Windows Analysis Report
M6MafKT2pj.exe

Overview

General Information

Sample name: M6MafKT2pj.exe (renamed because original name is a hash value)
Original sample name: 07b27d0e65f751737e5d9bee0b78b5a56933264014b5171ae03f3c2c3b51ae0e.exe
Analysis ID: 1588936
MD5: 848fcc30357be982b8d107e6c45390a6
SHA1: 477c03e4f9fb45f9ca6ae04c79728474ffc4cf2a
SHA256: 07b27d0e65f751737e5d9bee0b78b5a56933264014b5171ae03f3c2c3b51ae0e
Tags: exe, RemcosRAT, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • M6MafKT2pj.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\M6MafKT2pj.exe" MD5: 848FCC30357BE982B8D107E6C45390A6)
    • semispheroidal.exe (PID: 7668 cmdline: "C:\Users\user\Desktop\M6MafKT2pj.exe" MD5: 848FCC30357BE982B8D107E6C45390A6)
      • svchost.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\M6MafKT2pj.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • semispheroidal.exe (PID: 7744 cmdline: "C:\Users\user\AppData\Local\Allene\semispheroidal.exe" MD5: 848FCC30357BE982B8D107E6C45390A6)
        • svchost.exe (PID: 7812 cmdline: "C:\Users\user\AppData\Local\Allene\semispheroidal.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
        • semispheroidal.exe (PID: 7824 cmdline: "C:\Users\user\AppData\Local\Allene\semispheroidal.exe" MD5: 848FCC30357BE982B8D107E6C45390A6)
          • svchost.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Local\Allene\semispheroidal.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • iexplore.exe (PID: 7868 cmdline: "c:\program files (x86)\internet explorer\iexplore.exe" MD5: 6F0F06D6AB125A99E43335427066A4A1)
  • wscript.exe (PID: 7928 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • semispheroidal.exe (PID: 7988 cmdline: "C:\Users\user\AppData\Local\Allene\semispheroidal.exe" MD5: 848FCC30357BE982B8D107E6C45390A6)
      • svchost.exe (PID: 8052 cmdline: "C:\Users\user\AppData\Local\Allene\semispheroidal.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["3.64.152:2559:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZFXG9Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author
0000000D.00000002.3786369544.000000000491F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
(59 entries in total; only the first are shown here.)
Source | Rule | Description | Author
8.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
8.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
8.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
8.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
8.2.svchost.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]
(67 entries in total; only the first are shown here.)

                  System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs" , ProcessId: 7928, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\M6MafKT2pj.exe", CommandLine: "C:\Users\user\Desktop\M6MafKT2pj.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\M6MafKT2pj.exe", ParentImage: C:\Users\user\AppData\Local\Allene\semispheroidal.exe, ParentProcessId: 7668, ParentProcessName: semispheroidal.exe, ProcessCommandLine: "C:\Users\user\Desktop\M6MafKT2pj.exe", ProcessId: 7736, ProcessName: svchost.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs" , ProcessId: 7928, ProcessName: wscript.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\M6MafKT2pj.exe", CommandLine: "C:\Users\user\Desktop\M6MafKT2pj.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\M6MafKT2pj.exe", ParentImage: C:\Users\user\AppData\Local\Allene\semispheroidal.exe, ParentProcessId: 7668, ParentProcessName: semispheroidal.exe, ProcessCommandLine: "C:\Users\user\Desktop\M6MafKT2pj.exe", ProcessId: 7736, ProcessName: svchost.exe

                  Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Allene\semispheroidal.exe, ProcessId: 7668, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs

                  Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 30 0F C2 2C CB 87 25 B5 69 01 22 00 77 48 42 83 92 4F 9F E5 99 5F D5 7C 8A D8 0F 42 5F 17 45 BF 49 A5 42 D4 38 96 AA F2 0E 1B 47 44 16 9A 49 78 80 FC 66 0B 6B 55 83 8F 77 20 D0 5B F9 67 8C ED , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7852, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-ZFXG9Y\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T07:24:28.434944+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49979 | 192.3.64.152 | 2559 | TCP
2025-01-11T07:25:17.775094+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49807 | 192.3.64.152 | 2559 | TCP
2025-01-11T07:25:40.134144+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49944 | 192.3.64.152 | 2559 | TCP
2025-01-11T07:26:02.513911+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49971 | 192.3.64.152 | 2559 | TCP
2025-01-11T07:26:24.918482+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49972 | 192.3.64.152 | 2559 | TCP
2025-01-11T07:26:47.311881+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49973 | 192.3.64.152 | 2559 | TCP
2025-01-11T07:27:09.714835+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49974 | 192.3.64.152 | 2559 | TCP
2025-01-11T07:27:32.092604+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49975 | 192.3.64.152 | 2559 | TCP
2025-01-11T07:27:54.874471+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49976 | 192.3.64.152 | 2559 | TCP
2025-01-11T07:28:17.265313+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49977 | 192.3.64.152 | 2559 | TCP
2025-01-11T07:28:39.654283+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49978 | 192.3.64.152 | 2559 | TCP


                  AV Detection

Source: 00000008.00000002.1465308232.0000000003000000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["3.64.152:2559:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZFXG9Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | ReversingLabs: Detection: 91%
Source: M6MafKT2pj.exe | Virustotal: Detection: 72%
Source: M6MafKT2pj.exe | ReversingLabs: Detection: 91%
Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.semispheroidal.exe.3400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.semispheroidal.exe.1850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.semispheroidal.exe.39d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.semispheroidal.exe.3160000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.semispheroidal.exe.3400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.semispheroidal.exe.39d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.semispheroidal.exe.1850000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.semispheroidal.exe.3160000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.3786369544.000000000491F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3785980295.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1465308232.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3785937114.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7824, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8052, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Joe Sandbox ML: detected
Source: M6MafKT2pj.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_004338C8
Source: semispheroidal.exe, 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_6f4d2259-9

                  Exploits

Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.semispheroidal.exe.3400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.semispheroidal.exe.1850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.semispheroidal.exe.39d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.semispheroidal.exe.3160000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.semispheroidal.exe.3400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.semispheroidal.exe.39d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.semispheroidal.exe.1850000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.semispheroidal.exe.3160000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7824, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8052, type: MEMORYSTR

                  Privilege Escalation

Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00407538 _wcslen,CoGetObject,8_2_00407538
Source: M6MafKT2pj.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: Binary string: wntdll.pdbUGP source: semispheroidal.exe, 00000003.00000003.1395064664.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000003.00000003.1394447436.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000005.00000003.1430583821.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000005.00000003.1429842072.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000007.00000003.1462334689.0000000003570000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000007.00000003.1462680125.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 0000000C.00000003.1540387293.0000000003480000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 0000000C.00000003.1537536471.0000000003620000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: semispheroidal.exe, 00000003.00000003.1395064664.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000003.00000003.1394447436.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000005.00000003.1430583821.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000005.00000003.1429842072.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000007.00000003.1462334689.0000000003570000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000007.00000003.1462680125.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 0000000C.00000003.1540387293.0000000003480000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 0000000C.00000003.1537536471.0000000003620000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: svchost.pdb source: svchost.exe, 00000008.00000002.1465497782.0000000004FC0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1464735949.0000000003021000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000009.00000002.1464909694.0000000003390000.00000040.80000000.00040000.00000000.sdmp
                  Source: Binary string: svchost.pdbUGP source: svchost.exe, 00000008.00000002.1465497782.0000000004FC0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1464735949.0000000003021000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000009.00000002.1464909694.0000000003390000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AA445A GetFileAttributesW,FindFirstFileW,FindClose,1_2_00AA445A
Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AAC6D1 FindFirstFileW,FindClose,1_2_00AAC6D1
Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AAC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_00AAC75C
Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AAEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00AAEF95
Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AAF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00AAF0F2
Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AAF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00AAF3F3
Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AA37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00AA37EF
Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AA3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00AA3B12
Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00AABCBC
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2445A GetFileAttributesW,FindFirstFileW,FindClose,3_2_00A2445A
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2C6D1 FindFirstFileW,FindClose,3_2_00A2C6D1
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,3_2_00A2C75C
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_00A2EF95
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_00A2F0F2
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,3_2_00A2F3F3
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_00A237EF
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A23B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_00A23B12
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,3_2_00A2BCBC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_0040928E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_0041C322
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0040C388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_004096A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_00408847
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00407877 FindFirstFileW,FindNextFileW,8_2_00407877
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0044E8F9 FindFirstFileExA,8_2_0044E8F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419B86
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_00407CD2

                  Networking

                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49807 -> 192.3.64.152:2559
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49978 -> 192.3.64.152:2559
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49977 -> 192.3.64.152:2559
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49971 -> 192.3.64.152:2559
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49976 -> 192.3.64.152:2559
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49944 -> 192.3.64.152:2559
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49972 -> 192.3.64.152:2559
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49973 -> 192.3.64.152:2559
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49974 -> 192.3.64.152:2559
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49975 -> 192.3.64.152:2559
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49979 -> 192.3.64.152:2559
                  Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 192.3.64.152 2559
                  Source: Malware configuration extractor | URLs: 3.64.152
                  Source: Joe Sandbox View | IP Address: 192.3.64.152 192.3.64.152
                  Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                  Source: unknown | TCP traffic detected without corresponding DNS query: 192.3.64.152
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AB22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,1_2_00AB22EE
                  Source: svchost.exe | String found in binary or memory: http://geoplugin.net/json.gp
                  Source: semispheroidal.exe, 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, semispheroidal.exe, 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 8_2_0040A2F3
                  Source: C:\Windows\SysWOW64\svchost.exe | Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\svchost.exe
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AB4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_00AB4164
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A34164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,3_2_00A34164
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,8_2_004168FC
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AB3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,1_2_00AB3F66
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AA001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,1_2_00AA001C
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00ACCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_00ACCABC
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A4CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,3_2_00A4CABC
                  Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.semispheroidal.exe.3400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.semispheroidal.exe.1850000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.semispheroidal.exe.39d0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.semispheroidal.exe.3160000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.semispheroidal.exe.3400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.semispheroidal.exe.39d0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.semispheroidal.exe.1850000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.semispheroidal.exe.3160000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7668, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7744, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7824, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7852, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7988, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8052, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.semispheroidal.exe.3400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.semispheroidal.exe.1850000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.semispheroidal.exe.39d0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.semispheroidal.exe.3160000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.semispheroidal.exe.3400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.semispheroidal.exe.39d0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.semispheroidal.exe.1850000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.semispheroidal.exe.3160000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000D.00000002.3786369544.000000000491F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000002.3785980295.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.1465308232.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000D.00000002.3785937114.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7668, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7744, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7824, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7852, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7988, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8052, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0041CA73 SystemParametersInfoW,8_2_0041CA73

                  System Summary

                  Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 12.2.semispheroidal.exe.3400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 12.2.semispheroidal.exe.3400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 12.2.semispheroidal.exe.3400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 7.2.semispheroidal.exe.1850000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 7.2.semispheroidal.exe.1850000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 7.2.semispheroidal.exe.1850000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 5.2.semispheroidal.exe.39d0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 5.2.semispheroidal.exe.39d0000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 5.2.semispheroidal.exe.39d0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 3.2.semispheroidal.exe.3160000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 3.2.semispheroidal.exe.3160000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 3.2.semispheroidal.exe.3160000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 12.2.semispheroidal.exe.3400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 12.2.semispheroidal.exe.3400000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 12.2.semispheroidal.exe.3400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 5.2.semispheroidal.exe.39d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 5.2.semispheroidal.exe.39d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 5.2.semispheroidal.exe.39d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 7.2.semispheroidal.exe.1850000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 7.2.semispheroidal.exe.1850000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 7.2.semispheroidal.exe.1850000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 3.2.semispheroidal.exe.3160000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 3.2.semispheroidal.exe.3160000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 3.2.semispheroidal.exe.3160000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: Process Memory Space: semispheroidal.exe PID: 7668, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: semispheroidal.exe PID: 7744, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: semispheroidal.exe PID: 7824, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: svchost.exe PID: 7852, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: semispheroidal.exe PID: 7988, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: svchost.exe PID: 8052, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: This is a third-party compiled AutoIt script. 1_2_00A43B3A
                  Source: M6MafKT2pj.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: M6MafKT2pj.exe, 00000001.00000003.1356374860.00000000034D3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_a5238306-8
                  Source: M6MafKT2pj.exe, 00000001.00000003.1356374860.00000000034D3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_5a6b245d-6
                  Source: M6MafKT2pj.exe, 00000001.00000000.1315355739.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_bd20101f-9
                  Source: M6MafKT2pj.exe, 00000001.00000000.1315355739.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_93da3528-a
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: This is a third-party compiled AutoIt script. 3_2_009C3B3A
                  Source: semispheroidal.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: semispheroidal.exe, 00000003.00000002.1395863885.0000000000A74000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_9f625c3b-d
                  Source: semispheroidal.exe, 00000003.00000002.1395863885.0000000000A74000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_c9091fb4-9
                  Source: semispheroidal.exe, 00000005.00000002.1432033830.0000000000A74000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_972b993f-0
                  Source: semispheroidal.exe, 00000005.00000002.1432033830.0000000000A74000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_d348d77c-1
                  Source: semispheroidal.exe, 00000007.00000000.1431225430.0000000000A74000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_bf7164dd-b
                  Source: semispheroidal.exe, 00000007.00000000.1431225430.0000000000A74000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_dc1076de-4
                  Source: semispheroidal.exe, 0000000C.00000002.1547585036.0000000000A74000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_1be7d479-7
                  Source: semispheroidal.exe, 0000000C.00000002.1547585036.0000000000A74000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_9f2770de-9
                  Source: M6MafKT2pj.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_54fcd90d-a
                  Source: M6MafKT2pj.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_dccc966f-f
                  Source: semispheroidal.exe.1.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7f5fd08a-0
                  Source: semispheroidal.exe.1.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_c5575e4e-f
                  Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\SysWOW64\svchost.exeProcess Stats: CPU usage > 49%
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,8_2_0041812A
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exeCode function: 1_2_00AAA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,1_2_00AAA1EF
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exeCode function: 1_2_00A98310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,1_2_00A98310
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exeCode function: 1_2_00AA51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,1_2_00AA51BD
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeCode function: 3_2_00A251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,3_2_00A251BD
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,8_2_004167EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 00402093 appears 50 times
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 00401E65 appears 34 times
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 00434E70 appears 54 times
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 00434801 appears 41 times
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exeCode function: String function: 00A68900 appears 42 times
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exeCode function: String function: 00A47DE1 appears 36 times
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exeCode function: String function: 00A60AE3 appears 70 times
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeCode function: String function: 009E0AE3 appears 70 times
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeCode function: String function: 009C7DE1 appears 35 times
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeCode function: String function: 009E8900 appears 42 times
                  Source: M6MafKT2pj.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 12.2.semispheroidal.exe.3400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 12.2.semispheroidal.exe.3400000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 12.2.semispheroidal.exe.3400000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 7.2.semispheroidal.exe.1850000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 7.2.semispheroidal.exe.1850000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 7.2.semispheroidal.exe.1850000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 5.2.semispheroidal.exe.39d0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 5.2.semispheroidal.exe.39d0000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 5.2.semispheroidal.exe.39d0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 3.2.semispheroidal.exe.3160000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 3.2.semispheroidal.exe.3160000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 3.2.semispheroidal.exe.3160000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 12.2.semispheroidal.exe.3400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 12.2.semispheroidal.exe.3400000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 12.2.semispheroidal.exe.3400000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 5.2.semispheroidal.exe.39d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 5.2.semispheroidal.exe.39d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 5.2.semispheroidal.exe.39d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 7.2.semispheroidal.exe.1850000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 7.2.semispheroidal.exe.1850000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 7.2.semispheroidal.exe.1850000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 3.2.semispheroidal.exe.3160000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 3.2.semispheroidal.exe.3160000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 3.2.semispheroidal.exe.3160000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: Process Memory Space: semispheroidal.exe PID: 7668, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: semispheroidal.exe PID: 7744, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: semispheroidal.exe PID: 7824, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: svchost.exe PID: 7852, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: semispheroidal.exe PID: 7988, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: svchost.exe PID: 8052, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine, Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@20/9@0/1
Source: C:\Users\user\Desktop\M6MafKT2pj.exe, Code function 1_2_00AAA06A: GetLastError, FormatMessageW
Source: C:\Users\user\Desktop\M6MafKT2pj.exe, Code function 1_2_00A981CB: AdjustTokenPrivileges, CloseHandle
Source: C:\Users\user\Desktop\M6MafKT2pj.exe, Code function 1_2_00A987E1: LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe, Code function 3_2_00A181CB: AdjustTokenPrivileges, CloseHandle
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe, Code function 3_2_00A187E1: LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
Source: C:\Windows\SysWOW64\svchost.exe, Code function 8_2_0041798D: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError
Source: C:\Users\user\Desktop\M6MafKT2pj.exe, Code function 1_2_00AAB3FB: SetErrorMode, GetDiskFreeSpaceExW, SetErrorMode
Source: C:\Users\user\Desktop\M6MafKT2pj.exe, Code function 1_2_00ABEE0D: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle
Source: C:\Users\user\Desktop\M6MafKT2pj.exe, Code function 1_2_00AB83BB: CoInitialize, CoUninitialize, CoCreateInstance, IIDFromString, VariantInit, VariantClear
Source: C:\Users\user\Desktop\M6MafKT2pj.exe, Code function 1_2_00A44E89: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
Source: C:\Windows\SysWOW64\svchost.exe, Code function 8_2_0041AADB: OpenSCManagerW, OpenServiceW, CloseServiceHandle, StartServiceW, CloseServiceHandle, CloseServiceHandle, CloseServiceHandle
Source: C:\Users\user\Desktop\M6MafKT2pj.exe, File created: C:\Users\user\AppData\Local\Allene
Source: C:\Windows\SysWOW64\svchost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y
Source: C:\Users\user\Desktop\M6MafKT2pj.exe, File created: C:\Users\user~1\AppData\Local\Temp\aut1C63.tmp
Source: unknown, Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs"
Source: M6MafKT2pj.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wscript.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\M6MafKT2pj.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: M6MafKT2pj.exe, Virustotal: Detection: 72%
Source: M6MafKT2pj.exe, ReversingLabs: Detection: 91%
Source: C:\Users\user\Desktop\M6MafKT2pj.exe, File read: C:\Users\user\Desktop\M6MafKT2pj.exe
Process tree (each entry gives the parent, the child image, and the command line the child was created with). Note that every C:\Windows\SysWOW64\svchost.exe child is created with its parent's command line rather than its own, so the image path and the command line disagree; that is consistent with the "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures above and is a reliable hunting pivot on its own. The persistence path is the Startup-folder VBS, which wscript.exe runs at logon to relaunch semispheroidal.exe.
Source: unknown, Process created: C:\Users\user\Desktop\M6MafKT2pj.exe "C:\Users\user\Desktop\M6MafKT2pj.exe"
Source: C:\Users\user\Desktop\M6MafKT2pj.exe, Process created: C:\Users\user\AppData\Local\Allene\semispheroidal.exe "C:\Users\user\Desktop\M6MafKT2pj.exe"
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe, Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\M6MafKT2pj.exe"
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe, Process created: C:\Users\user\AppData\Local\Allene\semispheroidal.exe "C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe, Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe, Process created: C:\Users\user\AppData\Local\Allene\semispheroidal.exe "C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe, Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
Source: unknown, Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs"
Source: C:\Windows\System32\wscript.exe, Process created: C:\Users\user\AppData\Local\Allene\semispheroidal.exe "C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe, Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
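The process tree above can be turned into detection logic without waiting for a YARA hit. The script below is an added example, not Joe Sandbox output or Remcos code: it replays process-creation and mutant events shaped like the ones in this report and flags four things the report exposes, namely an image path that disagrees with the executable named on its own command line, an svchost.exe that was not started by services.exe with a "-k" service group, a script host launched from the Startup folder, and a mutex matching the Rmc- naming seen here. The events are constructed; only PIDs 7668 and 7852, the paths and the mutex name come from the page, while the other PIDs, the parent relationships, the benign svchost.exe row and the six-character mutex suffix are assumptions.

```python
"""Process-tree triage for Remcos-style loaders (added example, not sandbox code)."""
import re
from ntpath import basename

# Constructed events modelled on this report's process tree. PIDs 7668 and 7852
# appear on the page; the remaining PIDs, parent PIDs and the benign svchost.exe
# row (pid 2000) are assumptions made for the example.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 7500, "ppid": 1000,
     "image": r"C:\Users\user\Desktop\M6MafKT2pj.exe",
     "cmdline": r'"C:\Users\user\Desktop\M6MafKT2pj.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 7668, "ppid": 7500,
     "image": r"C:\Users\user\AppData\Local\Allene\semispheroidal.exe",
     "cmdline": r'"C:\Users\user\Desktop\M6MafKT2pj.exe"',
     "parent_image": r"C:\Users\user\Desktop\M6MafKT2pj.exe"},
    {"type": "process", "pid": 7852, "ppid": 7668,
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\M6MafKT2pj.exe"',
     "parent_image": r"C:\Users\user\AppData\Local\Allene\semispheroidal.exe"},
    {"type": "process", "pid": 8100, "ppid": 1000,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 2000, "ppid": 800,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "mutant", "pid": 7852, "name": r"\Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y"},
]

# Assumption: the "Rmc-" prefix plus six upper-case alphanumerics, generalised
# from the single mutex name in this report.
REMCOS_MUTEX = re.compile(r"^Rmc-[A-Z0-9]{6}$")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def split_cmdline(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_process(ev):
    """Return (rule, detail) pairs for one process-creation event."""
    findings = []
    image = basename(ev["image"]).lower()
    parent = basename(ev["parent_image"]).lower()
    argv = split_cmdline(ev["cmdline"])
    launched = basename(argv[0]).lower() if argv else ""
    # The executable named in argv[0] should be the image that was started;
    # the report's svchost.exe children carry their parent's command line.
    if launched and launched != image:
        findings.append(("image_cmdline_mismatch",
                         f"image {image} but command line names {launched}"))
    if image == "svchost.exe":
        reasons = []
        if parent != "services.exe":
            reasons.append(f"parent is {parent}")
        if "-k" not in (a.lower() for a in argv[1:]):
            reasons.append("no -k service group")
        if "syswow64" in ev["image"].lower():
            reasons.append("32-bit svchost (assumes a 64-bit host)")
        if reasons:
            findings.append(("svchost_anomalous", "; ".join(reasons)))
    if image in ("wscript.exe", "cscript.exe"):
        for arg in argv[1:]:
            if STARTUP_DIR in arg.lower():
                findings.append(("startup_script_host", arg))
    return findings


def check_mutant(ev):
    """Flag mutex names that follow the Rmc- pattern seen in this sample."""
    name = ev["name"].rsplit("\\", 1)[-1]
    return [("remcos_mutex", name)] if REMCOS_MUTEX.match(name) else []


def analyze(events):
    """Run every check over a list of events and collect the findings."""
    out = []
    for ev in events:
        hits = check_process(ev) if ev["type"] == "process" else check_mutant(ev)
        out.extend({"pid": ev["pid"], "rule": rule, "detail": detail} for rule, detail in hits)
    return out


def rules_for(findings, pid):
    """Set of rule names that fired for a given PID."""
    return {f["rule"] for f in findings if f["pid"] == pid}


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']:>5}  {f['rule']:<24} {f['detail']}")
```

Run against the constructed events, PID 7852 trips the mismatch, svchost and mutex rules together while the services.exe-spawned svchost.exe (PID 2000) stays clean; the first check is the one worth keeping in a SIEM, because a spoofed command line is an artefact of the injection itself rather than of this particular family.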
Sections loaded, grouped by process (the three semispheroidal.exe instances load an identical set):
Source: C:\Users\user\Desktop\M6MafKT2pj.exe, Section loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe (three instances), Section loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe, Section loaded: winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, iphlpapi.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, apphelp.dll, kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe, Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                  Source: M6MafKT2pj.exeStatic file information: File size 1352704 > 1048576
                  Source: M6MafKT2pj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: M6MafKT2pj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: M6MafKT2pj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: M6MafKT2pj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: M6MafKT2pj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: M6MafKT2pj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: M6MafKT2pj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: semispheroidal.exe, 00000003.00000003.1395064664.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000003.00000003.1394447436.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000005.00000003.1430583821.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000005.00000003.1429842072.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000007.00000003.1462334689.0000000003570000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000007.00000003.1462680125.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 0000000C.00000003.1540387293.0000000003480000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 0000000C.00000003.1537536471.0000000003620000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: semispheroidal.exe, 00000003.00000003.1395064664.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000003.00000003.1394447436.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000005.00000003.1430583821.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000005.00000003.1429842072.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000007.00000003.1462334689.0000000003570000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000007.00000003.1462680125.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 0000000C.00000003.1540387293.0000000003480000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 0000000C.00000003.1537536471.0000000003620000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: svchost.pdb source: svchost.exe, 00000008.00000002.1465497782.0000000004FC0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1464735949.0000000003021000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000009.00000002.1464909694.0000000003390000.00000040.80000000.00040000.00000000.sdmp
                  Source: Binary string: svchost.pdbUGP source: svchost.exe, 00000008.00000002.1465497782.0000000004FC0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000003.1464735949.0000000003021000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000009.00000002.1464909694.0000000003390000.00000040.80000000.00040000.00000000.sdmp
                  Source: M6MafKT2pj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: M6MafKT2pj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: M6MafKT2pj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: M6MafKT2pj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: M6MafKT2pj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A44B37 LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A68945 push ecx; ret
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_009E8945 push ecx; ret
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00457186 push ecx; ret
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0045E55D push esi; ret
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00457AA8 push eax; ret
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00434EB6 push ecx; ret
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00406EEB ShellExecuteW,URLDownloadToFileW
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | File created: C:\Users\user\AppData\Local\Allene\semispheroidal.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs (3 occurrences)
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AC5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_009C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A45376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A63187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress (x36)
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
                  Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040F7E2 Sleep,ExitProcess
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | API/Special instruction interceptor: Address: 13DB0EC
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | API/Special instruction interceptor: Address: 1726964
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | API/Special instruction interceptor: Address: BEE71C
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | API/Special instruction interceptor: Address: C8351C
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0041A7D9 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                  Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 1417
                  Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 8122
                  Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: foregroundWindowGot 1766
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | API coverage: 4.6 %
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | API coverage: 4.8 %
                  Source: C:\Windows\SysWOW64\svchost.exe | TID: 8092 Thread sleep count: 180 > 30
                  Source: C:\Windows\SysWOW64\svchost.exe | TID: 8092 Thread sleep time: -90000s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe | TID: 8096 Thread sleep count: 1417 > 30
                  Source: C:\Windows\SysWOW64\svchost.exe | TID: 8096 Thread sleep time: -4251000s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe | TID: 8096 Thread sleep count: 8122 > 30
                  Source: C:\Windows\SysWOW64\svchost.exe | TID: 8096 Thread sleep time: -24366000s >= -30000s
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AA445A GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AAC6D1 FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AAC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AAEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AAF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AAF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AA37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AA3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2445A GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2C6D1 FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A23B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A2BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00407877 FindFirstFileW,FindNextFileW
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0044E8F9 FindFirstFileExA
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: svchost.exe, 0000000D.00000002.3785980295.0000000002C12000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | API call chain: ExitProcess graph end node (2 occurrences)
                  Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AB3F09 BlockInput
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A43B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A75A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A44B37 LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00D535E8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00D53588 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00D51F28 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_013DB358 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_013DB3B8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_013D9CF8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 5_2_01725570 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 5_2_01726BD0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 5_2_01726C30 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 7_2_00BED328 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 7_2_00BEE988 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 7_2_00BEE9E8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00443355 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A980A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A6A124 SetUnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A6A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_009EA124 SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_009EA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00434BD8 SetUnhandledExceptionFilter
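Added example, not part of the Joe Sandbox report: the "Thread sleep" rows in this section show the injected svchost.exe calling Sleep thousands of times from one thread, which is the sandbox-stalling pattern the "count > 30" and "time >= 30000" signatures fire on. The Python below parses rows in that shape (the sample rows are constructed from the values reported above), aggregates them per thread, and flags threads whose cumulative delay would outlast a typical analysis window. It assumes the report prints the interval negated, the NtDelayExecution relative-time convention, and uses only the magnitude; the per-call ratio it derives (a constant 3000 for TID 8096) is what distinguishes a fixed-delay loop from ordinary scattered waits.

```python
import re
from dataclasses import dataclass

# Constructed sample rows in the shape of the "Thread sleep" rows above
# (values copied from the report; the rows themselves are rebuilt here).
SAMPLE_ROWS = [
    r"Source: C:\Windows\SysWOW64\svchost.exe | TID: 8092 Thread sleep count: 180 > 30",
    r"Source: C:\Windows\SysWOW64\svchost.exe | TID: 8092 Thread sleep time: -90000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\svchost.exe | TID: 8096 Thread sleep count: 1417 > 30",
    r"Source: C:\Windows\SysWOW64\svchost.exe | TID: 8096 Thread sleep time: -4251000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\svchost.exe | TID: 8096 Thread sleep count: 8122 > 30",
    r"Source: C:\Windows\SysWOW64\svchost.exe | TID: 8096 Thread sleep time: -24366000s >= -30000s",
]

# Tolerates the raw export layout as well (no space before "Thread", trailing link text).
ROW_RE = re.compile(
    r"(?P<proc>[A-Za-z]:\\[^\s|]+?\.exe)\s*\|?\s*TID:\s*(?P<tid>\d+)\s*"
    r"Thread sleep (?P<kind>count|time):\s*(?P<val>-?\d+)s?\s*>=?\s*(?P<thr>-?\d+)"
)


@dataclass
class ThreadSleep:
    process: str
    tid: int
    calls: int = 0   # highest sleep-call count reported for the thread
    total: int = 0   # largest accumulated sleep interval (magnitude only)

    @property
    def per_call(self) -> float:
        """Average interval per Sleep call; a constant value means a fixed-delay loop."""
        return self.total / self.calls if self.calls else 0.0


def parse_sleep_rows(rows):
    """Aggregate sleep rows per (process, thread). The sandbox emits cumulative
    snapshots, so the maximum seen for a thread is its final figure."""
    threads = {}
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            continue
        key = (m["proc"], int(m["tid"]))
        t = threads.setdefault(key, ThreadSleep(m["proc"], int(m["tid"])))
        # Negative values are assumed to follow the NtDelayExecution relative-time
        # convention; only the magnitude matters for the heuristic.
        value = abs(int(m["val"]))
        if m["kind"] == "count":
            t.calls = max(t.calls, value)
        else:
            t.total = max(t.total, value)
    return list(threads.values())


def flag_stalling(threads, min_calls=30, min_total=30000):
    """Threads that both loop on Sleep and accumulate enough delay to outlast a
    typical analysis window (defaults mirror the thresholds in the rows above)."""
    return [t for t in threads if t.calls > min_calls and t.total >= min_total]


if __name__ == "__main__":
    for t in flag_stalling(parse_sleep_rows(SAMPLE_ROWS)):
        print(f"{t.process} TID {t.tid}: {t.calls} calls, {t.total} total, {t.per_call:.0f} per call")
```

Raising min_total is the knob to tune against noisy hosts: services that poll every few seconds also exceed 30 calls, but rarely accumulate the 24366000 seen for TID 8096.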
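Added example, not from the report or the sample: the `mov eax, dword ptr fs:[00000030h]` rows are loads of the PEB pointer from the TEB, the first step of inline debugger checks that read PEB.BeingDebugged or PEB.NtGlobalFlag without calling IsDebuggerPresent. The Python below scans a byte buffer for the two x86 encodings a disassembler prints with that text (the short moffs32 form 64 A1 30 00 00 00, which only EAX has, and the ModRM form 64 8B /r 30 00 00 00 for any 32-bit register) and labels the common follow-up loads. The sample buffer is constructed, not bytes from the malware; the follow-up table is an assumption about typical anti-debug code, and a bare fs:[30h] read is also emitted by compilers and the CRT, so on its own it is a weak indicator.

```python
# 32-bit registers in ModRM "reg" field order.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_DISP = b"\x30\x00\x00\x00"   # fs:[0x30] -> TEB.ProcessEnvironmentBlock

# Loads that commonly follow the PEB read when the purpose is anti-debugging.
# Assumed typical idioms, not taken from the sample.
FOLLOW_UPS = {
    b"\x8a\x40\x02":     "PEB.BeingDebugged",   # mov al, byte ptr [eax+2]
    b"\x0f\xb6\x40\x02": "PEB.BeingDebugged",   # movzx eax, byte ptr [eax+2]
    b"\x8b\x40\x68":     "PEB.NtGlobalFlag",    # mov eax, dword ptr [eax+68h]
    b"\x8b\x40\x0c":     "PEB.Ldr",             # mov eax, dword ptr [eax+0Ch]
}

# Constructed sample buffer: two PEB reads inside filler bytes.
SAMPLE_CODE = (
    b"\x55\x8b\xec\x83\xec\x10"            # push ebp / mov ebp, esp / sub esp, 10h
    + b"\x64\xa1" + PEB_DISP               # mov eax, dword ptr fs:[30h]   (moffs32 form)
    + b"\x8a\x40\x02"                      # mov al, [eax+2]               (BeingDebugged)
    + b"\x90" * 7                          # nop padding
    + b"\x64\x8b\x0d" + PEB_DISP           # mov ecx, dword ptr fs:[30h]   (ModRM form)
    + b"\xc9\xc3"                          # leave / ret
)


def find_peb_reads(code: bytes):
    """Return (offset, register, follow_up) for every fs:[30h] load in `code`,
    decoding both encodings assemblers emit for this instruction."""
    hits = []
    i = 0
    while i < len(code):
        reg, length = None, 0
        # Form 1: 64 A1 disp32 -> mov eax, fs:[disp32]; only EAX has this short form.
        if code[i:i + 2] == b"\x64\xa1" and code[i + 2:i + 6] == PEB_DISP:
            reg, length = "eax", 6
        # Form 2: 64 8B /r disp32 with ModRM mod=00, r/m=101 (absolute disp32).
        elif code[i:i + 2] == b"\x64\x8b" and code[i + 3:i + 7] == PEB_DISP:
            modrm = code[i + 2]
            if modrm & 0xC7 == 0x05:
                reg, length = REG32[(modrm >> 3) & 7], 7
        if reg is None:
            i += 1
            continue
        follow_up = "none-recognised"
        if reg == "eax":   # the follow-up table is written for the EAX-based idiom
            nxt = code[i + length:i + length + 4]
            for pattern, name in FOLLOW_UPS.items():
                if nxt.startswith(pattern):
                    follow_up = name
                    break
        hits.append((i, reg, follow_up))
        i += length
    return hits


if __name__ == "__main__":
    for offset, reg, follow_up in find_peb_reads(SAMPLE_CODE):
        print(f"{offset:#06x}: mov {reg}, fs:[30h]  ->  {follow_up}")
```

Run it over a dumped .text section rather than the whole file; on a packed sample such as this one the instruction only appears in the unpacked memory regions the report lists (process dumps 1, 3, 5, 7 and 8), not in the file on disk.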

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 192.3.64.152 2559
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write (2 occurrences)
                  Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\Internet Explorer\iexplore.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A9E008
                  Source: C:\Windows\SysWOW64\svchost.exe | Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 3193008
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 269B008
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00412132 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A987B1 LogonUserW
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A43B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AA4C27 mouse_event
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\M6MafKT2pj.exe"
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Allene\semispheroidal.exe" (2 occurrences)
                  Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Allene\semispheroidal.exe "C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
                  Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A97CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00A9874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                  Source: M6MafKT2pj.exe, semispheroidal.exe.1.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: svchost.exe, 0000000D.00000002.3786102007.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: eProgram Manager9Y\ar
                  Source: svchost.exe, 0000000D.00000002.3786102007.0000000002C3A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3786102007.0000000002C3D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager9Y\
                  Source: M6MafKT2pj.exe, semispheroidal.exeBinary or memory string: Shell_TrayWnd
                  Source: svchost.exe, 0000000D.00000002.3786102007.0000000002C37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerSoftware\Rmc-ZFXG9Y\
                  Source: svchost.exe, 0000000D.00000002.3786102007.0000000002C3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager9Y\ar
                  Source: svchost.exe, 0000000D.00000002.3786102007.0000000002C3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager9Y\am
                  Source: svchost.exe, 0000000D.00000002.3786032231.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, logs.dat.13.drBinary or memory string: [Program Manager]
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exeCode function: 1_2_00A6862B cpuid 1_2_00A6862B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: EnumSystemLocalesW,8_2_0045201B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: EnumSystemLocalesW,8_2_004520B6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_00452143
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,8_2_00452393
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: EnumSystemLocalesW,8_2_00448484
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_004524BC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,8_2_004525C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_00452690
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoW,8_2_0044896D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: GetLocaleInfoA,8_2_0040F90C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_00451D58
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: EnumSystemLocalesW,8_2_00451FD0
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exeCode function: 1_2_00A74E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_00A74E87
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exeCode function: 1_2_00A81E06 GetUserNameW,1_2_00A81E06
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exeCode function: 1_2_00A73F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,1_2_00A73F3A
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exeCode function: 1_2_00A449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,1_2_00A449A0
                  Source: C:\Users\user\Desktop\M6MafKT2pj.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.semispheroidal.exe.3400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.semispheroidal.exe.1850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.semispheroidal.exe.39d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.semispheroidal.exe.3160000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.semispheroidal.exe.3400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.semispheroidal.exe.39d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.semispheroidal.exe.1850000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.semispheroidal.exe.3160000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.3786369544.000000000491F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3785980295.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1465308232.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3785937114.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7824, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8052, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_0040BA4D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: \key3.db 8_2_0040BB6B
Source: semispheroidal.exe | Binary or memory string: WIN_81
Source: semispheroidal.exe | Binary or memory string: WIN_XP
Source: semispheroidal.exe | Binary or memory string: WIN_XPe
Source: semispheroidal.exe | Binary or memory string: WIN_VISTA
Source: semispheroidal.exe | Binary or memory string: WIN_7
Source: semispheroidal.exe | Binary or memory string: WIN_8
Source: semispheroidal.exe.1.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                  Remote Access Functionality

Source: C:\Windows\SysWOW64\svchost.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y
Source: C:\Windows\SysWOW64\svchost.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y
Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.semispheroidal.exe.3400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.semispheroidal.exe.1850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.semispheroidal.exe.39d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.semispheroidal.exe.3160000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.semispheroidal.exe.3400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.semispheroidal.exe.39d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.semispheroidal.exe.1850000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.semispheroidal.exe.3160000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.3786369544.000000000491F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3785980295.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1465308232.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3785937114.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7824, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: semispheroidal.exe PID: 7988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8052, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: cmd.exe 8_2_0040569A
Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AB6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 1_2_00AB6283
Source: C:\Users\user\Desktop\M6MafKT2pj.exe | Code function: 1_2_00AB6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 1_2_00AB6747
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A36283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 3_2_00A36283
Source: C:\Users\user\AppData\Local\Allene\semispheroidal.exe | Code function: 3_2_00A36747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 3_2_00A36747
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information111
                  Scripting
                  2
                  Valid Accounts
                  1
                  Native API
                  111
                  Scripting
                  1
                  Exploitation for Privilege Escalation
                  1
                  Disable or Modify Tools
                  1
                  OS Credential Dumping
                  2
                  System Time Discovery
                  Remote Services11
                  Archive Collected Data
                  11
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts1
                  Command and Scripting Interpreter
                  1
                  DLL Side-Loading
                  1
                  DLL Side-Loading
                  1
                  Deobfuscate/Decode Files or Information
                  221
                  Input Capture
                  1
                  Account Discovery
                  Remote Desktop Protocol221
                  Input Capture
                  2
                  Encrypted Channel
                  Exfiltration Over Bluetooth1
                  Defacement
                  Email AddressesDNS ServerDomain Accounts2
                  Service Execution
                  2
                  Valid Accounts
                  1
                  Bypass User Account Control
                  2
                  Obfuscated Files or Information
                  2
                  Credentials In Files
                  1
                  System Service Discovery
                  SMB/Windows Admin Shares3
                  Clipboard Data
                  1
                  Remote Access Software
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCron1
                  Windows Service
                  2
                  Valid Accounts
                  1
                  DLL Side-Loading
                  NTDS3
                  File and Directory Discovery
                  Distributed Component Object ModelInput Capture1
                  Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchd2
                  Registry Run Keys / Startup Folder
                  21
                  Access Token Manipulation
                  1
                  Bypass User Account Control
                  LSA Secrets126
                  System Information Discovery
                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
                  Windows Service
                  1
                  Masquerading
                  Cached Domain Credentials231
                  Security Software Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items422
                  Process Injection
                  2
                  Valid Accounts
                  DCSync1
                  Virtualization/Sandbox Evasion
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/Job2
                  Registry Run Keys / Startup Folder
                  1
                  Virtualization/Sandbox Evasion
                  Proc Filesystem3
                  Process Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                  Access Token Manipulation
                  /etc/passwd and /etc/shadow11
                  Application Window Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron422
                  Process Injection
                  Network Sniffing1
                  System Owner/User Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1588936; Sample: M6MafKT2pj.exe; Startdate: 11/01/2025; Architecture: WINDOWS; Score: 100

• Root node signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures. Started: M6MafKT2pj.exe (10), wscript.exe (14).
• M6MafKT2pj.exe (10): dropped C:\Users\user\AppData\...\semispheroidal.exe (PE32); signature: Binary is likely a compiled AutoIt script file. Started: semispheroidal.exe (16).
• wscript.exe (14): signature: Windows Scripting host queries suspicious COM object (likely to drop second stage). Started: semispheroidal.exe (20).
• semispheroidal.exe (16): dropped C:\Users\user\AppData\...\semispheroidal.vbs (data); signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures. Started: semispheroidal.exe (22), svchost.exe (25).
• semispheroidal.exe (20): signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process. Started: svchost.exe (27).
• semispheroidal.exe (22): signature: Binary is likely a compiled AutoIt script file. Started: semispheroidal.exe (31), svchost.exe (34).
• svchost.exe (25): signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionalty to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 4 other signatures.
• svchost.exe (27): network: 192.3.64.152, ports 2559, 49807, 49944, AS-COLOCROSSINGUS, United States; dropped C:\ProgramData\remcos\logs.dat (data); signatures: System process connects to network (likely due to code injection or exploit); Detected Remcos RAT; Installs a global keyboard hook.
• semispheroidal.exe (31): signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process. Started: svchost.exe (36).
• svchost.exe (36): signatures: Detected Remcos RAT; Writes to foreign memory regions; Maps a DLL or memory area into another process. Started: iexplore.exe (39).

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label
M6MafKT2pj.exe | 72% | Virustotal |
M6MafKT2pj.exe | 91% | ReversingLabs | Win32.Backdoor.Remcos
M6MafKT2pj.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Allene\semispheroidal.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Allene\semispheroidal.exe | 91% | ReversingLabs | Win32.Backdoor.Remcos
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
3.64.152 | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
3.64.152 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | svchost.exe | false | | high
http://geoplugin.net/json.gp/C | semispheroidal.exe, 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, semispheroidal.exe, 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, semispheroidal.exe, 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
192.3.64.152 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
                      Joe Sandbox version:42.0.0 Malachite
                      Analysis ID:1588936
                      Start date and time:2025-01-11 07:23:32 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 11m 18s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:18
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:M6MafKT2pj.exe
                      renamed because original name is a hash value
                      Original Sample Name:07b27d0e65f751737e5d9bee0b78b5a56933264014b5171ae03f3c2c3b51ae0e.exe
                      Detection:MAL
                      Classification:mal100.rans.troj.spyw.expl.evad.winEXE@20/9@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 55
                      • Number of non-executed functions: 281
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
                      • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:07:10 | API Interceptor | 4984351x Sleep call for process: svchost.exe modified
07:24:42 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs
Match | Associated Sample Name / URL | Detection | Threat Name
192.3.64.152 | OKkUGRkZV7.exe | malicious | Remcos
  | MLxloAVuCZ.exe | malicious | Remcos
  | 1evAkYZpwDV0N4v.exe | malicious | Remcos
  | LdSbZG1iH6.exe | malicious | Remcos, PureLog Stealer
  | EIuz8Bk9kGav2ix.exe | malicious | Remcos
  | 6Ctc0o7vhqKgjU7.exe | malicious | Remcos
  | New Order.exe | malicious | Remcos
  | UsoOuMVYCv8QrxG.exe | malicious | Remcos
  | New Order.exe | malicious | Remcos
  | SecuriteInfo.com.Trojan.PackedNET.3042.4675.2937.exe | malicious | Remcos
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | Wk731bq71c.exe | malicious | Remcos | 198.23.227.212
  | yPIOW6yoPi.exe | malicious | Remcos | 198.23.227.212
  | C2R7VV2QmG.exe | malicious | Remcos | 192.210.150.26
  | 8kjlHXmbAY.exe | malicious | Remcos | 192.210.150.26
  | OKkUGRkZV7.exe | malicious | Remcos | 192.3.64.152
  | NssBkEQKsI.exe | malicious | Remcos | 192.210.150.26
  | l1QC9H0SNR.exe | malicious | Remcos | 192.210.150.26
  | MLxloAVuCZ.exe | malicious | Remcos | 192.3.64.152
  | bwYw3UUfy7.exe | malicious | Remcos | 192.210.150.26
  | Nuevo-orden.xla.xlsx | malicious | Unknown | 192.3.27.144
                                          No context
                                          No context
                                          Process:C:\Windows\SysWOW64\svchost.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):144
                                          Entropy (8bit):3.379519383183141
                                          Encrypted:false
                                          SSDEEP:3:rglsPlalpFi5JWRal2Jl+7R0DAlBG45klovDl6v:MlsPln5YcIeeDAlOWAv
                                          MD5:D7991E3631094CC87DADC2BAD00E381F
                                          SHA1:85D0435BE90C6F8A0532743471A7F084DD66EB9D
                                          SHA-256:FAE7EBF3F20CC8113D898E5B476B8903D2DC09CBADD75F5942632900BFBF036D
                                          SHA-512:5DEABCD6A5D79BFF8943BE148B6A5118584C6E0F4C9C5D55E68FB531F552371C5A3B36AECEFDC0A3E3D465885E37C1D5DEE446F4F8AC6C3E48DA7D025B9B1220
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                          Reputation:low
                                          Preview:....[.2.0.2.5./.0.1./.1.1. .0.3.:.0.6.:.3.7. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                          Process:C:\Users\user\Desktop\M6MafKT2pj.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:modified
                                          Size (bytes):1352704
                                          Entropy (8bit):7.320665182001936
                                          Encrypted:false
                                          SSDEEP:24576:Vu6J33O0c+JY5UZ+XC0kGso6FaKQ+KLJVQBZNsYfKxQfq+WY:3u0c++OCvkGs9FaKQLLJuB8owQiY
                                          MD5:848FCC30357BE982B8D107E6C45390A6
                                          SHA1:477C03E4F9FB45F9CA6AE04C79728474FFC4CF2A
                                          SHA-256:07B27D0E65F751737E5D9BEE0B78B5A56933264014B5171AE03F3C2C3B51AE0E
                                          SHA-512:A2ADDE1775886DB699B103742469C8675C56633CAC1C4B110947793B10C562D27CCD9FB482D5DCE5F1052684925E156F81F70169D1A56FA61C6CBF4515BB65EB
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 91%
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L....[g.........."..................}............@.......................................@...@.......@.....................L...|....p...........................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc........p......................@..@.reloc...q.......r...2..............@..B........................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\M6MafKT2pj.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):432084
                                          Entropy (8bit):7.986709624955639
                                          Encrypted:false
                                          SSDEEP:12288:ZKbFVn/sFcB/zoLmTwAczLAd5pdQiNejDdvyAbm6LEGEK5Z4634wD:srnLBtPkL8d+jAAbm6LEGEQTnD
                                          MD5:D2302D1D872717016055D5C011E77D57
                                          SHA1:01A9E85C6E7661E3C7F5F108FCB2315062F30B59
                                          SHA-256:7D930A783AEC2591FED6006A624528425D5198BC974CCB8C8241A9AFB82F11B1
                                          SHA-512:93FFFB752ADBF05B16AE1912C3342010C749CB13924F5B92DCA6A42A3D89909AA5CFDB406DC51EBD99479C91C13873A124B94519BA91D88CB1C8C6FFFD316595
                                          Malicious:false
                                          Reputation:low
                                          Preview:EA06......z..qH..f.m6.cE...*.>.6...3P.rr..Vj..-$._50..Jh...*[...pU.Tc.9.ac.Z.Uv....Y.N]o.U...1Z..ftYE.._..o.x..A!..iSI.p..5.W..z.y'.z..[.....Ntz.k.c........ef;...so.....N....).?..ux..g}8.J.g.{.../.s+.y.z.Z.)....)-.i.g..VFO .d.....yc.\7.....R....,l.._.."....,..@9..-.qH..&.h.[.#....;.L.4i...C...p.{.......S.<.E#5i.T.\.P....H....h......*8..&.."sA.Q.4`.6.2...Vq(...+U4.....e8.@.(~n..q..Pf.lUBc}.....Y.....r.0..C@.. 9.(..t).....oi.I.....N........1.......]E.c....QM..iTz.Z.@.../....=".H........I..y.......3...N....*.......s*.4.....(~...e......*k8.R...5z.1..".@....Y.\ms.....l.....H..@.J...'.N)..}.G5.......\..jtx(.)....|.Y.N........^....I.N'.:|.},.N{.X}.s......C...$.zLZ...C.t.....Df:....2...W:......"?.].]......B........k8.{..I......e./...q....9..A..]h.....I...w8..m......x.s*.....l"..U.3Z..o|..#v..9..Q1r0......2`..p... ..U.Mj......]...sP..t...8....`.q.........]b...%?[.Q.5....9........#..s@.....\G9...V.....|.p.C...6..p.X..+.L.....0.....]b. ..Q].\/@....r....+$
                                          Process:C:\Users\user\AppData\Local\Allene\semispheroidal.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):432084
                                          Entropy (8bit):7.986709624955639
                                          Encrypted:false
                                          SSDEEP:12288:ZKbFVn/sFcB/zoLmTwAczLAd5pdQiNejDdvyAbm6LEGEK5Z4634wD:srnLBtPkL8d+jAAbm6LEGEQTnD
                                          MD5:D2302D1D872717016055D5C011E77D57
                                          SHA1:01A9E85C6E7661E3C7F5F108FCB2315062F30B59
                                          SHA-256:7D930A783AEC2591FED6006A624528425D5198BC974CCB8C8241A9AFB82F11B1
                                          SHA-512:93FFFB752ADBF05B16AE1912C3342010C749CB13924F5B92DCA6A42A3D89909AA5CFDB406DC51EBD99479C91C13873A124B94519BA91D88CB1C8C6FFFD316595
                                          Malicious:false
                                          Preview:EA06......z..qH..f.m6.cE...*.>.6...3P.rr..Vj..-$._50..Jh...*[...pU.Tc.9.ac.Z.Uv....Y.N]o.U...1Z..ftYE.._..o.x..A!..iSI.p..5.W..z.y'.z..[.....Ntz.k.c........ef;...so.....N....).?..ux..g}8.J.g.{.../.s+.y.z.Z.)....)-.i.g..VFO .d.....yc.\7.....R....,l.._.."....,..@9..-.qH..&.h.[.#....;.L.4i...C...p.{.......S.<.E#5i.T.\.P....H....h......*8..&.."sA.Q.4`.6.2...Vq(...+U4.....e8.@.(~n..q..Pf.lUBc}.....Y.....r.0..C@.. 9.(..t).....oi.I.....N........1.......]E.c....QM..iTz.Z.@.../....=".H........I..y.......3...N....*.......s*.4.....(~...e......*k8.R...5z.1..".@....Y.\ms.....l.....H..@.J...'.N)..}.G5.......\..jtx(.)....|.Y.N........^....I.N'.:|.},.N{.X}.s......C...$.zLZ...C.t.....Df:....2...W:......"?.].]......B........k8.{..I......e./...q....9..A..]h.....I...w8..m......x.s*.....l"..U.3Z..o|..#v..9..Q1r0......2`..p... ..U.Mj......]...sP..t...8....`.q.........]b...%?[.Q.5....9........#..s@.....\G9...V.....|.p.C...6..p.X..+.L.....0.....]b. ..Q].\/@....r....+$
                                          Process:C:\Users\user\AppData\Local\Allene\semispheroidal.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):432084
                                          Entropy (8bit):7.986709624955639
                                          Encrypted:false
                                          SSDEEP:12288:ZKbFVn/sFcB/zoLmTwAczLAd5pdQiNejDdvyAbm6LEGEK5Z4634wD:srnLBtPkL8d+jAAbm6LEGEQTnD
                                          MD5:D2302D1D872717016055D5C011E77D57
                                          SHA1:01A9E85C6E7661E3C7F5F108FCB2315062F30B59
                                          SHA-256:7D930A783AEC2591FED6006A624528425D5198BC974CCB8C8241A9AFB82F11B1
                                          SHA-512:93FFFB752ADBF05B16AE1912C3342010C749CB13924F5B92DCA6A42A3D89909AA5CFDB406DC51EBD99479C91C13873A124B94519BA91D88CB1C8C6FFFD316595
                                          Malicious:false
                                          Preview:EA06......z..qH..f.m6.cE...*.>.6...3P.rr..Vj..-$._50..Jh...*[...pU.Tc.9.ac.Z.Uv....Y.N]o.U...1Z..ftYE.._..o.x..A!..iSI.p..5.W..z.y'.z..[.....Ntz.k.c........ef;...so.....N....).?..ux..g}8.J.g.{.../.s+.y.z.Z.)....)-.i.g..VFO .d.....yc.\7.....R....,l.._.."....,..@9..-.qH..&.h.[.#....;.L.4i...C...p.{.......S.<.E#5i.T.\.P....H....h......*8..&.."sA.Q.4`.6.2...Vq(...+U4.....e8.@.(~n..q..Pf.lUBc}.....Y.....r.0..C@.. 9.(..t).....oi.I.....N........1.......]E.c....QM..iTz.Z.@.../....=".H........I..y.......3...N....*.......s*.4.....(~...e......*k8.R...5z.1..".@....Y.\ms.....l.....H..@.J...'.N)..}.G5.......\..jtx(.)....|.Y.N........^....I.N'.:|.},.N{.X}.s......C...$.zLZ...C.t.....Df:....2...W:......"?.].]......B........k8.{..I......e./...q....9..A..]h.....I...w8..m......x.s*.....l"..U.3Z..o|..#v..9..Q1r0......2`..p... ..U.Mj......]...sP..t...8....`.q.........]b...%?[.Q.5....9........#..s@.....\G9...V.....|.p.C...6..p.X..+.L.....0.....]b. ..Q].\/@....r....+$
                                          Process:C:\Users\user\AppData\Local\Allene\semispheroidal.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):432084
                                          Entropy (8bit):7.986709624955639
                                          Encrypted:false
                                          SSDEEP:12288:ZKbFVn/sFcB/zoLmTwAczLAd5pdQiNejDdvyAbm6LEGEK5Z4634wD:srnLBtPkL8d+jAAbm6LEGEQTnD
                                          MD5:D2302D1D872717016055D5C011E77D57
                                          SHA1:01A9E85C6E7661E3C7F5F108FCB2315062F30B59
                                          SHA-256:7D930A783AEC2591FED6006A624528425D5198BC974CCB8C8241A9AFB82F11B1
                                          SHA-512:93FFFB752ADBF05B16AE1912C3342010C749CB13924F5B92DCA6A42A3D89909AA5CFDB406DC51EBD99479C91C13873A124B94519BA91D88CB1C8C6FFFD316595
                                          Malicious:false
                                          Preview:EA06......z..qH..f.m6.cE...*.>.6...3P.rr..Vj..-$._50..Jh...*[...pU.Tc.9.ac.Z.Uv....Y.N]o.U...1Z..ftYE.._..o.x..A!..iSI.p..5.W..z.y'.z..[.....Ntz.k.c........ef;...so.....N....).?..ux..g}8.J.g.{.../.s+.y.z.Z.)....)-.i.g..VFO .d.....yc.\7.....R....,l.._.."....,..@9..-.qH..&.h.[.#....;.L.4i...C...p.{.......S.<.E#5i.T.\.P....H....h......*8..&.."sA.Q.4`.6.2...Vq(...+U4.....e8.@.(~n..q..Pf.lUBc}.....Y.....r.0..C@.. 9.(..t).....oi.I.....N........1.......]E.c....QM..iTz.Z.@.../....=".H........I..y.......3...N....*.......s*.4.....(~...e......*k8.R...5z.1..".@....Y.\ms.....l.....H..@.J...'.N)..}.G5.......\..jtx(.)....|.Y.N........^....I.N'.:|.},.N{.X}.s......C...$.zLZ...C.t.....Df:....2...W:......"?.].]......B........k8.{..I......e./...q....9..A..]h.....I...w8..m......x.s*.....l"..U.3Z..o|..#v..9..Q1r0......2`..p... ..U.Mj......]...sP..t...8....`.q.........]b...%?[.Q.5....9........#..s@.....\G9...V.....|.p.C...6..p.X..+.L.....0.....]b. ..Q].\/@....r....+$
                                          Process:C:\Users\user\AppData\Local\Allene\semispheroidal.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):432084
                                          Entropy (8bit):7.986709624955639
                                          Encrypted:false
                                          SSDEEP:12288:ZKbFVn/sFcB/zoLmTwAczLAd5pdQiNejDdvyAbm6LEGEK5Z4634wD:srnLBtPkL8d+jAAbm6LEGEQTnD
                                          MD5:D2302D1D872717016055D5C011E77D57
                                          SHA1:01A9E85C6E7661E3C7F5F108FCB2315062F30B59
                                          SHA-256:7D930A783AEC2591FED6006A624528425D5198BC974CCB8C8241A9AFB82F11B1
                                          SHA-512:93FFFB752ADBF05B16AE1912C3342010C749CB13924F5B92DCA6A42A3D89909AA5CFDB406DC51EBD99479C91C13873A124B94519BA91D88CB1C8C6FFFD316595
                                          Malicious:false
                                          Preview:EA06......z..qH..f.m6.cE...*.>.6...3P.rr..Vj..-$._50..Jh...*[...pU.Tc.9.ac.Z.Uv....Y.N]o.U...1Z..ftYE.._..o.x..A!..iSI.p..5.W..z.y'.z..[.....Ntz.k.c........ef;...so.....N....).?..ux..g}8.J.g.{.../.s+.y.z.Z.)....)-.i.g..VFO .d.....yc.\7.....R....,l.._.."....,..@9..-.qH..&.h.[.#....;.L.4i...C...p.{.......S.<.E#5i.T.\.P....H....h......*8..&.."sA.Q.4`.6.2...Vq(...+U4.....e8.@.(~n..q..Pf.lUBc}.....Y.....r.0..C@.. 9.(..t).....oi.I.....N........1.......]E.c....QM..iTz.Z.@.../....=".H........I..y.......3...N....*.......s*.4.....(~...e......*k8.R...5z.1..".@....Y.\ms.....l.....H..@.J...'.N)..}.G5.......\..jtx(.)....|.Y.N........^....I.N'.:|.},.N{.X}.s......C...$.zLZ...C.t.....Df:....2...W:......"?.].]......B........k8.{..I......e./...q....9..A..]h.....I...w8..m......x.s*.....l"..U.3Z..o|..#v..9..Q1r0......2`..p... ..U.Mj......]...sP..t...8....`.q.........]b...%?[.Q.5....9........#..s@.....\G9...V.....|.p.C...6..p.X..+.L.....0.....]b. ..Q].\/@....r....+$
                                          Process:C:\Users\user\Desktop\M6MafKT2pj.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):494592
                                          Entropy (8bit):7.669952843573994
                                          Encrypted:false
                                          SSDEEP:6144:NvC2nLnJH7H9eZqqC1hVqvkere3nvM7XCtCMPvjBIuBfJtntktceKx2YkdNEjfMz:Nv/LnV7HIZ03qMrEUZnjeuDzRx2YknRl
                                          MD5:9E287CF0E603F30CB9122A150F58BC78
                                          SHA1:80396C204DEF66C4688FC8815509BB1D3DE7168B
                                          SHA-256:6CAF1DF0DACFA64C525647282EE449B529CF49F5316330496BE4081D5257A6E5
                                          SHA-512:684C53328842D8FD053DDDB8E575A59D40ABEECEADA56FFBCBA7C5C33BECB87C237A61F6F5B6B17706274B41B0A2DF86A1D3E2679F9B45F5F5B13D33DF76B538
                                          Malicious:false
                                          Preview:{..9688H=A0F..1E.2D2COE6.G9588H9A0FYV1EI2D2COE6SG9588H9A0FYV)DI2J-.AE.Z...9t...X/*vA7&U6S.o&W=)VA.Z-.3E(y?_e.}... !S}J4?.8H9A0FYZJ.dz^.=._.-.#.F...?k\.(..lL.(.1..w9o/.F.[.N.C.O..#:xY.;...Fg".6...9+L.;.v.M)U.H.%|Ki".G.*.' *.7...<c_.-.}.FqR.?...)x_.L.[ '.,.99588H9A0FYV1EI2D2COE6SG9e}8Hu@7F...#I2D2COE6.G;439F9ABCYV'GI2D2C..5SG)588.<A0F.V1UI2D0CO@6RG9588M9@0FYV1Ei:D2GOE6SG9788.9A FYF1EI2T2C_E6SG95(8H9A0FYV1EI..4CKD6SG.28..9A0FYV1EI2D2COE6SG9.?8..A0..P1}I2D2COE6SG9588H9A0F..7EQ2D2.C6.G9588H9A0FYV.@I2A2COE6SG9588H9A0FYV1EI2D2COkB6?M588.HD0FIV1E;7D2GOE6SG9588H9A0FyV1%g@ S7.E6.>858.M9AJGYVG@I2D2COE6SG958xH9.."8"PEI2.oCOE&TG9;88H.G0FYV1EI2D2COEvSG..LT;9A0FPV1EIBC2CME6S.?588H9A0FYV1EIrD2.a"P:#J58.J9A0.^V1AI2D2DOE6SG9588H9A0.YVqk;A6QCOE..G95.?H9.0FYR6EI2D2COE6SG95x8HyoB#59REI..2CO.1SG.588.>A0FYV1EI2D2CO.6S.9588H9A0FYV1EI2D2COE6SG9588H9A0FYV1EI2D2COE6SG9588H9A0FYV1EI2D2COE6SG9588H9A0FYV1EI2D2COE6SG9588H9A0FYV1EI2D2COE6SG9588H9A0FYV1EI2D2COE6SG9588H9A0FYV1EI2D2COE6SG9588H9A0FYV1EI2D2COE6SG9588H9A0
                                          Process:C:\Users\user\AppData\Local\Allene\semispheroidal.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):290
                                          Entropy (8bit):3.411744385569589
                                          Encrypted:false
                                          SSDEEP:6:DMM8lfm3OOQdUfclMMlW8g1UEZ+lX1klAD/iiVWQdnriIM8lfQVn:DsO+vNlMkXg1Q1klAD/imRmA2n
                                          MD5:B4F0F1E9BACB37E3FE184A03A48267A4
                                          SHA1:95974BB7102C433CA8940AD3107F049B0CC014B7
                                          SHA-256:F6C78189E841AAAC87FC7CBAF80C7FB03718888B52EE9B41E76776680289AAA8
                                          SHA-512:E9CA1FE5FA112CEC37F33213F0F496209E882177F4F7ECCFD672C7A6416CB545A5F48D1EC28C85304C7CA2762911E213528B3F11D2459DFD47431A5444DD4283
                                          Malicious:true
                                          Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.A.l.l.e.n.e.\.s.e.m.i.s.p.h.e.r.o.i.d.a.l...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Entropy (8bit):7.320665182001936
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:M6MafKT2pj.exe
                                          File size:1'352'704 bytes
                                          MD5:848fcc30357be982b8d107e6c45390a6
                                          SHA1:477c03e4f9fb45f9ca6ae04c79728474ffc4cf2a
                                          SHA256:07b27d0e65f751737e5d9bee0b78b5a56933264014b5171ae03f3c2c3b51ae0e
                                          SHA512:a2adde1775886db699b103742469c8675c56633cac1c4b110947793b10c562d27ccd9fb482d5dce5f1052684925e156f81f70169d1a56fa61c6cbf4515bb65eb
                                          SSDEEP:24576:Vu6J33O0c+JY5UZ+XC0kGso6FaKQ+KLJVQBZNsYfKxQfq+WY:3u0c++OCvkGs9FaKQLLJuB8owQiY
                                          TLSH:3B55DF2273DDC360CB669173BF69B7016E7F7C214630B85B2F880D7DA950162266D7A3
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                          Icon Hash:aaf3e3e3938382a0
                                          Entrypoint:0x427dcd
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x675B88D6 [Fri Dec 13 01:07:34 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:5
                                          OS Version Minor:1
                                          File Version Major:5
                                          File Version Minor:1
                                          Subsystem Version Major:5
                                          Subsystem Version Minor:1
                                          Import Hash:afcdf79be1557326c854b6e20cb900a7
                                          Instruction
                                          call 00007F884CE3711Ah
                                          jmp 00007F884CE29EE4h
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          push edi
                                          push esi
                                          mov esi, dword ptr [esp+10h]
                                          mov ecx, dword ptr [esp+14h]
                                          mov edi, dword ptr [esp+0Ch]
                                          mov eax, ecx
                                          mov edx, ecx
                                          add eax, esi
                                          cmp edi, esi
                                          jbe 00007F884CE2A06Ah
                                          cmp edi, eax
                                          jc 00007F884CE2A3CEh
                                          bt dword ptr [004C31FCh], 01h
                                          jnc 00007F884CE2A069h
                                          rep movsb
                                          jmp 00007F884CE2A37Ch
                                          cmp ecx, 00000080h
                                          jc 00007F884CE2A234h
                                          mov eax, edi
                                          xor eax, esi
                                          test eax, 0000000Fh
                                          jne 00007F884CE2A070h
                                          bt dword ptr [004BE324h], 01h
                                          jc 00007F884CE2A540h
                                          bt dword ptr [004C31FCh], 00000000h
                                          jnc 00007F884CE2A20Dh
                                          test edi, 00000003h
                                          jne 00007F884CE2A21Eh
                                          test esi, 00000003h
                                          jne 00007F884CE2A1FDh
                                          bt edi, 02h
                                          jnc 00007F884CE2A06Fh
                                          mov eax, dword ptr [esi]
                                          sub ecx, 04h
                                          lea esi, dword ptr [esi+04h]
                                          mov dword ptr [edi], eax
                                          lea edi, dword ptr [edi+04h]
                                          bt edi, 03h
                                          jnc 00007F884CE2A073h
                                          movq xmm1, qword ptr [esi]
                                          sub ecx, 08h
                                          lea esi, dword ptr [esi+08h]
                                          movq qword ptr [edi], xmm1
                                          lea edi, dword ptr [edi+08h]
                                          test esi, 00000007h
                                          je 00007F884CE2A0C5h
                                          bt esi, 03h
                                          jnc 00007F884CE2A118h
                                          Programming Language:
                                          • [ASM] VS2013 build 21005
                                          • [ C ] VS2013 build 21005
                                          • [C++] VS2013 build 21005
                                          • [ C ] VS2008 SP1 build 30729
                                          • [IMP] VS2008 SP1 build 30729
                                          • [ASM] VS2013 UPD4 build 31101
                                          • [RES] VS2013 build 21005
                                          • [LNK] VS2013 UPD4 build 31101
                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x81ac8 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x149000 | 0x711c | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .rsrc | 0xc7000 | 0x81ac8 | 0x81c00 | 4f45d5afabcd17d2ddaa9bbfed06cbb1 | False | 0.9493372922687862 | data | 7.938355010344865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc | 0x149000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                          RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                          RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                          RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                          RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                          RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                          RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                          RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                          RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                          RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                          RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                          RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                          RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
                                          RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                          RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                                          RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                          RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                          RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                          RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                          RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                          RT_RCDATA | 0xcf7b8 | 0x78d8f | data | | | 1.0003252584390423
                                          RT_GROUP_ICON | 0x148548 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                          RT_GROUP_ICON | 0x1485c0 | 0x14 | data | English | Great Britain | 1.25
                                          RT_GROUP_ICON | 0x1485d4 | 0x14 | data | English | Great Britain | 1.15
                                          RT_GROUP_ICON | 0x1485e8 | 0x14 | data | English | Great Britain | 1.25
                                          RT_VERSION | 0x1485fc | 0xdc | data | English | Great Britain | 0.6181818181818182
                                          RT_MANIFEST | 0x1486d8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                           DLL | Imports
                                           WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                           VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                           WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                           COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                           MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                           WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                           PSAPI.DLL | GetProcessMemoryInfo
                                           IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                           USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                           UxTheme.dll | IsThemeActive
                                           KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                           USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                           GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                           COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                                           ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                           SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                           ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                           OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
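
The import table above is the AutoIt3 interpreter's, which the report's "Binary is likely a compiled AutoIt script file" verdict explains: a compiled AutoIt script is the stock interpreter with the script appended, so every such binary carries this same set (mciSendStringW, IcmpSendEcho, SHEmptyRecycleBinW, BlockInput and the rest are AutoIt built-in functions). It therefore describes what the interpreter can reach, not what this particular script does; the keyboard hook the report flags is not imported here (no SetWindowsHookExW) because it is resolved at run time or installed by the injected Remcos payload. A capability triage over the table is still worth running, as it shows which primitives (remote-process writes, token handling, the COM moniker path CMSTPLUA elevation goes through) the dropper has at hand. The following is an added example, not Joe Sandbox's or the sample's code; the capability sets, their thresholds and the trimmed copy of the import rows are this example's own.

```python
"""Capability triage of a PE import table.

Added example, not part of the Joe Sandbox report. IMPORT_TABLE is a
trimmed copy of the "DLL | Imports" rows above; the capability map and
its thresholds are this example's own.
"""

# Constructed input: the report's import rows, cut down to the DLLs the
# capability map looks at. Format: "<dll>: <api>, <api>, ..."
IMPORT_TABLE = """\
WSOCK32.dll: WSACleanup, socket, inet_ntoa, setsockopt, recvfrom, WSAStartup, select, accept, listen, bind, closesocket, recv, sendto, send, inet_addr, gethostbyname, connect
KERNEL32.dll: OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, VirtualFreeEx, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CreateProcessW, ResumeThread, IsDebuggerPresent
USER32.dll: GetAsyncKeyState, GetKeyboardState, SetKeyboardState, GetKeyState, keybd_event, SendInput, BlockInput, OpenClipboard, GetClipboardData, SetClipboardData, EmptyClipboard, SystemParametersInfoW, ExitWindowsEx
ADVAPI32.dll: AdjustTokenPrivileges, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, LogonUserW, CheckTokenMembership, RegSetValueExW, RegCreateKeyExW
ole32.dll: CoCreateInstance, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
"""

# capability -> (APIs that together express it, how many must be present)
CAPABILITIES = {
    # write-into-another-process set; CreateRemoteThread is listed although this
    # table lacks it, so the rule also fits injectors that use it instead of
    # the CreateProcessW + WriteProcessMemory + ResumeThread (hollowing) route
    "remote_process_write": ({"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                              "CreateRemoteThread", "ResumeThread"}, 3),
    "process_enumeration": ({"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, 3),
    # SetWindowsHookExW is the hook API the report's signature refers to; it is
    # absent from this table (see the lead-in), so the key-state APIs carry the rule
    "keyboard_capture": ({"GetAsyncKeyState", "GetKeyboardState", "GetKeyState", "SetWindowsHookExW"}, 2),
    "clipboard_access": ({"OpenClipboard", "GetClipboardData", "SetClipboardData"}, 2),
    "input_blocking": ({"BlockInput"}, 1),
    "token_manipulation": ({"AdjustTokenPrivileges", "DuplicateTokenEx", "CreateProcessAsUserW", "LogonUserW"}, 2),
    # CoGetObject is the call an "Elevation:Administrator!new:{CLSID}" moniker
    # (the CMSTPLUA ICMLuaUtil technique) goes through
    "com_elevation_moniker": ({"CoGetObject", "CoSetProxyBlanket"}, 2),
    "raw_sockets": ({"socket", "connect", "send", "recv"}, 4),
    "anti_debug": ({"IsDebuggerPresent"}, 1),
}


def parse_imports(text):
    """'dll: a, b, c' lines -> {dll: {apis}}; lines without a colon are skipped."""
    table = {}
    for line in text.splitlines():
        dll, sep, apis = line.partition(":")
        if not sep:
            continue
        table[dll.strip()] = {a.strip() for a in apis.split(",") if a.strip()}
    return table


def triage_imports(imports):
    """{capability: sorted matching APIs} for every capability whose threshold is met."""
    present = set().union(*imports.values())
    hits = {}
    for cap, (apis, minimum) in CAPABILITIES.items():
        matched = present & apis
        if len(matched) >= minimum:
            hits[cap] = sorted(matched)
    return hits


if __name__ == "__main__":
    for cap, apis in triage_imports(parse_imports(IMPORT_TABLE)).items():
        print(f"{cap:24s} {', '.join(apis)}")
```

Every capability in the map fires on this table, which is the point of the caveat: the same result comes out of any compiled AutoIt binary, benign or not. Use the triage to decide what to look for next (the appended script, the RCDATA blob with ZLIB complexity 1.0, the memory dumps), not as a verdict on its own.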
                                           Language of compilation system | Country where language is spoken
                                           English | Great Britain
                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Jan 11, 2025 07:24:56.394222975 CET | 49807 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:24:56.399085045 CET | 2559 | 49807 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:24:56.399143934 CET | 49807 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:24:56.404836893 CET | 49807 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:24:56.410474062 CET | 2559 | 49807 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:25:17.774910927 CET | 2559 | 49807 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:25:17.775094032 CET | 49807 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:25:17.777096033 CET | 49807 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:25:17.781946898 CET | 2559 | 49807 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:25:18.780039072 CET | 49944 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:25:18.784872055 CET | 2559 | 49944 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:25:18.785100937 CET | 49944 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:25:18.790301085 CET | 49944 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:25:18.795162916 CET | 2559 | 49944 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:25:40.133991957 CET | 2559 | 49944 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:25:40.134144068 CET | 49944 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:25:40.137501001 CET | 49944 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:25:40.142285109 CET | 2559 | 49944 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:25:41.139484882 CET | 49971 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:25:41.144315004 CET | 2559 | 49971 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:25:41.144411087 CET | 49971 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:25:41.158023119 CET | 49971 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:25:41.162781954 CET | 2559 | 49971 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:26:02.513822079 CET | 2559 | 49971 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:26:02.513911009 CET | 49971 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:02.514183044 CET | 49971 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:02.519386053 CET | 2559 | 49971 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:26:03.530924082 CET | 49972 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:03.535725117 CET | 2559 | 49972 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:26:03.536040068 CET | 49972 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:03.540282965 CET | 49972 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:03.545056105 CET | 2559 | 49972 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:26:24.918402910 CET | 2559 | 49972 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:26:24.918482065 CET | 49972 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:24.918562889 CET | 49972 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:24.923434973 CET | 2559 | 49972 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:26:25.920974016 CET | 49973 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:25.925837040 CET | 2559 | 49973 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:26:25.925930977 CET | 49973 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:25.929358959 CET | 49973 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:25.934288025 CET | 2559 | 49973 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:26:47.311784029 CET | 2559 | 49973 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:26:47.311881065 CET | 49973 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:47.311917067 CET | 49973 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:47.316736937 CET | 2559 | 49973 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:26:48.327713966 CET | 49974 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:48.332751036 CET | 2559 | 49974 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:26:48.332915068 CET | 49974 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:48.336595058 CET | 49974 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:26:48.341398954 CET | 2559 | 49974 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:27:09.714751959 CET | 2559 | 49974 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:27:09.714834929 CET | 49974 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:09.714920998 CET | 49974 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:09.719769955 CET | 2559 | 49974 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:27:10.718717098 CET | 49975 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:10.723614931 CET | 2559 | 49975 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:27:10.723747015 CET | 49975 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:10.727844000 CET | 49975 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:10.732579947 CET | 2559 | 49975 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:27:32.090955019 CET | 2559 | 49975 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:27:32.092603922 CET | 49975 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:32.092664957 CET | 49975 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:32.097511053 CET | 2559 | 49975 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:27:33.512033939 CET | 49976 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:33.517000914 CET | 2559 | 49976 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:27:33.517067909 CET | 49976 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:33.538305044 CET | 49976 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:33.543067932 CET | 2559 | 49976 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:27:54.872028112 CET | 2559 | 49976 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:27:54.874470949 CET | 49976 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:54.874670029 CET | 49976 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:54.879431009 CET | 2559 | 49976 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:27:55.890840054 CET | 49977 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:55.896560907 CET | 2559 | 49977 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:27:55.896651030 CET | 49977 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:55.901081085 CET | 49977 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:27:55.907052994 CET | 2559 | 49977 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:28:17.263075113 CET | 2559 | 49977 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:28:17.265312910 CET | 49977 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:28:17.265381098 CET | 49977 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:28:17.270181894 CET | 2559 | 49977 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:28:18.281481028 CET | 49978 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:28:18.286480904 CET | 2559 | 49978 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:28:18.286592007 CET | 49978 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:28:18.290119886 CET | 49978 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:28:18.294910908 CET | 2559 | 49978 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:28:39.654185057 CET | 2559 | 49978 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:28:39.654283047 CET | 49978 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:28:39.654398918 CET | 49978 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:28:39.659168959 CET | 2559 | 49978 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:28:40.812593937 CET | 49979 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:28:40.817575932 CET | 2559 | 49979 | 192.3.64.152 | 192.168.2.7
                                           Jan 11, 2025 07:28:40.817658901 CET | 49979 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:28:40.821402073 CET | 49979 | 2559 | 192.168.2.7 | 192.3.64.152
                                           Jan 11, 2025 07:28:40.826248884 CET | 2559 | 49979 | 192.3.64.152 | 192.168.2.7
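
Every row in the table above is traffic between the sandbox host and 192.3.64.152 on TCP 2559, and the client source port changes about every 22 seconds: roughly 21.4 s into each connection the server sends a packet, the client answers, and about a second later the client opens a fresh connection from the next ephemeral port. That is the Remcos reconnect loop as seen on the wire, and it is detectable from flow metadata alone, with no payload. The following is an added example, not part of the report: it groups packets by client source port, takes the earliest client packet of each connection as its start time, and tests the intervals between successive starts for low jitter. PACKETS is a constructed subset copied from the table (the complete first connection plus the first packet of each later one); the 10 % jitter threshold and the minimum of five intervals are this example's own choices.

```python
"""Beacon-interval test over the report's packet rows.

Added example, not part of the Joe Sandbox report. PACKETS is a constructed
subset of the network table above; the grouping and thresholds are this
example's own.
"""
from datetime import datetime
from statistics import mean, pstdev

# Constructed subset of the report's table: the whole first connection
# (source port 49807) and the first client packet of every later one.
# Columns: timestamp | source port | dest port | source IP | dest IP
PACKETS = """\
Jan 11, 2025 07:24:56.394222975 CET | 49807 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:24:56.399085045 CET | 2559 | 49807 | 192.3.64.152 | 192.168.2.7
Jan 11, 2025 07:24:56.399143934 CET | 49807 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:24:56.404836893 CET | 49807 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:24:56.410474062 CET | 2559 | 49807 | 192.3.64.152 | 192.168.2.7
Jan 11, 2025 07:25:17.774910927 CET | 2559 | 49807 | 192.3.64.152 | 192.168.2.7
Jan 11, 2025 07:25:17.775094032 CET | 49807 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:25:17.777096033 CET | 49807 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:25:17.781946898 CET | 2559 | 49807 | 192.3.64.152 | 192.168.2.7
Jan 11, 2025 07:25:18.780039072 CET | 49944 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:25:41.139484882 CET | 49971 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:26:03.530924082 CET | 49972 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:26:25.920974016 CET | 49973 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:26:48.327713966 CET | 49974 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:27:10.718717098 CET | 49975 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:27:33.512033939 CET | 49976 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:27:55.890840054 CET | 49977 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:28:18.281481028 CET | 49978 | 2559 | 192.168.2.7 | 192.3.64.152
Jan 11, 2025 07:28:40.812593937 CET | 49979 | 2559 | 192.168.2.7 | 192.3.64.152
"""

EPOCH = datetime(1970, 1, 1)


def parse_timestamp(text):
    """'Jan 11, 2025 07:24:56.394222975 CET' -> seconds as a float.

    strptime's %f stops at microseconds, so the 9-digit fraction is split off
    by hand. The zone suffix is dropped: only differences are used here.
    """
    stamp, frac_and_zone = text.split(".", 1)
    frac = frac_and_zone.split()[0]
    whole = datetime.strptime(stamp, "%b %d, %Y %H:%M:%S")
    return (whole - EPOCH).total_seconds() + int(frac) / 10 ** len(frac)


def connection_starts(rows, dst_ip, dst_port):
    """Earliest client packet per (src IP, src port) towards dst_ip:dst_port, sorted."""
    first = {}
    for line in rows.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = [c.strip() for c in line.split("|")]
        if dip != dst_ip or int(dport) != dst_port:
            continue  # server->client rows and unrelated flows
        key = (sip, int(sport))
        t = parse_timestamp(ts)
        first[key] = min(t, first.get(key, t))
    return sorted(first.values())


def analyze_beacons(rows, dst_ip, dst_port, max_jitter=0.10, min_intervals=5):
    """Flag periodic reconnects: many connections whose start-to-start gaps barely vary."""
    starts = connection_starts(rows, dst_ip, dst_port)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if len(gaps) < min_intervals:
        return {"connections": len(starts), "beaconing": False, "reason": "too few intervals"}
    avg = mean(gaps)
    jitter = pstdev(gaps) / avg if avg else float("inf")
    return {
        "connections": len(starts),
        "mean_interval": avg,
        "jitter_ratio": jitter,
        "beaconing": jitter < max_jitter,
    }


if __name__ == "__main__":
    print(analyze_beacons(PACKETS, "192.3.64.152", 2559))
```

On these rows the mean start-to-start interval is about 22.4 s with a population standard deviation of roughly 0.13 s, far below the threshold. In a real capture, run the test per (source IP, destination IP, destination port) so that unrelated flows to the same host do not dilute the interval set, and treat the absolute 22 s as a property of this sample's configuration: the signal to alert on is the low jitter, not the number.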


                                          Target ID:1
                                          Start time:01:24:33
                                          Start date:11/01/2025
                                          Path:C:\Users\user\Desktop\M6MafKT2pj.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\M6MafKT2pj.exe"
                                          Imagebase:0xa40000
                                          File size:1'352'704 bytes
                                          MD5 hash:848FCC30357BE982B8D107E6C45390A6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:3
                                          Start time:01:24:37
                                          Start date:11/01/2025
                                          Path:C:\Users\user\AppData\Local\Allene\semispheroidal.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\M6MafKT2pj.exe"
                                          Imagebase:0x9c0000
                                          File size:1'352'704 bytes
                                          MD5 hash:848FCC30357BE982B8D107E6C45390A6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.1396865351.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 91%, ReversingLabs
                                          Reputation:low
                                          Has exited:true

                                          Target ID:4
                                          Start time:01:24:41
                                          Start date:11/01/2025
                                          Path:C:\Windows\SysWOW64\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\M6MafKT2pj.exe"
                                          Imagebase:0x560000
                                          File size:46'504 bytes
                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:01:24:41
                                          Start date:11/01/2025
                                          Path:C:\Users\user\AppData\Local\Allene\semispheroidal.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
                                          Imagebase:0x9c0000
                                          File size:1'352'704 bytes
                                          MD5 hash:848FCC30357BE982B8D107E6C45390A6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.1433093141.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low
                                          Has exited:true

                                          Target ID:6
                                          Start time:01:24:43
                                          Start date:11/01/2025
                                          Path:C:\Windows\SysWOW64\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
                                          Imagebase:0x560000
                                          File size:46'504 bytes
                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:7
                                          Start time:01:24:44
                                          Start date:11/01/2025
                                          Path:C:\Users\user\AppData\Local\Allene\semispheroidal.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
                                          Imagebase:0x9c0000
                                          File size:1'352'704 bytes
                                          MD5 hash:848FCC30357BE982B8D107E6C45390A6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000007.00000002.1465464829.0000000001850000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low
                                          Has exited:true

                                          Target ID:8
                                          Start time:01:24:47
                                          Start date:11/01/2025
                                          Path:C:\Windows\SysWOW64\svchost.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
                                          Imagebase:0x560000
                                          File size:46'504 bytes
                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.1464852260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1465308232.0000000003000000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          Target ID:9
                                          Start time:01:24:48
                                          Start date:11/01/2025
                                          Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                          Wow64 process (32bit):true
                                          Commandline:"c:\program files (x86)\internet explorer\iexplore.exe"
                                          Imagebase:0xad0000
                                          File size:828'368 bytes
                                          MD5 hash:6F0F06D6AB125A99E43335427066A4A1
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:11
                                          Start time:03:06:32
                                          Start date:11/01/2025
                                          Path:C:\Windows\System32\wscript.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs"
                                          Imagebase:0x7ff606af0000
                                          File size:170'496 bytes
                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:12
                                          Start time:03:06:33
                                          Start date:11/01/2025
                                          Path:C:\Users\user\AppData\Local\Allene\semispheroidal.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
                                          Imagebase:0x9c0000
                                          File size:1'352'704 bytes
                                          MD5 hash:848FCC30357BE982B8D107E6C45390A6
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.1553122848.0000000003400000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low
                                          Has exited:true

                                          Target ID:13
                                          Start time:03:06:37
                                          Start date:11/01/2025
                                          Path:C:\Windows\SysWOW64\svchost.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
                                          Imagebase:0x560000
                                          File size:46'504 bytes
                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.3786369544.000000000491F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000D.00000002.3785307895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.3785980295.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.3785937114.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:false

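                                          The process tree above carries the two host-side indicators a responder would hunt for first: Target IDs 8 and 13 are svchost.exe images whose command line names semispheroidal.exe (the dropped Remcos payload is hollowed into a trusted system binary), and Target ID 11 is wscript.exe executing a .vbs from the per-user Startup folder (the persistence the "Drops script at startup location" Sigma hit refers to). The following script is an added example, not part of the Joe Sandbox report or its tooling: it parses process records in the report's own key:value layout (a constructed sample transcribed from Target IDs 8, 9, 11 and 12 is embedded) and flags image/command-line mismatches, script hosts run out of the Startup folder, and Yara hits naming Remcos. The function names and the check thresholds are assumptions for illustration.

```python
"""Triage checks over a Joe Sandbox style process list (added example).

Flags three indicators the report itself surfaces:
  * a process whose image path does not match the executable named on
    its command line (process hollowing / injection into a system binary)
  * a script host (wscript.exe / cscript.exe) launched on a file inside
    the per-user Startup folder (persistence)
  * Yara matches naming the Remcos RAT
"""
import ntpath
import re

# Constructed sample: records transcribed from the report's process tree
# (Target IDs 8, 9, 11, 12). Only the fields the checks need are kept.
SAMPLE_REPORT = r"""
Target ID:8
Path:C:\Windows\SysWOW64\svchost.exe
Commandline:"C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security

Target ID:9
Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:"c:\program files (x86)\internet explorer\iexplore.exe"

Target ID:11
Path:C:\Windows\System32\wscript.exe
Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\semispheroidal.vbs"

Target ID:12
Path:C:\Users\user\AppData\Local\Allene\semispheroidal.exe
Commandline:"C:\Users\user\AppData\Local\Allene\semispheroidal.exe"
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Per-user Startup folder suffix, compared case-insensitively (assumed path layout).
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse_report(text):
    """Split the report into per-process dicts; Yara bullets become a rule list."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        proc = {"yara": []}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("•"):
                m = re.match(r"•\s*Rule:\s*([^,]+)", line)
                if m:
                    proc["yara"].append(m.group(1).strip())
            elif ":" in line:
                key, _, value = line.partition(":")
                proc[key.strip().lower()] = value.strip()
        procs.append(proc)
    return procs


def tokens(cmdline):
    """Windows-style argument split: quoted strings stay whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def check_process(proc):
    """Return a list of human-readable findings for one process record."""
    findings = []
    image = ntpath.basename(proc.get("path", "")).lower()
    args = tokens(proc.get("commandline", ""))
    exe = ntpath.basename(args[0]).lower() if args else ""

    # 1. Hollowing / injection: the mapped image is not the file named on argv[0].
    if image and exe and image != exe:
        findings.append(f"image/commandline mismatch: {image} running as {exe} "
                        "(possible hollowing/injection)")

    # 2. Persistence: a script host executing something from the Startup folder.
    if image in SCRIPT_HOSTS:
        for arg in args[1:]:
            if STARTUP_DIR in arg.lower():
                findings.append(f"{image} executing {ntpath.basename(arg)} "
                                "from the Startup folder (persistence)")

    # 3. Known-family Yara hits.
    rat_rules = [r for r in proc["yara"] if "remcos" in r.lower()]
    if rat_rules:
        findings.append("Yara: " + ", ".join(rat_rules))
    return findings


def triage(text):
    """Map Target ID -> findings for every process in the report text."""
    return {p.get("target id", "?"): check_process(p) for p in parse_report(text)}


if __name__ == "__main__":
    for tid, hits in triage(SAMPLE_REPORT).items():
        print(f"Target {tid}:", hits or ["no findings"])
```

                                          On this sample the mismatch check fires on Target 8 alone (svchost.exe carrying semispheroidal.exe's command line), the Startup check on Target 11, and the Yara check on 8 and 12; iexplore.exe (Target 9) produces nothing. The same three checks map directly onto EDR telemetry (image path versus command line from process-creation events, plus the script-host rule), which is where they belong in production.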

                                            Execution Graph

                                            Execution Coverage:3.4%
                                            Dynamic/Decrypted Code Coverage:0.4%
                                            Signature Coverage:6.3%
                                            Total number of Nodes:2000
                                            Total number of Limit Nodes:71
                                            execution_graph: node/edge listing of the interactive graph, not reproduced here. API nodes named in the graph include DecodePointer, EncodePointer, RaiseException, RtlAllocateHeap, RtlFreeHeap, GetLastError, GetModuleHandleExW, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, CharUpperBuffW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, LockWindowUpdate, DestroyWindow, Sleep, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, GetExitCodeProcess, CloseHandle, VariantClear, GetFileAttributesW, LoadLibraryExW and FreeLibrary.
105282 a7d5b4 105281->105282 105288 a7d532 105281->105288 105282->105268 105284 a7d59f 105282->105284 105283 a479f2 59 API calls 105283->105289 105286 a47bcc 59 API calls 105284->105286 105285 a7d590 105287 a47bcc 59 API calls 105285->105287 105286->105289 105287->105289 105288->105285 105292 a7d57b 105288->105292 105289->105263 105289->105283 105779 a47924 59 API calls 2 library calls 105289->105779 105291->105084 105293 a47bcc 59 API calls 105292->105293 105293->105289 105295 a47e4f 59 API calls 105294->105295 105296 a479fd 105295->105296 105296->105091 105296->105093 105298 a47b40 105297->105298 105299 a7ec6b 105297->105299 105781 a47a51 105298->105781 105787 a97bdb 59 API calls _memmove 105299->105787 105302 a47b4c 105302->105100 105303 a7ec75 105304 a48047 59 API calls 105303->105304 105305 a7ec7d Mailbox 105304->105305 105307 aa408d 105306->105307 105308 aa4092 105307->105308 105309 aa40a0 105307->105309 105311 a48047 59 API calls 105308->105311 105310 a47667 59 API calls 105309->105310 105312 aa40a8 105310->105312 105313 aa409b Mailbox 105311->105313 105314 a47667 59 API calls 105312->105314 105313->105108 105315 aa40b0 105314->105315 105316 a47667 59 API calls 105315->105316 105317 aa40bb 105316->105317 105318 a47667 59 API calls 105317->105318 105319 aa40c3 105318->105319 105320 a47667 59 API calls 105319->105320 105321 aa40cb 105320->105321 105322 a47667 59 API calls 105321->105322 105323 aa40d3 105322->105323 105324 a47667 59 API calls 105323->105324 105325 aa40db 105324->105325 105326 a47667 59 API calls 105325->105326 105327 aa40e3 105326->105327 105328 a4459b 59 API calls 105327->105328 105329 aa40fa 105328->105329 105330 a4459b 59 API calls 105329->105330 105331 aa4113 105330->105331 105332 a479f2 59 API calls 105331->105332 105333 aa411f 105332->105333 105334 aa4132 105333->105334 105335 a47d2c 59 API calls 105333->105335 105336 a479f2 59 API calls 105334->105336 105335->105334 105337 aa413b 105336->105337 105338 aa414b 105337->105338 105339 a47d2c 
59 API calls 105337->105339 105340 a48047 59 API calls 105338->105340 105339->105338 105341 aa4157 105340->105341 105342 a47b2e 59 API calls 105341->105342 105343 aa4163 105342->105343 105788 aa4223 59 API calls 105343->105788 105345 aa4172 105789 aa4223 59 API calls 105345->105789 105347 aa4185 105348 a479f2 59 API calls 105347->105348 105349 aa418f 105348->105349 105350 aa41a6 105349->105350 105351 aa4194 105349->105351 105353 a479f2 59 API calls 105350->105353 105352 a47cab 59 API calls 105351->105352 105354 aa41a1 105352->105354 105355 aa41af 105353->105355 105357 a47b2e 59 API calls 105354->105357 105356 aa41cd 105355->105356 105359 a47cab 59 API calls 105355->105359 105358 a47b2e 59 API calls 105356->105358 105357->105356 105358->105313 105359->105354 105361 aa9162 __write_nolock 105360->105361 105362 a60db6 Mailbox 59 API calls 105361->105362 105363 aa91bf 105362->105363 105364 a4522e 59 API calls 105363->105364 105365 aa91c9 105364->105365 105790 aa8f5f 105365->105790 105367 aa91d4 105368 a44ee5 85 API calls 105367->105368 105369 aa91e7 _wcscmp 105368->105369 105370 aa920b 105369->105370 105371 aa92b8 105369->105371 105823 aa9734 96 API calls 2 library calls 105370->105823 105826 aa9734 96 API calls 2 library calls 105371->105826 105374 aa9210 105378 aa92c1 105374->105378 105824 a640fb 58 API calls __wsplitpath_helper 105374->105824 105375 aa9284 _wcscat 105377 a44f0b 74 API calls 105375->105377 105375->105378 105379 aa92dd 105377->105379 105378->105115 105380 a44f0b 74 API calls 105379->105380 105382 aa92ed 105380->105382 105381 aa9239 _wcscat _wcscpy 105825 a640fb 58 API calls __wsplitpath_helper 105381->105825 105383 a44f0b 74 API calls 105382->105383 105385 aa9308 105383->105385 105386 a44f0b 74 API calls 105385->105386 105387 aa9318 105386->105387 105388 a44f0b 74 API calls 105387->105388 105389 aa9333 105388->105389 105390 a44f0b 74 API calls 105389->105390 105391 aa9343 105390->105391 105392 a44f0b 74 API calls 105391->105392 105393 aa9353 
105392->105393 105394 a44f0b 74 API calls 105393->105394 105395 aa9363 105394->105395 105793 aa98e3 GetTempPathW GetTempFileNameW 105395->105793 105397 aa936f 105398 a6525b 115 API calls 105397->105398 105409 aa9380 105398->105409 105399 aa943a 105807 a653a6 105399->105807 105401 aa9445 105403 aa944b DeleteFileW 105401->105403 105404 aa945f 105401->105404 105402 a44f0b 74 API calls 105402->105409 105403->105378 105405 aa9505 CopyFileW 105404->105405 105410 aa9469 _wcsncpy 105404->105410 105406 aa951b DeleteFileW 105405->105406 105407 aa952d DeleteFileW 105405->105407 105406->105378 105409->105378 105409->105399 105409->105402 105794 a64863 105409->105794 105827 aa8b06 105410->105827 105415->105041 105417 a47cbf 105416->105417 105418 a7ed4a 105416->105418 106157 a47c50 105417->106157 105420 a48029 59 API calls 105418->105420 105422 a7ed55 __wsetenvp _memmove 105420->105422 105421 a47cca 105421->105076 105423->105077 105424->105090 105426 a47c45 105425->105426 105428 a47bd8 __wsetenvp 105425->105428 105427 a47d2c 59 API calls 105426->105427 105433 a47bf6 _memmove 105427->105433 105429 a47c13 105428->105429 105430 a47bee 105428->105430 105432 a48029 59 API calls 105429->105432 106162 a47f27 59 API calls Mailbox 105430->106162 105432->105433 105433->105099 105481 a44c03 105434->105481 105437 a44c03 2 API calls 105440 a44bdc 105437->105440 105438 a44bf5 105441 a6525b 105438->105441 105439 a44bec FreeLibrary 105439->105438 105440->105438 105440->105439 105485 a65270 105441->105485 105443 a44dfc 105443->105224 105443->105225 105566 a44c36 105444->105566 105447 a44b8f 105448 a44ba1 FreeLibrary 105447->105448 105449 a44baa 105447->105449 105448->105449 105451 a44c70 105449->105451 105450 a44c36 2 API calls 105450->105447 105452 a60db6 Mailbox 59 API calls 105451->105452 105453 a44c85 105452->105453 105570 a4522e 105453->105570 105455 a44c91 _memmove 105456 a44ccc 105455->105456 105457 a44dc1 105455->105457 105458 a44d89 105455->105458 105459 a44ec7 69 API calls 
105456->105459 105584 aa991b 95 API calls 105457->105584 105573 a44e89 CreateStreamOnHGlobal 105458->105573 105467 a44cd5 105459->105467 105462 a44f0b 74 API calls 105462->105467 105464 a44d69 105464->105233 105465 a7d8a7 105466 a44ee5 85 API calls 105465->105466 105468 a7d8bb 105466->105468 105467->105462 105467->105464 105467->105465 105579 a44ee5 105467->105579 105469 a44f0b 74 API calls 105468->105469 105469->105464 105471 a44f1d 105470->105471 105472 a7d9cd 105470->105472 105608 a655e2 105471->105608 105475 aa9109 GetSystemTimeAsFileTime 105475->105240 105477 a44ed6 105476->105477 105478 a7d990 105476->105478 105740 a65c60 105477->105740 105480 a44ede 105482 a44bd0 105481->105482 105483 a44c0c LoadLibraryA 105481->105483 105482->105437 105482->105440 105483->105482 105484 a44c1d GetProcAddress 105483->105484 105484->105482 105488 a6527c __read 105485->105488 105486 a6528f 105534 a68b28 58 API calls __getptd_noexit 105486->105534 105488->105486 105490 a652c0 105488->105490 105489 a65294 105535 a68db6 9 API calls __read 105489->105535 105504 a704e8 105490->105504 105493 a652c5 105494 a652ce 105493->105494 105495 a652db 105493->105495 105536 a68b28 58 API calls __getptd_noexit 105494->105536 105497 a65305 105495->105497 105498 a652e5 105495->105498 105519 a70607 105497->105519 105537 a68b28 58 API calls __getptd_noexit 105498->105537 105503 a6529f @_EH4_CallFilterFunc@8 __read 105503->105443 105505 a704f4 __read 105504->105505 105506 a69c0b __lock 58 API calls 105505->105506 105507 a70502 105506->105507 105508 a7057d 105507->105508 105514 a69c93 __mtinitlocknum 58 API calls 105507->105514 105517 a70576 105507->105517 105542 a66c50 59 API calls __lock 105507->105542 105543 a66cba LeaveCriticalSection LeaveCriticalSection _doexit 105507->105543 105544 a6881d 58 API calls 2 library calls 105508->105544 105511 a70584 105511->105517 105545 a69e2b InitializeCriticalSectionAndSpinCount 105511->105545 105512 a705f3 __read 105512->105493 105514->105507 105516 a705aa 
EnterCriticalSection 105516->105517 105539 a705fe 105517->105539 105528 a70627 __wopenfile 105519->105528 105520 a70641 105550 a68b28 58 API calls __getptd_noexit 105520->105550 105521 a707fc 105521->105520 105525 a7085f 105521->105525 105523 a70646 105551 a68db6 9 API calls __read 105523->105551 105547 a785a1 105525->105547 105526 a65310 105538 a65332 LeaveCriticalSection LeaveCriticalSection _fseek 105526->105538 105528->105520 105528->105521 105552 a637cb 60 API calls 2 library calls 105528->105552 105530 a707f5 105530->105521 105553 a637cb 60 API calls 2 library calls 105530->105553 105532 a70814 105532->105521 105554 a637cb 60 API calls 2 library calls 105532->105554 105534->105489 105535->105503 105536->105503 105537->105503 105538->105503 105546 a69d75 LeaveCriticalSection 105539->105546 105541 a70605 105541->105512 105542->105507 105543->105507 105544->105511 105545->105516 105546->105541 105555 a77d85 105547->105555 105549 a785ba 105549->105526 105550->105523 105551->105526 105552->105530 105553->105532 105554->105521 105556 a77d91 __read 105555->105556 105557 a77da7 105556->105557 105560 a77ddd 105556->105560 105558 a68b28 __read 58 API calls 105557->105558 105559 a77dac 105558->105559 105561 a68db6 __read 9 API calls 105559->105561 105562 a77e4e __wsopen_nolock 109 API calls 105560->105562 105565 a77db6 __read 105561->105565 105563 a77df9 105562->105563 105564 a77e22 __wsopen_helper LeaveCriticalSection 105563->105564 105564->105565 105565->105549 105567 a44b83 105566->105567 105568 a44c3f LoadLibraryA 105566->105568 105567->105447 105567->105450 105568->105567 105569 a44c50 GetProcAddress 105568->105569 105569->105567 105571 a60db6 Mailbox 59 API calls 105570->105571 105572 a45240 105571->105572 105572->105455 105574 a44ea3 FindResourceExW 105573->105574 105578 a44ec0 105573->105578 105575 a7d933 LoadResource 105574->105575 105574->105578 105576 a7d948 SizeofResource 105575->105576 105575->105578 105577 a7d95c LockResource 105576->105577 105576->105578 
105577->105578 105578->105456 105580 a44ef4 105579->105580 105581 a7d9ab 105579->105581 105585 a6584d 105580->105585 105583 a44f02 105583->105467 105584->105456 105587 a65859 __read 105585->105587 105586 a6586b 105598 a68b28 58 API calls __getptd_noexit 105586->105598 105587->105586 105588 a65891 105587->105588 105600 a66c11 105588->105600 105590 a65870 105599 a68db6 9 API calls __read 105590->105599 105595 a658a6 105607 a658c8 LeaveCriticalSection LeaveCriticalSection _fseek 105595->105607 105597 a6587b __read 105597->105583 105598->105590 105599->105597 105601 a66c43 EnterCriticalSection 105600->105601 105602 a66c21 105600->105602 105604 a65897 105601->105604 105602->105601 105603 a66c29 105602->105603 105605 a69c0b __lock 58 API calls 105603->105605 105606 a657be 83 API calls 5 library calls 105604->105606 105605->105604 105606->105595 105607->105597 105611 a655fd 105608->105611 105610 a44f2e 105610->105475 105612 a65609 __read 105611->105612 105613 a6561f _memset 105612->105613 105614 a6564c 105612->105614 105615 a65644 __read 105612->105615 105638 a68b28 58 API calls __getptd_noexit 105613->105638 105616 a66c11 __lock_file 59 API calls 105614->105616 105615->105610 105618 a65652 105616->105618 105624 a6541d 105618->105624 105619 a65639 105639 a68db6 9 API calls __read 105619->105639 105625 a65453 105624->105625 105629 a65438 _memset 105624->105629 105640 a65686 LeaveCriticalSection LeaveCriticalSection _fseek 105625->105640 105626 a65443 105736 a68b28 58 API calls __getptd_noexit 105626->105736 105628 a65448 105737 a68db6 9 API calls __read 105628->105737 105629->105625 105629->105626 105636 a65493 105629->105636 105632 a655a4 _memset 105739 a68b28 58 API calls __getptd_noexit 105632->105739 105636->105625 105636->105632 105641 a646e6 105636->105641 105648 a70e5b 105636->105648 105716 a70ba7 105636->105716 105738 a70cc8 58 API calls 3 library calls 105636->105738 105638->105619 105639->105615 105640->105615 105642 a64705 105641->105642 105643 a646f0 
105641->105643 105642->105636 105644 a68b28 __read 58 API calls 105643->105644 105645 a646f5 105644->105645 105646 a68db6 __read 9 API calls 105645->105646 105647 a64700 105646->105647 105647->105636 105649 a70e93 105648->105649 105650 a70e7c 105648->105650 105652 a715cb 105649->105652 105655 a70ecd 105649->105655 105651 a68af4 __read 58 API calls 105650->105651 105654 a70e81 105651->105654 105653 a68af4 __read 58 API calls 105652->105653 105656 a715d0 105653->105656 105657 a68b28 __read 58 API calls 105654->105657 105658 a70ed5 105655->105658 105665 a70eec 105655->105665 105659 a68b28 __read 58 API calls 105656->105659 105696 a70e88 105657->105696 105660 a68af4 __read 58 API calls 105658->105660 105661 a70ee1 105659->105661 105662 a70eda 105660->105662 105663 a68db6 __read 9 API calls 105661->105663 105666 a68b28 __read 58 API calls 105662->105666 105663->105696 105664 a70f01 105667 a68af4 __read 58 API calls 105664->105667 105665->105664 105668 a70f1b 105665->105668 105669 a70f39 105665->105669 105665->105696 105666->105661 105667->105662 105668->105664 105671 a70f26 105668->105671 105670 a6881d __malloc_crt 58 API calls 105669->105670 105672 a70f49 105670->105672 105673 a75c6b __flsbuf 58 API calls 105671->105673 105674 a70f51 105672->105674 105675 a70f6c 105672->105675 105676 a7103a 105673->105676 105677 a68b28 __read 58 API calls 105674->105677 105679 a718c1 __lseeki64_nolock 60 API calls 105675->105679 105678 a710b3 ReadFile 105676->105678 105683 a71050 GetConsoleMode 105676->105683 105680 a70f56 105677->105680 105681 a710d5 105678->105681 105682 a71593 GetLastError 105678->105682 105679->105671 105684 a68af4 __read 58 API calls 105680->105684 105681->105682 105690 a710a5 105681->105690 105685 a71093 105682->105685 105686 a715a0 105682->105686 105687 a71064 105683->105687 105688 a710b0 105683->105688 105684->105696 105693 a68b07 __dosmaperr 58 API calls 105685->105693 105698 a71099 105685->105698 105691 a68b28 __read 58 API calls 105686->105691 105687->105688 
105689 a7106a ReadConsoleW 105687->105689 105688->105678 105689->105690 105692 a7108d GetLastError 105689->105692 105690->105698 105699 a7110a 105690->105699 105702 a71377 105690->105702 105694 a715a5 105691->105694 105692->105685 105693->105698 105695 a68af4 __read 58 API calls 105694->105695 105695->105698 105696->105636 105697 a62d55 _free 58 API calls 105697->105696 105698->105696 105698->105697 105701 a71176 ReadFile 105699->105701 105708 a711f7 105699->105708 105704 a71197 GetLastError 105701->105704 105714 a711a1 105701->105714 105702->105698 105703 a7147d ReadFile 105702->105703 105707 a714a0 GetLastError 105703->105707 105715 a714ae 105703->105715 105704->105714 105705 a712b4 105710 a718c1 __lseeki64_nolock 60 API calls 105705->105710 105712 a71264 MultiByteToWideChar 105705->105712 105706 a712a4 105709 a68b28 __read 58 API calls 105706->105709 105707->105715 105708->105698 105708->105705 105708->105706 105708->105712 105709->105698 105710->105712 105711 a718c1 __lseeki64_nolock 60 API calls 105711->105714 105712->105692 105712->105698 105713 a718c1 __lseeki64_nolock 60 API calls 105713->105715 105714->105699 105714->105711 105715->105702 105715->105713 105717 a70bb2 105716->105717 105721 a70bc7 105716->105721 105718 a68b28 __read 58 API calls 105717->105718 105719 a70bb7 105718->105719 105720 a68db6 __read 9 API calls 105719->105720 105730 a70bc2 105720->105730 105722 a75fe4 __getbuf 58 API calls 105721->105722 105723 a70bfc 105721->105723 105721->105730 105722->105723 105724 a646e6 __fseek_nolock 58 API calls 105723->105724 105725 a70c10 105724->105725 105726 a70d47 __read 72 API calls 105725->105726 105727 a70c17 105726->105727 105728 a646e6 __fseek_nolock 58 API calls 105727->105728 105727->105730 105729 a70c3a 105728->105729 105729->105730 105731 a646e6 __fseek_nolock 58 API calls 105729->105731 105730->105636 105732 a70c46 105731->105732 105732->105730 105733 a646e6 __fseek_nolock 58 API calls 105732->105733 105734 a70c53 105733->105734 105735 a646e6 
__fseek_nolock 58 API calls 105734->105735 105735->105730 105736->105628 105737->105625 105738->105636 105739->105628 105741 a65c6c __read 105740->105741 105742 a65c93 105741->105742 105743 a65c7e 105741->105743 105745 a66c11 __lock_file 59 API calls 105742->105745 105754 a68b28 58 API calls __getptd_noexit 105743->105754 105747 a65c99 105745->105747 105746 a65c83 105755 a68db6 9 API calls __read 105746->105755 105756 a658d0 67 API calls 6 library calls 105747->105756 105750 a65ca4 105757 a65cc4 LeaveCriticalSection LeaveCriticalSection _fseek 105750->105757 105752 a65cb6 105753 a65c8e __read 105752->105753 105753->105480 105754->105746 105755->105753 105756->105750 105757->105752 105759 a478b7 105758->105759 105760 a4785a 105758->105760 105761 a47d2c 59 API calls 105759->105761 105760->105759 105762 a47865 105760->105762 105768 a47888 _memmove 105761->105768 105763 a47880 105762->105763 105764 a7eb09 105762->105764 105780 a47f27 59 API calls Mailbox 105763->105780 105766 a48029 59 API calls 105764->105766 105767 a7eb13 105766->105767 105769 a60db6 Mailbox 59 API calls 105767->105769 105768->105267 105770 a7eb33 105769->105770 105772 a47d3a 105771->105772 105774 a47d43 _memmove 105771->105774 105773 a47e4f 59 API calls 105772->105773 105772->105774 105773->105774 105774->105260 105776 a47da6 105775->105776 105778 a47d99 105775->105778 105777 a60db6 Mailbox 59 API calls 105776->105777 105777->105778 105778->105261 105779->105289 105780->105768 105782 a47a5f 105781->105782 105783 a47a85 _memmove 105781->105783 105782->105783 105784 a60db6 Mailbox 59 API calls 105782->105784 105783->105302 105785 a47ad4 105784->105785 105786 a60db6 Mailbox 59 API calls 105785->105786 105786->105783 105787->105303 105788->105345 105789->105347 105858 a6520a GetSystemTimeAsFileTime 105790->105858 105792 aa8f6e 105792->105367 105793->105397 105795 a6486f __read 105794->105795 105796 a648a5 105795->105796 105797 a6488d 105795->105797 105799 a6489d __read 105795->105799 105800 a66c11 
__lock_file 59 API calls 105796->105800 105872 a68b28 58 API calls __getptd_noexit 105797->105872 105799->105409 105802 a648ab 105800->105802 105801 a64892 105873 a68db6 9 API calls __read 105801->105873 105860 a6470a 105802->105860 105808 a653b2 __read 105807->105808 105809 a653c6 105808->105809 105810 a653de 105808->105810 106042 a68b28 58 API calls __getptd_noexit 105809->106042 105812 a66c11 __lock_file 59 API calls 105810->105812 105816 a653d6 __read 105810->105816 105815 a653f0 105812->105815 105813 a653cb 106043 a68db6 9 API calls __read 105813->106043 106026 a6533a 105815->106026 105816->105401 105823->105374 105824->105381 105825->105375 105826->105375 105859 a65238 __aulldiv 105858->105859 105859->105792 105861 a64719 105860->105861 105866 a64737 105860->105866 105862 a64727 105861->105862 105861->105866 105870 a64751 _memmove 105861->105870 105903 a68b28 58 API calls __getptd_noexit 105862->105903 105874 a648dd LeaveCriticalSection LeaveCriticalSection _fseek 105866->105874 105869 a646e6 __fseek_nolock 58 API calls 105869->105870 105870->105866 105870->105869 105875 a6d886 105870->105875 105905 a64a3d 105870->105905 105911 a6ae1e 78 API calls 6 library calls 105870->105911 105872->105801 105873->105799 105874->105799 105911->105870 106027 a6535d 106026->106027 106028 a65349 106026->106028 106030 a65359 106027->106030 106032 a64a3d __flush 78 API calls 106027->106032 106075 a68b28 58 API calls __getptd_noexit 106028->106075 106042->105813 106043->105816 106158 a47c5f __wsetenvp 106157->106158 106159 a48029 59 API calls 106158->106159 106160 a47c70 _memmove 106158->106160 106161 a7ed07 _memmove 106159->106161 106160->105421 106162->105433 106164 a49837 84 API calls 106163->106164 106165 abcb1a 106164->106165 106184 abcb61 Mailbox 106165->106184 106201 abd7a5 106165->106201 106167 abcdb9 106168 abcf2e 106167->106168 106172 abcdc7 106167->106172 106251 abd8c8 92 API calls Mailbox 106168->106251 106171 abcf3d 106171->106172 106174 abcf49 106171->106174 106214 
abc96e 106172->106214 106173 a49837 84 API calls 106191 abcbb2 Mailbox 106173->106191 106174->106184 106179 abce00 106229 a60c08 106179->106229 106182 abce1a 106235 aa9e4a 89 API calls 4 library calls 106182->106235 106183 abce33 106236 a492ce 106183->106236 106184->105118 106187 abce25 GetCurrentProcess TerminateProcess 106187->106183 106191->106167 106191->106173 106191->106184 106233 abfbce 59 API calls 2 library calls 106191->106233 106234 abcfdf 61 API calls 2 library calls 106191->106234 106193 abcfa4 106193->106184 106197 abcfb8 FreeLibrary 106193->106197 106194 abce6b 106248 abd649 107 API calls _free 106194->106248 106197->106184 106199 abce7c 106199->106193 106249 a48d40 59 API calls Mailbox 106199->106249 106250 a49d3c 60 API calls Mailbox 106199->106250 106252 abd649 107 API calls _free 106199->106252 106202 a47e4f 59 API calls 106201->106202 106203 abd7c0 CharLowerBuffW 106202->106203 106253 a9f167 106203->106253 106207 a47667 59 API calls 106208 abd7f9 106207->106208 106209 a4784b 59 API calls 106208->106209 106211 abd810 106209->106211 106210 abd858 Mailbox 106210->106191 106212 a47d2c 59 API calls 106211->106212 106213 abd81c Mailbox 106212->106213 106213->106210 106260 abcfdf 61 API calls 2 library calls 106213->106260 106215 abc989 106214->106215 106219 abc9de 106214->106219 106216 a60db6 Mailbox 59 API calls 106215->106216 106217 abc9ab 106216->106217 106218 a60db6 Mailbox 59 API calls 106217->106218 106217->106219 106218->106217 106220 abda50 106219->106220 106221 abdc79 Mailbox 106220->106221 106228 abda73 _strcat _wcscpy __wsetenvp 106220->106228 106221->106179 106222 a49be6 59 API calls 106222->106228 106223 a49b3c 59 API calls 106223->106228 106224 a49b98 59 API calls 106224->106228 106225 a49837 84 API calls 106225->106228 106226 a6571c 58 API calls __crtLCMapStringA_stat 106226->106228 106228->106221 106228->106222 106228->106223 106228->106224 106228->106225 106228->106226 106263 aa5887 61 API calls 2 library calls 106228->106263 106230 
a60c1d 106229->106230 106231 a60cb5 VirtualProtect 106230->106231 106232 a60c83 106230->106232 106231->106232 106232->106182 106232->106183 106233->106191 106234->106191 106235->106187 106237 a492d6 106236->106237 106238 a60db6 Mailbox 59 API calls 106237->106238 106239 a492e4 106238->106239 106240 a492f0 106239->106240 106264 a491fc 59 API calls Mailbox 106239->106264 106242 a49050 106240->106242 106265 a49160 106242->106265 106244 a4905f 106245 a60db6 Mailbox 59 API calls 106244->106245 106246 a490fb 106244->106246 106245->106246 106246->106199 106247 a48d40 59 API calls Mailbox 106246->106247 106247->106194 106248->106199 106249->106199 106250->106199 106251->106171 106252->106199 106254 a9f192 __wsetenvp 106253->106254 106255 a9f1d1 106254->106255 106258 a9f1c7 106254->106258 106259 a9f278 106254->106259 106255->106207 106255->106213 106258->106255 106261 a478c4 61 API calls 106258->106261 106259->106255 106262 a478c4 61 API calls 106259->106262 106260->106210 106261->106258 106262->106259 106263->106228 106264->106240 106266 a49169 Mailbox 106265->106266 106267 a7f19f 106266->106267 106272 a49173 106266->106272 106268 a60db6 Mailbox 59 API calls 106267->106268 106270 a7f1ab 106268->106270 106269 a4917a 106269->106244 106272->106269 106273 a49c90 59 API calls Mailbox 106272->106273 106273->106272 106275 aa3c3e 106274->106275 106276 aa4475 FindFirstFileW 106274->106276 106275->104879 106276->106275 106277 aa448a FindClose 106276->106277 106277->106275 106278->105163 106279->105135 106280->105148 106281->105147 106282->105152 106283->105161 106284->105164 106285->105168 106286->104905 106287->104903 106289 a4b91a 106288->106289 106292 a4bac7 106288->106292 106290 a4bf81 106289->106290 106289->106292 106293 a4b9fc 106289->106293 106294 a4baab 106289->106294 106290->106294 106313 a494dc 59 API calls __gmtime64_s 106290->106313 106292->106290 106292->106294 106295 a4bb46 106292->106295 106296 a4ba8b Mailbox 106292->106296 106293->106294 106293->106295 106299 a4ba38 
106293->106299 106294->104790 106294->106294 106295->106294 106295->106296 106298 a81361 106295->106298 106310 a96e8f 59 API calls 106295->106310 106296->104790 106296->106294 106296->106298 106312 a48cd4 59 API calls Mailbox 106296->106312 106298->106294 106311 a63d46 59 API calls __wtof_l 106298->106311 106299->106294 106299->106296 106303 a811b4 106299->106303 106303->106294 106309 a63d46 59 API calls __wtof_l 106303->106309 106304->104790 106305->104793 106306->104792 106307->104783 106308->104792 106309->106303 106310->106296 106311->106294 106312->106296 106313->106294 106314->104818 106315->104824 106316 a67c56 106317 a67c62 __read 106316->106317 106353 a69e08 GetStartupInfoW 106317->106353 106319 a67c67 106355 a68b7c GetProcessHeap 106319->106355 106321 a67cbf 106322 a67cca 106321->106322 106438 a67da6 58 API calls 3 library calls 106321->106438 106356 a69ae6 106322->106356 106325 a67cd0 106327 a67cdb __RTC_Initialize 106325->106327 106439 a67da6 58 API calls 3 library calls 106325->106439 106377 a6d5d2 106327->106377 106329 a67cea 106330 a67cf6 GetCommandLineW 106329->106330 106440 a67da6 58 API calls 3 library calls 106329->106440 106396 a74f23 GetEnvironmentStringsW 106330->106396 106333 a67cf5 106333->106330 106336 a67d10 106337 a67d1b 106336->106337 106441 a630b5 58 API calls 3 library calls 106336->106441 106406 a74d58 106337->106406 106340 a67d21 106341 a67d2c 106340->106341 106442 a630b5 58 API calls 3 library calls 106340->106442 106420 a630ef 106341->106420 106344 a67d34 106345 a67d3f __wwincmdln 106344->106345 106443 a630b5 58 API calls 3 library calls 106344->106443 106426 a447d0 106345->106426 106348 a67d53 106349 a67d62 106348->106349 106444 a63358 58 API calls _doexit 106348->106444 106445 a630e0 58 API calls _doexit 106349->106445 106352 a67d67 __read 106354 a69e1e 106353->106354 106354->106319 106355->106321 106446 a63187 36 API calls 2 library calls 106356->106446 106358 a69aeb 106447 a69d3c InitializeCriticalSectionAndSpinCount 
___lock_fhandle 106358->106447 106360 a69af0 106361 a69af4 106360->106361 106449 a69d8a TlsAlloc 106360->106449 106448 a69b5c 61 API calls 2 library calls 106361->106448 106364 a69af9 106364->106325 106365 a69b06 106365->106361 106366 a69b11 106365->106366 106450 a687d5 106366->106450 106369 a69b53 106458 a69b5c 61 API calls 2 library calls 106369->106458 106372 a69b58 106372->106325 106373 a69b32 106373->106369 106374 a69b38 106373->106374 106457 a69a33 58 API calls 4 library calls 106374->106457 106376 a69b40 GetCurrentThreadId 106376->106325 106378 a6d5de __read 106377->106378 106379 a69c0b __lock 58 API calls 106378->106379 106380 a6d5e5 106379->106380 106381 a687d5 __calloc_crt 58 API calls 106380->106381 106382 a6d5f6 106381->106382 106383 a6d661 GetStartupInfoW 106382->106383 106384 a6d601 @_EH4_CallFilterFunc@8 __read 106382->106384 106390 a6d676 106383->106390 106391 a6d7a5 106383->106391 106384->106329 106385 a6d86d 106472 a6d87d LeaveCriticalSection _doexit 106385->106472 106387 a687d5 __calloc_crt 58 API calls 106387->106390 106388 a6d7f2 GetStdHandle 106388->106391 106389 a6d805 GetFileType 106389->106391 106390->106387 106390->106391 106392 a6d6c4 106390->106392 106391->106385 106391->106388 106391->106389 106471 a69e2b InitializeCriticalSectionAndSpinCount 106391->106471 106392->106391 106393 a6d6f8 GetFileType 106392->106393 106470 a69e2b InitializeCriticalSectionAndSpinCount 106392->106470 106393->106392 106397 a74f34 106396->106397 106398 a67d06 106396->106398 106473 a6881d 58 API calls 2 library calls 106397->106473 106402 a74b1b GetModuleFileNameW 106398->106402 106400 a74f5a _memmove 106401 a74f70 FreeEnvironmentStringsW 106400->106401 106401->106398 106403 a74b4f _wparse_cmdline 106402->106403 106405 a74b8f _wparse_cmdline 106403->106405 106474 a6881d 58 API calls 2 library calls 106403->106474 106405->106336 106407 a74d71 __wsetenvp 106406->106407 106411 a74d69 106406->106411 106408 a687d5 __calloc_crt 58 API calls 106407->106408 106416 

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A43B68
                                            • IsDebuggerPresent.KERNEL32 ref: 00A43B7A
                                            • GetFullPathNameW.KERNEL32(00007FFF,?,?,00B052F8,00B052E0,?,?), ref: 00A43BEB
                                              • Part of subcall function 00A47BCC: _memmove.LIBCMT ref: 00A47C06
                                              • Part of subcall function 00A5092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A43C14,00B052F8,?,?,?), ref: 00A5096E
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00A43C6F
                                            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00AF7770,00000010), ref: 00A7D281
                                            • SetCurrentDirectoryW.KERNEL32(?,00B052F8,?,?,?), ref: 00A7D2B9
                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00AF4260,00B052F8,?,?,?), ref: 00A7D33F
                                            • ShellExecuteW.SHELL32(00000000,?,?), ref: 00A7D346
                                              • Part of subcall function 00A43A46: GetSysColorBrush.USER32(0000000F), ref: 00A43A50
                                              • Part of subcall function 00A43A46: LoadCursorW.USER32(00000000,00007F00), ref: 00A43A5F
                                              • Part of subcall function 00A43A46: LoadIconW.USER32(00000063), ref: 00A43A76
                                              • Part of subcall function 00A43A46: LoadIconW.USER32(000000A4), ref: 00A43A88
                                              • Part of subcall function 00A43A46: LoadIconW.USER32(000000A2), ref: 00A43A9A
                                              • Part of subcall function 00A43A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A43AC0
                                              • Part of subcall function 00A43A46: RegisterClassExW.USER32(?), ref: 00A43B16
                                              • Part of subcall function 00A439D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A43A03
                                              • Part of subcall function 00A439D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A43A24
                                              • Part of subcall function 00A439D5: ShowWindow.USER32(00000000,?,?), ref: 00A43A38
                                              • Part of subcall function 00A439D5: ShowWindow.USER32(00000000,?,?), ref: 00A43A41
                                              • Part of subcall function 00A4434A: _memset.LIBCMT ref: 00A44370
                                              • Part of subcall function 00A4434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A44415
                                            Strings
                                            • runas, xrefs: 00A7D33A
                                            • This is a third-party compiled AutoIt script., xrefs: 00A7D279
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                            • String ID: This is a third-party compiled AutoIt script.$runas
                                            • API String ID: 529118366-3287110873
                                            • Opcode ID: 1f6c42b20de23e70159d6f24d5116f94db8d7f4ad7c7760b6fcbac74a4e7de52
                                            • Instruction ID: c317986e9e91bf9fccfda2d30a46608d1b4361bc4a142811121132d06940c393
                                            • Opcode Fuzzy Hash: 1f6c42b20de23e70159d6f24d5116f94db8d7f4ad7c7760b6fcbac74a4e7de52
                                            • Instruction Fuzzy Hash: 3651B376D08248AEDF11EBF4DD45EEE7B79AF95700B008065F412A71A2DBB0564ACF21

                                             Control-flow Graph (rendered graph image not captured in this extraction)
                                            APIs
                                            • GetVersionExW.KERNEL32(?), ref: 00A449CD
                                              • Part of subcall function 00A47BCC: _memmove.LIBCMT ref: 00A47C06
                                            • GetCurrentProcess.KERNEL32(?,00ACFAEC,00000000,00000000,?), ref: 00A44A9A
                                            • IsWow64Process.KERNEL32(00000000), ref: 00A44AA1
                                            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00A44AE7
                                            • FreeLibrary.KERNEL32(00000000), ref: 00A44AF2
                                            • GetSystemInfo.KERNEL32(00000000), ref: 00A44B23
                                            • GetSystemInfo.KERNEL32(00000000), ref: 00A44B2F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                            • String ID:
                                            • API String ID: 1986165174-0
                                            • Opcode ID: d78fb613376a3a52b4518347fa77204154065ab196b12505445044ecff7ec0d0
                                            • Instruction ID: d7e1eda82227bd19883a2e4f934cf33cd94189a2a54efa517e5a3c89ba101794
                                            • Opcode Fuzzy Hash: d78fb613376a3a52b4518347fa77204154065ab196b12505445044ecff7ec0d0
                                            • Instruction Fuzzy Hash: 5891B6359897C0DEC731DB7889506AAFFF5AF6D300B488D6DD0CB93A41D620A508C75A

                                             Control-flow Graph (rendered graph image not captured in this extraction)
                                            APIs
                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A44D8E,?,?,00000000,00000000), ref: 00A44E99
                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A44D8E,?,?,00000000,00000000), ref: 00A44EB0
                                            • LoadResource.KERNEL32(?,00000000,?,?,00A44D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A44E2F), ref: 00A7D937
                                            • SizeofResource.KERNEL32(?,00000000,?,?,00A44D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A44E2F), ref: 00A7D94C
                                            • LockResource.KERNEL32(00A44D8E,?,?,00A44D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A44E2F,00000000), ref: 00A7D95F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                            • String ID: SCRIPT
                                            • API String ID: 3051347437-3967369404
                                            • Opcode ID: 8d2d9761cd004d99b09a107b6edc78f891798424e637732d92be1ebfba1ee730
                                            • Instruction ID: 968b5df95137f50408e3b100fb38484b44a05b5252ed472f44467a766ec829b6
                                            • Opcode Fuzzy Hash: 8d2d9761cd004d99b09a107b6edc78f891798424e637732d92be1ebfba1ee730
                                            • Instruction Fuzzy Hash: AA115E75240700BFD7218BA5EC49FA77BBEFBC9B51F11826CF50586250DB71E8018660
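The function above is the stub's script loader: it opens a stream, looks up a resource of type RT_RCDATA (0x0A) named "SCRIPT" with FindResourceExW, then loads, sizes and locks it. The same lookup can be done statically on the file, which is how a triage script confirms "compiled AutoIt" without running the sample. The walker below is an added example written for this report, not Joe Sandbox or AutoIt code; it parses the PE resource directory by hand (no third-party module) and, because no sample bytes are available here, builds a minimal PE32 fixture in-line whose resource name and payload are made up for the test.

```python
"""Find the RT_RCDATA resource named "SCRIPT" that a compiled AutoIt stub loads.

Added example: a dependency-free walk of the PE resource directory that performs
the same lookup as the listed call FindResourceExW(hModule, RT_RCDATA = 0xA,
L"SCRIPT", 0). The PE32 fixture built by build_test_pe() is constructed for this
example; its resource name and payload bytes are not from any real sample.
"""
import struct

RT_RCDATA = 10

def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]

def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]

def _sections(pe):
    """Yield (VirtualAddress, PointerToRawData, SizeOfRawData) per section header."""
    e_lfanew = _u32(pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = _u16(pe, e_lfanew + 6), _u16(pe, e_lfanew + 20)
    first = e_lfanew + 24 + opt_size
    for i in range(nsec):
        s = first + 40 * i
        yield _u32(pe, s + 12), _u32(pe, s + 20), _u32(pe, s + 16)

def _rva_to_off(pe, rva):
    for va, raw, size in _sections(pe):
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by a section" % rva)

def _resource_dir_rva(pe):
    opt = _u32(pe, 0x3C) + 24
    dd = opt + (96 if _u16(pe, opt) == 0x10B else 112)   # data directories: PE32 / PE32+
    return _u32(pe, dd + 2 * 8)                          # IMAGE_DIRECTORY_ENTRY_RESOURCE

def _dir_entries(pe, base, dir_off):
    """Yield (name_or_id, is_subdir, target_off) for one IMAGE_RESOURCE_DIRECTORY."""
    count = _u16(pe, dir_off + 12) + _u16(pe, dir_off + 14)   # named + id entries
    for i in range(count):
        ident, target = _u32(pe, dir_off + 16 + 8 * i), _u32(pe, dir_off + 20 + 8 * i)
        if ident & 0x80000000:               # high bit set: offset to a length-prefixed UTF-16 name
            s = base + (ident & 0x7FFFFFFF)
            ident = pe[s + 2:s + 2 + 2 * _u16(pe, s)].decode("utf-16-le")
        yield ident, bool(target & 0x80000000), base + (target & 0x7FFFFFFF)

def find_rcdata(pe, name):
    """Return the bytes of RT_RCDATA resource `name` (case-insensitive), or None."""
    root_rva = _resource_dir_rva(pe)
    if not root_rva:
        return None
    base = _rva_to_off(pe, root_rva)
    for type_id, t_dir, type_dir in _dir_entries(pe, base, base):
        if type_id != RT_RCDATA or not t_dir:
            continue
        for res_name, n_dir, name_dir in _dir_entries(pe, base, type_dir):
            if not n_dir or not isinstance(res_name, str) or res_name.upper() != name.upper():
                continue
            # Language level: the listing passes language 0, so take the first entry.
            for _lang, l_dir, entry in _dir_entries(pe, base, name_dir):
                if not l_dir:                 # IMAGE_RESOURCE_DATA_ENTRY: RVA, Size, CodePage, Reserved
                    data_rva, size = _u32(pe, entry), _u32(pe, entry + 4)
                    off = _rva_to_off(pe, data_rva)
                    return bytes(pe[off:off + size])
    return None

def build_test_pe(res_name, payload):
    """Constructed fixture: a minimal, non-loadable PE32 with one .rsrc section holding a
    single RT_RCDATA resource `res_name`. Only the fields the walker reads are populated."""
    rsrc_rva, rsrc_raw = 0x1000, 0x200
    def directory(named, ident, target, is_dir):
        hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, int(named), int(not named))
        return hdr + struct.pack("<II", ident, target | (0x80000000 if is_dir else 0))
    name_blob = struct.pack("<H", len(res_name)) + res_name.encode("utf-16-le")
    data_off = (88 + len(name_blob) + 3) & ~3
    rsrc = bytearray()
    rsrc += directory(False, RT_RCDATA, 24, True)        # root:     type 10   -> dir @24
    rsrc += directory(True, 0x80000000 | 88, 48, True)   # type dir: name @88  -> dir @48
    rsrc += directory(False, 0x0409, 72, False)          # name dir: lang 0x409 -> data entry @72
    rsrc += struct.pack("<IIII", rsrc_rva + data_off, len(payload), 0, 0)
    rsrc += name_blob + b"\0" * (data_off - 88 - len(name_blob)) + payload
    rsrc += b"\0" * (-len(rsrc) % 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    datadirs = bytearray(16 * 8)
    struct.pack_into("<II", datadirs, 2 * 8, rsrc_rva, len(rsrc))
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + bytes(datadirs)             # PE32 magic + 16 dirs
    sect = b".rsrc\0\0\0" + struct.pack("<IIIIIIHHI", len(rsrc), rsrc_rva,
                                         len(rsrc), rsrc_raw, 0, 0, 0, 0, 0x40000040)
    hdrs = dos + coff + opt + sect
    return hdrs + b"\0" * (rsrc_raw - len(hdrs)) + bytes(rsrc)
```

Usage on a real file is `find_rcdata(open(path, "rb").read(), "SCRIPT")`; a non-None result is the blob the stub hands to its interpreter and the strongest static confirmation of the "compiled AutoIt script" verdict. Two caveats match the listing: every failed step in the function above (FindResourceExW, LoadResource, SizeofResource, LockResource) falls through to the same exit, so a missing resource is not an error for the stub, and compiled AutoIt binaries that carry the script elsewhere (for example as an appended overlay) are not found by this resource walk.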
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: BuffCharUpper
                                            • String ID:
                                            • API String ID: 3964851224-0
                                            • Opcode ID: 24371198ac3dafceb51736a72de0ad3276cd45433714c01bb7ad0e5011d13a4f
                                            • Instruction ID: d1ccb0ad491e5c7f273ec534329cfdb0328a417c3ee0b634934709a65a6b3744
                                            • Opcode Fuzzy Hash: 24371198ac3dafceb51736a72de0ad3276cd45433714c01bb7ad0e5011d13a4f
                                            • Instruction Fuzzy Hash: 689238746083419FD724DF24C580B2BBBF1BF89304F14896DE89A9B262D775EC49CB92
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,00A7E398), ref: 00AA446A
                                            • FindFirstFileW.KERNELBASE(?,?), ref: 00AA447B
                                            • FindClose.KERNEL32(00000000), ref: 00AA448B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: FileFind$AttributesCloseFirst
                                            • String ID:
                                            • API String ID: 48322524-0
                                            • Opcode ID: 749517414b65507b883173a15d6fa1f245e67197464a26bdd38f20888404fdd7
                                            • Instruction ID: d98309296192427197459c68f7c041bd2a340be251473d9a84285dd64455d5f4
                                            • Opcode Fuzzy Hash: 749517414b65507b883173a15d6fa1f245e67197464a26bdd38f20888404fdd7
                                            • Instruction Fuzzy Hash: 14E0DF328109006B8210AB78EC0D8EA779D9E8E335F204726F835C21E0FBF499009696
                                            Strings
                                            • Variable must be of type 'Object'., xrefs: 00A83E62
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Variable must be of type 'Object'.
                                            • API String ID: 0-109567571
                                            • Opcode ID: 7dd16eb9e8721c807bb004f7af06b57648c58b3724cbb1e04da49a7feef8f0bc
                                            • Instruction ID: 276ec313ddccdf9289daab621d5972569335e84e4e82d3d2005f79910747e4e8
                                            • Opcode Fuzzy Hash: 7dd16eb9e8721c807bb004f7af06b57648c58b3724cbb1e04da49a7feef8f0bc
                                            • Instruction Fuzzy Hash: 2CA28C79A00205CFCF24DF58C480AAEB7B2FF99314F248569E945AB352D775ED82CB90
                                            APIs
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A50A5B
                                            • timeGetTime.WINMM ref: 00A50D16
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A50E53
                                            • Sleep.KERNEL32(0000000A), ref: 00A50E61
                                            • LockWindowUpdate.USER32(00000000,?,?), ref: 00A50EFA
                                            • DestroyWindow.USER32 ref: 00A50F06
                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A50F20
                                            • Sleep.KERNEL32(0000000A,?,?), ref: 00A84E83
                                            • TranslateMessage.USER32(?), ref: 00A85C60
                                            • DispatchMessageW.USER32(?), ref: 00A85C6E
                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A85C82
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                            • API String ID: 4212290369-3242690629
                                            • Opcode ID: af0dfd1e32a047cb9b5477426a85c06659070a8407203057af43ae361eb35db8
                                            • Instruction ID: b06328b170b860cae937f2b37f06c7c2522a740af28999c86118a8581c03ab76
                                            • Opcode Fuzzy Hash: af0dfd1e32a047cb9b5477426a85c06659070a8407203057af43ae361eb35db8
                                            • Instruction Fuzzy Hash: 09B2C170A08741DFD728EF24C985FAAB7F5BF85304F14491DE899972A1DB71E888CB42

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00AA8F5F: __time64.LIBCMT ref: 00AA8F69
                                              • Part of subcall function 00A44EE5: _fseek.LIBCMT ref: 00A44EFD
                                            • __wsplitpath.LIBCMT ref: 00AA9234
                                              • Part of subcall function 00A640FB: __wsplitpath_helper.LIBCMT ref: 00A6413B
                                            • _wcscpy.LIBCMT ref: 00AA9247
                                            • _wcscat.LIBCMT ref: 00AA925A
                                            • __wsplitpath.LIBCMT ref: 00AA927F
                                            • _wcscat.LIBCMT ref: 00AA9295
                                            • _wcscat.LIBCMT ref: 00AA92A8
                                              • Part of subcall function 00AA8FA5: _memmove.LIBCMT ref: 00AA8FDE
                                              • Part of subcall function 00AA8FA5: _memmove.LIBCMT ref: 00AA8FED
                                            • _wcscmp.LIBCMT ref: 00AA91EF
                                              • Part of subcall function 00AA9734: _wcscmp.LIBCMT ref: 00AA9824
                                              • Part of subcall function 00AA9734: _wcscmp.LIBCMT ref: 00AA9837
                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AA9452
                                            • _wcsncpy.LIBCMT ref: 00AA94C5
                                            • DeleteFileW.KERNEL32(?,?), ref: 00AA94FB
                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AA9511
                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AA9522
                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AA9534
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                            • String ID:
                                            • API String ID: 1500180987-0
                                            • Opcode ID: a29ab532c401df2bd0b5bac0b79f8725b96bde7ce8bc99175aff4a46d67e3f90
                                            • Instruction ID: e773bc901ad114e7a7083890c7b7330eec7493e1cf5c18fe8ca49814827ed590
                                            • Opcode Fuzzy Hash: a29ab532c401df2bd0b5bac0b79f8725b96bde7ce8bc99175aff4a46d67e3f90
                                            • Instruction Fuzzy Hash: EEC12CB1D00219AADF11DF95CD85ADFBBBDEF89310F0040AAF609E7191DB309A458F65

                                            Control-flow Graph

                                            APIs
                                            • GetSysColorBrush.USER32(0000000F), ref: 00A43074
                                            • RegisterClassExW.USER32(00000030), ref: 00A4309E
                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A430AF
                                            • InitCommonControlsEx.COMCTL32(?), ref: 00A430CC
                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A430DC
                                            • LoadIconW.USER32(000000A9), ref: 00A430F2
                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A43101
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                            • API String ID: 2914291525-1005189915
                                            • Opcode ID: c48a2b46edbbec8d0db29fd42d139a4555dd055dc6db7145e91e210c4bce63b7
                                            • Instruction ID: 32ad61eb23d3ef8ae1cd0606b5ee830582efc654f80e5bcb6c3341510d2fc0a6
                                            • Opcode Fuzzy Hash: c48a2b46edbbec8d0db29fd42d139a4555dd055dc6db7145e91e210c4bce63b7
                                            • Instruction Fuzzy Hash: 983147B1841348AFDB10CFA4E889BDEBBF5FB18310F15856EE980E62A0E7B54581CF51

                                            Control-flow Graph

                                            APIs
                                            • GetSysColorBrush.USER32(0000000F), ref: 00A43074
                                            • RegisterClassExW.USER32(00000030), ref: 00A4309E
                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A430AF
                                            • InitCommonControlsEx.COMCTL32(?), ref: 00A430CC
                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A430DC
                                            • LoadIconW.USER32(000000A9), ref: 00A430F2
                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A43101
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                            • API String ID: 2914291525-1005189915
                                            • Opcode ID: 4825494bcc211ad02df0911e8a45031f52377daa62c42755e19f120d58931639
                                            • Instruction ID: 84cf31472a3b82e027cd4203deb85f125a1d57ff560fbd72fc9d34de590d7f6f
                                            • Opcode Fuzzy Hash: 4825494bcc211ad02df0911e8a45031f52377daa62c42755e19f120d58931639
                                            • Instruction Fuzzy Hash: E921C5B1901718AFDB10DFE4E849B9EBBF5FB08700F01812AF911A76A0DBB145458F95

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00A44706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B052F8,?,00A437AE,?), ref: 00A44724
                                              • Part of subcall function 00A6050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A47165), ref: 00A6052D
                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A471A8
                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A7E8C8
                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A7E909
                                            • RegCloseKey.ADVAPI32(?), ref: 00A7E947
                                            • _wcscat.LIBCMT ref: 00A7E9A0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                            • API String ID: 2673923337-2727554177
                                            • Opcode ID: 67c892045c5bdaff92f56932285bda2dc39fddeb4850ca95b467c225196e8cd9
                                            • Instruction ID: a9a926e996f89f57d1c6438462cb33df1c03fbe184ca90fca7f07325bbc991b2
                                            • Opcode Fuzzy Hash: 67c892045c5bdaff92f56932285bda2dc39fddeb4850ca95b467c225196e8cd9
                                            • Instruction Fuzzy Hash: EE716C725083019EC704EF69ED819AFBBF8FF98350B40492EF545871A1EF719958CB92

                                            Control-flow Graph

                                            APIs
                                            • GetSysColorBrush.USER32(0000000F), ref: 00A43A50
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00A43A5F
                                            • LoadIconW.USER32(00000063), ref: 00A43A76
                                            • LoadIconW.USER32(000000A4), ref: 00A43A88
                                            • LoadIconW.USER32(000000A2), ref: 00A43A9A
                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A43AC0
                                            • RegisterClassExW.USER32(?), ref: 00A43B16
                                              • Part of subcall function 00A43041: GetSysColorBrush.USER32(0000000F), ref: 00A43074
                                              • Part of subcall function 00A43041: RegisterClassExW.USER32(00000030), ref: 00A4309E
                                              • Part of subcall function 00A43041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A430AF
                                              • Part of subcall function 00A43041: InitCommonControlsEx.COMCTL32(?), ref: 00A430CC
                                              • Part of subcall function 00A43041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A430DC
                                              • Part of subcall function 00A43041: LoadIconW.USER32(000000A9), ref: 00A430F2
                                              • Part of subcall function 00A43041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A43101
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                            • String ID: #$0$AutoIt v3
                                            • API String ID: 423443420-4155596026
                                            • Opcode ID: 6d9de697bbbeb9ae72c0bb52df63259d1271dd0adccde285db148515b651972c
                                            • Instruction ID: 5136fca87527d6e3382cd8d2bbbff9a57e56ad2b5055fe57548f9a59b40b25d7
                                            • Opcode Fuzzy Hash: 6d9de697bbbeb9ae72c0bb52df63259d1271dd0adccde285db148515b651972c
                                            • Instruction Fuzzy Hash: 84213575900308EFEF20DFA4EC09B9E7FB5EB18711F10412AE504AB6A1DBB55A508F94

                                            Control-flow Graph

                                            APIs
                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00A436D2
                                            • KillTimer.USER32(?,00000001), ref: 00A436FC
                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A4371F
                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A4372A
                                            • CreatePopupMenu.USER32 ref: 00A4373E
                                            • PostQuitMessage.USER32(00000000), ref: 00A4374D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                            • String ID: TaskbarCreated
                                            • API String ID: 129472671-2362178303
                                            • Opcode ID: 95d845446d39c7f34e96e07dcd0929edc324072f6a7575c5e33fb3bc1135b9c8
                                            • Instruction ID: bf429dbf2554053daeaaf9be779243e54b25a44e8521d273862474bff3b1b238
                                            • Opcode Fuzzy Hash: 95d845446d39c7f34e96e07dcd0929edc324072f6a7575c5e33fb3bc1135b9c8
                                            • Instruction Fuzzy Hash: AB4137BB200506FBDF249F68DC0DB7B3BA5EF94300F144125FA02972E2DE609E519B61

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                            • API String ID: 1825951767-3513169116
                                            • Opcode ID: b7dade7aab8fefec76dc7a324fe4980948ea07d2d696af43d4f78b8fe580ce34
                                            • Instruction ID: c35a2cbc47dddd35f0dc90c4afc7ecc54fdd9a96fed6ea3cf33923bc7d2a61ed
                                            • Opcode Fuzzy Hash: b7dade7aab8fefec76dc7a324fe4980948ea07d2d696af43d4f78b8fe580ce34
                                            • Instruction Fuzzy Hash: 04A16F7A91021DAACF14EBA4DD56EEFBBB9BF94700F400429F416B7192DF745A08CB60

                                            Control-flow Graph

                                            APIs
                                            • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00D509DD
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357601722.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_d50000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                            • Instruction ID: d6cc1b9adc7618d249c5bae929df4102c5ad46177d10c1e06ca8fabe299c3eb7
                                            • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                            • Instruction Fuzzy Hash: CC510F75A50208FBEF60DFA4CC49FDE7B79AF48701F108554FA49EB180DA749A44DB60

                                            Control-flow Graph

                                            APIs
                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A43A03
                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A43A24
                                            • ShowWindow.USER32(00000000,?,?), ref: 00A43A38
                                            • ShowWindow.USER32(00000000,?,?), ref: 00A43A41
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$CreateShow
                                            • String ID: AutoIt v3$edit
                                            • API String ID: 1584632944-3779509399
                                            • Opcode ID: 077116df53b6130fce80329147ec831647bb6f2c67857dfc9ebe43b774f507ad
                                            • Instruction ID: 5ca7002ae5e0f00acd9970f00344ba288207dca323df49002d52b5b4f88073b8
                                            • Opcode Fuzzy Hash: 077116df53b6130fce80329147ec831647bb6f2c67857dfc9ebe43b774f507ad
                                            • Instruction Fuzzy Hash: 13F03470600294BFEA305B23AC0CF2B2E7EEBD6F50B01406EB904A35B0CA710811CEB0

                                            Control-flow Graph

                                            APIs
                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A7D3D7
                                              • Part of subcall function 00A47BCC: _memmove.LIBCMT ref: 00A47C06
                                            • _memset.LIBCMT ref: 00A440FC
                                            • _wcscpy.LIBCMT ref: 00A44150
                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A44160
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                            • String ID: Line:
                                            • API String ID: 3942752672-1585850449
                                            • Opcode ID: ebf104a6bd84d0e7a79c51d109ba961d36ec2ed9476ac2c91206d3623f075f50
                                            • Instruction ID: e49a6cbac490a13c2ef9c7b241d1d168e4817336e10c7d73b6a72aca414d6be4
                                            • Opcode Fuzzy Hash: ebf104a6bd84d0e7a79c51d109ba961d36ec2ed9476ac2c91206d3623f075f50
                                            • Instruction Fuzzy Hash: 1F319E75008744AFD771EB60DD4AFEF77E8AF94300F20451AF689920A1DF749648CB92

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                            • String ID:
                                            • API String ID: 1559183368-0
                                            • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                            • Instruction ID: 024eeb4e4af4f0e3f89057156c96142c1d6a42c1d0de95309885797107f36384
                                            • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                            • Instruction Fuzzy Hash: C3519170E00B05DBDB249FB9D98866E77B6EF41321F248769F836962D0DB71DE908B40

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00A44DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A44E0F
                                            • _free.LIBCMT ref: 00A7E263
                                            • _free.LIBCMT ref: 00A7E2AA
                                              • Part of subcall function 00A46A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A46BAD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _free$CurrentDirectoryLibraryLoad
                                            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                            • API String ID: 2861923089-1757145024
                                            • Opcode ID: 7ce331b2a776e9db9e782b86756d8e96dc838bb4f666c2dfcfc670d956d6d65e
                                            • Instruction ID: ec5110a26c1414419c2f6feec8e55c0794a133985f7a46e93f6065a2c7fbc785
                                            • Opcode Fuzzy Hash: 7ce331b2a776e9db9e782b86756d8e96dc838bb4f666c2dfcfc670d956d6d65e
                                            • Instruction Fuzzy Hash: D5917075900219EFCF04EFA4CD919EEB7B8FF19310F10856AF815AB2A2DB70A945CB50
                                            APIs
                                              • Part of subcall function 00D52358: Sleep.KERNELBASE(000001F4), ref: 00D52369
                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D525AE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357601722.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_d50000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CreateFileSleep
                                            • String ID: 6SG9588H9A0FYV1EI2D2COE
                                            • API String ID: 2694422964-2310675744
                                            • Opcode ID: 7ffb0b48b6cd419c769aac5f2c62b2afad534bc4c84595f33b5ab8d64de10040
                                            • Instruction ID: 0e1a06a20d5e2ae5b30727e60a8d6a54747751f4899861051f7e2e8b805e0b58
                                            • Opcode Fuzzy Hash: 7ffb0b48b6cd419c769aac5f2c62b2afad534bc4c84595f33b5ab8d64de10040
                                            • Instruction Fuzzy Hash: 1C61A470D04288DBEF11DBA4C8547EEBBB4AF15301F144199EA487B2C1D6BA1B49CB65
                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A435A1,SwapMouseButtons,00000004,?), ref: 00A435D4
                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A435A1,SwapMouseButtons,00000004,?,?,?,?,00A42754), ref: 00A435F5
                                            • RegCloseKey.KERNELBASE(00000000,?,?,00A435A1,SwapMouseButtons,00000004,?,?,?,?,00A42754), ref: 00A43617
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID: Control Panel\Mouse
                                            • API String ID: 3677997916-824357125
                                            • Opcode ID: 79ab1e0bb513b6c25bb6d4b7ef4444fdde58e455caeb8c97e0ec0c28ce7ef587
                                            • Instruction ID: d9e6cde46691b6d32844f2701cb5dd5318b7b45a7870e69bb3c766d1ecd96424
                                            • Opcode Fuzzy Hash: 79ab1e0bb513b6c25bb6d4b7ef4444fdde58e455caeb8c97e0ec0c28ce7ef587
                                            • Instruction Fuzzy Hash: 0911487A510209BFDF20DFA4DC40DAFF7B9EF44740F128469E805D7210E2719E419760
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                            • String ID:
                                            • API String ID: 2782032738-0
                                            • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                            • Instruction ID: 3b3f500920a1901b14743cac343a1fc9cef45010ae9f12f5b8df0e6abd0bd52c
                                            • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                            • Instruction Fuzzy Hash: 3D41C675B00746DFDB18DFA9C9809AE7BB5EF4A360B24853DE815C7680DB70DD408B50
                                            APIs
                                            • _memset.LIBCMT ref: 00A444CF
                                              • Part of subcall function 00A4407C: _memset.LIBCMT ref: 00A440FC
                                              • Part of subcall function 00A4407C: _wcscpy.LIBCMT ref: 00A44150
                                              • Part of subcall function 00A4407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A44160
                                            • KillTimer.USER32(?,00000001,?,?), ref: 00A44524
                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A44533
                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A7D4B9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                            • String ID:
                                            • API String ID: 1378193009-0
                                            • Opcode ID: a1d8177ff6ffbddd20f8cc59822059d3b09f2695c10be4df50ec93825077ed81
                                            • Instruction ID: 1a68fc71fd7f89c8e11921c8ca4a0a331c31eb9d956348365db71a0a8b20fb48
                                            • Opcode Fuzzy Hash: a1d8177ff6ffbddd20f8cc59822059d3b09f2695c10be4df50ec93825077ed81
                                            • Instruction Fuzzy Hash: B921D074904784AFEB32CB24DC45BE7BBFCAF45314F04809DE68E5A181C7746A848B42
                                            APIs
                                            • _memset.LIBCMT ref: 00A7EA39
                                            • GetOpenFileNameW.COMDLG32(?), ref: 00A7EA83
                                              • Part of subcall function 00A44750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A44743,?,?,00A437AE,?), ref: 00A44770
                                              • Part of subcall function 00A60791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A607B0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Name$Path$FileFullLongOpen_memset
                                            • String ID: X
                                            • API String ID: 3777226403-3081909835
                                            • Opcode ID: c3dd74bc2f1eebe3880cdd94c9e5fbc67158d5fcd50aa28d2d43358d101adcce
                                            • Instruction ID: 973b929443996977fd7903d8ed1739dfbf45164ea94ad9c9701110a350c075c5
                                            • Opcode Fuzzy Hash: c3dd74bc2f1eebe3880cdd94c9e5fbc67158d5fcd50aa28d2d43358d101adcce
                                            • Instruction Fuzzy Hash: 5721AE30A002889BCB51DFD4CC45BEE7BF8AF89710F00805AE508AB241DBB859898FA1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: __fread_nolock_memmove
                                            • String ID: EA06
                                            • API String ID: 1988441806-3962188686
                                            • Opcode ID: 96557a6b29330f605a9bbc4ea00c4a32749ea0ed315d20f089d32630f2f83c6b
                                            • Instruction ID: 810f4f44901cf9479369e189ce5282405e900ef46fa8e709e96876ef540d9eec
                                            • Opcode Fuzzy Hash: 96557a6b29330f605a9bbc4ea00c4a32749ea0ed315d20f089d32630f2f83c6b
                                            • Instruction Fuzzy Hash: E401B971D042187EDB18DBA8CC56EFE7BF8DB15311F00459AF552D21C1E979A60487A0
                                            APIs
                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 00D510BD
                                            • ExitProcess.KERNEL32(00000000), ref: 00D510DC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357601722.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_d50000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Process$CreateExit
                                            • String ID: D
                                            • API String ID: 126409537-2746444292
                                            • Opcode ID: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
                                            • Instruction ID: f17ee38a40db747796dba0924c9135bfd678c74e2ab306a1d8efb4945d28c1a8
                                            • Opcode Fuzzy Hash: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
                                            • Instruction Fuzzy Hash: 0DF0EC7554024CABDF60EFE4CC49FEE7778BF04701F548508BF0A9A184DA74964C8B61
                                            APIs
                                            • GetTempPathW.KERNEL32(00000104,?), ref: 00AA98F8
                                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00AA990F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Temp$FileNamePath
                                            • String ID: aut
                                            • API String ID: 3285503233-3010740371
                                            • Opcode ID: 41f57aec96a4c2c4ae0f58d4a7b3d7e3a5436e515da17553387bb2af82d6696e
                                            • Instruction ID: 85713d41d33713c8ac6cff21d3bcb5eb23b072ce46089cd1255ec6be3ece7785
                                            • Opcode Fuzzy Hash: 41f57aec96a4c2c4ae0f58d4a7b3d7e3a5436e515da17553387bb2af82d6696e
                                            • Instruction Fuzzy Hash: 1FD0177A54030DABDA50DBE09C0AFEABB2CA704740F0006A1BA54920A1EAB095998A91
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3e25e8e1d19e4af0b9d83410fb8a238008aa54929693fd57c04350bafca79879
                                            • Instruction ID: 05beacf0b573d86641836dc2f7f81e6537eaaa2963a005fab6232adb23c3d8da
                                            • Opcode Fuzzy Hash: 3e25e8e1d19e4af0b9d83410fb8a238008aa54929693fd57c04350bafca79879
                                            • Instruction Fuzzy Hash: 28F12A756083019FC714DF28C580A6ABBE9FF89324F14896EF8999B252D731E945CF82
                                            APIs
                                              • Part of subcall function 00A60162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A60193
                                              • Part of subcall function 00A60162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A6019B
                                              • Part of subcall function 00A60162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A601A6
                                              • Part of subcall function 00A60162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A601B1
                                              • Part of subcall function 00A60162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A601B9
                                              • Part of subcall function 00A60162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A601C1
                                              • Part of subcall function 00A560F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A4F930), ref: 00A56154
                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A4F9CD
                                            • OleInitialize.OLE32(00000000), ref: 00A4FA4A
                                            • CloseHandle.KERNEL32(00000000), ref: 00A845C8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                            • String ID:
                                            • API String ID: 1986988660-0
                                            • Opcode ID: 8bc0dd7c60c6186ae865f396fc05b60b562ec9c930f88f0c0a3c7323d40e973a
                                            • Instruction ID: aade6c62d29a7c5ab7d5039b48159f5a90c9257af5b6330dffc0c6cd6b301fe1
                                            • Opcode Fuzzy Hash: 8bc0dd7c60c6186ae865f396fc05b60b562ec9c930f88f0c0a3c7323d40e973a
                                            • Instruction Fuzzy Hash: D381D0B0901A408EC7A4DF39AD8569F7BE5FBA8306750812A9419C7B7AEF7048848F15
                                            APIs
                                            • _memset.LIBCMT ref: 00A44370
                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A44415
                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A44432
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: IconNotifyShell_$_memset
                                            • String ID:
                                            • API String ID: 1505330794-0
                                            • Opcode ID: 333d943507dd6154d2057b66d581260eea242eaa9a035ff3fa128e5a09bdddb0
                                            • Instruction ID: 25171d20264ecb590f5c9c32ed0928cb19eea40b312fa676098da88adfd7b6e9
                                            • Opcode Fuzzy Hash: 333d943507dd6154d2057b66d581260eea242eaa9a035ff3fa128e5a09bdddb0
                                            • Instruction Fuzzy Hash: B3318FB4505B018FD720DF24D88479BBBF8FF98709F00092EE59A87251E771A944CB92
                                            APIs
                                            • __FF_MSGBANNER.LIBCMT ref: 00A65733
                                              • Part of subcall function 00A6A16B: __NMSG_WRITE.LIBCMT ref: 00A6A192
                                              • Part of subcall function 00A6A16B: __NMSG_WRITE.LIBCMT ref: 00A6A19C
                                            • __NMSG_WRITE.LIBCMT ref: 00A6573A
                                              • Part of subcall function 00A6A1C8: GetModuleFileNameW.KERNEL32(00000000,00B033BA,00000104,?,00000001,00000000), ref: 00A6A25A
                                              • Part of subcall function 00A6A1C8: ___crtMessageBoxW.LIBCMT ref: 00A6A308
                                              • Part of subcall function 00A6309F: ___crtCorExitProcess.LIBCMT ref: 00A630A5
                                              • Part of subcall function 00A6309F: ExitProcess.KERNEL32 ref: 00A630AE
                                              • Part of subcall function 00A68B28: __getptd_noexit.LIBCMT ref: 00A68B28
                                            • RtlAllocateHeap.NTDLL(00CC0000,00000000,00000001,00000000,?,?,?,00A60DD3,?), ref: 00A6575F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                            • String ID:
                                            • API String ID: 1372826849-0
                                            • Opcode ID: 88b603d2ed8e063701999089e4d1201ee8be0daf87ea7a861b749715dbd63bc0
                                            • Instruction ID: 8bf0817067217093d22cffa532da3f765c869d8941a3e81dc565ac282e0de69c
                                            • Opcode Fuzzy Hash: 88b603d2ed8e063701999089e4d1201ee8be0daf87ea7a861b749715dbd63bc0
                                            • Instruction Fuzzy Hash: 6201F132A40B01DEDA103B39ED92A2E73BCCB92761F100A36F605AB2C2DE749C014660
                                            APIs
                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00AA9548,?,?,?,?,?,00000004), ref: 00AA98BB
                                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00AA9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00AA98D1
                                            • CloseHandle.KERNEL32(00000000,?,00AA9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AA98D8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: File$CloseCreateHandleTime
                                            • String ID:
                                            • API String ID: 3397143404-0
                                            • Opcode ID: 654e1ada556fe5780cc296a1cd9a184870d233219cd2be6be596c9f5d76b8c7e
                                            • Instruction ID: f2082d4133e93eff8adc67e25678df13e0febd8f47f0d2a241ed2caba4fd3c4f
                                            • Opcode Fuzzy Hash: 654e1ada556fe5780cc296a1cd9a184870d233219cd2be6be596c9f5d76b8c7e
                                            • Instruction Fuzzy Hash: 2CE08632141214BBDB215B94EC09FCA7B5AAB06760F154221FB24690E0C7B115129798
                                            APIs
                                            • _free.LIBCMT ref: 00AA8D1B
                                              • Part of subcall function 00A62D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00A69A24), ref: 00A62D69
                                              • Part of subcall function 00A62D55: GetLastError.KERNEL32(00000000,?,00A69A24), ref: 00A62D7B
                                            • _free.LIBCMT ref: 00AA8D2C
                                            • _free.LIBCMT ref: 00AA8D3E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                            • Instruction ID: 9db2e39065ddc641c7f3634aa4fb57d306dcacfa333ec4f2708a8245c6c18500
                                            • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                            • Instruction Fuzzy Hash: A0E012A1601A0187CB24A778AA40B9313EC5F59752714091DB55DE71C6DF68F8428224
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CALL
                                            • API String ID: 0-4196123274
                                            • Opcode ID: ffd0e83c4348125ae1a484802fae85fe7ea9fca6ec7ab38d620e5280df98eb95
                                            • Instruction ID: 3cb8984944029c1a5ef11bcd3fdf4d99256880072658d1a1c43d022274f17982
                                            • Opcode Fuzzy Hash: ffd0e83c4348125ae1a484802fae85fe7ea9fca6ec7ab38d620e5280df98eb95
                                            • Instruction Fuzzy Hash: 13225778608201DFDB24DF14C590A6ABBF1FF94304F14896DE89A9B362D731ED85CB82
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _memmove
                                            • String ID: EA06
                                            • API String ID: 4104443479-3962188686
                                            • Opcode ID: d0e8cc7e8d0289408cf41b5f438f0fd6c4ae522996f9bc98582e79da5680a5db
                                            • Instruction ID: 9e86e9eadd946e50018b6400b7e0716e6d60bd8a1253b7f682981b3cbc33baff
                                            • Opcode Fuzzy Hash: d0e8cc7e8d0289408cf41b5f438f0fd6c4ae522996f9bc98582e79da5680a5db
                                            • Instruction Fuzzy Hash: 2B415D39E041589BDF219B649D927BE7FB29FCD300F284475FC869B286D6209D4483A2
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _memmove
                                            • String ID:
                                            • API String ID: 4104443479-0
                                            • Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                            • Instruction ID: f3f0db36177f928654d67f8029d5f62e33cb132dfca807334727dcfa56763a5d
                                            • Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                            • Instruction Fuzzy Hash: 7C31A2B5604606AFC704DF68C9D1E6DB3A9FF883607158639E519CB291EB30ED60CB90
                                            APIs
                                            • IsThemeActive.UXTHEME ref: 00A44834
                                              • Part of subcall function 00A6336C: __lock.LIBCMT ref: 00A63372
                                              • Part of subcall function 00A6336C: DecodePointer.KERNEL32(00000001,?,00A44849,00A97C74), ref: 00A6337E
                                              • Part of subcall function 00A6336C: EncodePointer.KERNEL32(?,?,00A44849,00A97C74), ref: 00A63389
                                              • Part of subcall function 00A448FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A44915
                                              • Part of subcall function 00A448FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A4492A
                                              • Part of subcall function 00A43B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A43B68
                                              • Part of subcall function 00A43B3A: IsDebuggerPresent.KERNEL32 ref: 00A43B7A
                                              • Part of subcall function 00A43B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B052F8,00B052E0,?,?), ref: 00A43BEB
                                              • Part of subcall function 00A43B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00A43C6F
                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A44874
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                            • String ID:
                                            • API String ID: 1438897964-0
                                            • Opcode ID: 2009ddcfd311e5260bf0f02df3ee478d38d0d731fcc6604dc31df2204d7f12e7
                                            • Instruction ID: 9b73f27ea945f66877282a983705187f120d6917f940257601cba92206021cfd
                                            • Opcode Fuzzy Hash: 2009ddcfd311e5260bf0f02df3ee478d38d0d731fcc6604dc31df2204d7f12e7
                                            • Instruction Fuzzy Hash: 69116A729083059BCB10DF69D945A0FBBE8EFA9750F10891AF040872A1DF709955CF92
                                            APIs
                                              • Part of subcall function 00A6571C: __FF_MSGBANNER.LIBCMT ref: 00A65733
                                              • Part of subcall function 00A6571C: __NMSG_WRITE.LIBCMT ref: 00A6573A
                                              • Part of subcall function 00A6571C: RtlAllocateHeap.NTDLL(00CC0000,00000000,00000001,00000000,?,?,?,00A60DD3,?), ref: 00A6575F
                                            • std::exception::exception.LIBCMT ref: 00A60DEC
                                            • __CxxThrowException@8.LIBCMT ref: 00A60E01
                                              • Part of subcall function 00A6859B: RaiseException.KERNEL32(?,?,?,00AF9E78,00000000,?,?,?,?,00A60E06,?,00AF9E78,?,00000001), ref: 00A685F0
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                            • String ID:
                                            • API String ID: 3902256705-0
                                            • Opcode ID: 2e916c4f6c82e7c914bb963c506fa7920cda268216f0e0c2b15fbedacbb2431c
                                            • Instruction ID: 944117b473d7ab68a10d8675dda568d7f7c7a293a87657248aecb1b28744a8f3
                                            • Opcode Fuzzy Hash: 2e916c4f6c82e7c914bb963c506fa7920cda268216f0e0c2b15fbedacbb2431c
                                            • Instruction Fuzzy Hash: EDF0C87594031DA6DB10BBA4ED05EDF7BBCDF11351F104966FD0996281EF719A80C2D1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: __lock_file_memset
                                            • String ID:
                                            • API String ID: 26237723-0
                                            • Opcode ID: ec4dcaafea327cc44af9bf61a1d04ea9ff0bd74cf7257ff360b0d223e5e411ac
                                            • Instruction ID: cd0f3979d2b54317a363f7bbe8dbac79c4f8e33cea12a50eaf2bf555fb28f0b3
                                            • Opcode Fuzzy Hash: ec4dcaafea327cc44af9bf61a1d04ea9ff0bd74cf7257ff360b0d223e5e411ac
                                            • Instruction Fuzzy Hash: 3F01DB76C00A08EBCF12AFB8DD068AE7B71BF51361F588215F8241B1D1EB758A51DF91
                                            APIs
                                              • Part of subcall function 00A68B28: __getptd_noexit.LIBCMT ref: 00A68B28
                                            • __lock_file.LIBCMT ref: 00A653EB
                                              • Part of subcall function 00A66C11: __lock.LIBCMT ref: 00A66C34
                                            • __fclose_nolock.LIBCMT ref: 00A653F6
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                            • String ID:
                                            • API String ID: 2800547568-0
                                            • Opcode ID: 440637e9018c1065681ad8c576ad9da359d7ec2427e88777af003004ce1c45df
                                            • Instruction ID: 5cae9bf6b3eed2ee3713c4a985394b6b283bf234454f3dbdf7fa9efd0a6e6015
                                            • Opcode Fuzzy Hash: 440637e9018c1065681ad8c576ad9da359d7ec2427e88777af003004ce1c45df
                                            • Instruction Fuzzy Hash: EBF09071C00A049ADB20AF7599067AD76B46F41774F208309A424AF2C1CFBC89419F52
                                            APIs
                                              • Part of subcall function 00D50958: GetFileAttributesW.KERNELBASE(?), ref: 00D50963
                                            • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00D51256
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357601722.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_d50000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: AttributesCreateDirectoryFile
                                            • String ID:
                                            • API String ID: 3401506121-0
                                            • Opcode ID: 9dc717d3b901d3ee61af3d1928b5bd425308698af91285b8d4f3bad25b062478
                                            • Instruction ID: bd664f789133bbdc869156b1d8442b31d3b2a7780897a006658680d8774e7f4c
                                            • Opcode Fuzzy Hash: 9dc717d3b901d3ee61af3d1928b5bd425308698af91285b8d4f3bad25b062478
                                            • Instruction Fuzzy Hash: C561A331A1020997EF14EFA0D854BEF733AEF58300F005569A90DE7290EB759E49CB75
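The block above is the one function in this listing whose code does not come from the mapped executable: its dump is "based on PE: false", the dump name carries protection 0x40 and type 0x20000, and it still issues a direct Win32 call (CreateDirectoryW). That combination, code calling the OS from private read-write-execute memory, is what the report's "Writes to foreign memory regions" and injection signatures describe. The helper below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling; it parses listings in this format and flags exactly that pattern. It assumes (this page does not document it) that in a dump name `<a>.<b>.<c>.<base>.<protect>.<d>.<type>.<e>.sdmp` the fourth field is the region base, the fifth the page protection and the seventh the allocation type; the constant values it decodes are the standard winnt.h PAGE_* and MEM_* flags.

```python
"""Triage helper for Joe Sandbox per-function API listings.

Added example, not from the report or its tooling. Decodes the dotted fields
of a .sdmp dump name (field layout is an assumption, see the docstring of
parse_source_line) and flags direct API calls issued from memory that is not
backed by a PE image and is private and writable+executable.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# winnt.h page protection constants
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEMORY_BASIC_INFORMATION.Type values
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")
# "<api>.<MODULE>(<args>), ref: <addr>"; the argument list is optional
API_RE = re.compile(
    r"(?P<api>[\w:@]+)\.(?P<mod>[A-Z][A-Z0-9]*)(?:\((?P<args>[^)]*)\))?,?"
    r"\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})")


@dataclass
class DumpRegion:
    name: str
    offset: int        # "Offset:" field (module base for image-backed dumps)
    dump_base: int     # 4th name field, assumed to be the region start
    protect: int       # 5th name field, assumed to be the page protection
    mem_type: int      # 7th name field, assumed to be the allocation type
    pe_backed: bool    # "based on PE"

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    @property
    def writable_executable(self) -> bool:
        return self.protect in (0x40, 0x80)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int
    nested: bool       # "Part of subcall function": reached via a callee


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    region: Optional[DumpRegion] = None


def parse_source_line(line: str) -> Optional[DumpRegion]:
    """Decode a 'Source File:' line; the 8-field name layout is an assumption."""
    m = SOURCE_RE.search(line)
    if not m:
        return None
    fields = m["name"][: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {m['name']}")
    return DumpRegion(name=m["name"], offset=int(m["offset"], 16),
                      dump_base=int(fields[3], 16), protect=int(fields[4], 16),
                      mem_type=int(fields[6], 16), pe_backed=m["pe"] == "true")


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split a listing into function blocks; each block starts at an 'APIs' line."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.search(line)
        if m:
            cur.calls.append(ApiCall(m["api"], m["mod"], int(m["ref"], 16),
                                     "Part of subcall function" in line))
            continue
        region = parse_source_line(line)
        if region is not None:
            cur.region = region
    return blocks


def flag_injected_code(blocks):
    """(ref, api, where) for direct calls from non-image RWX memory."""
    findings = []
    for b in blocks:
        r = b.region
        if r is None or r.pe_backed or r.mem_type == 0x1000000 or not r.writable_executable:
            continue
        for c in b.calls:
            if not c.nested:
                findings.append((c.ref, f"{c.api}.{c.module}",
                                 f"{r.type_name} {r.protect_name} at {r.offset:#010x}"))
    return findings


# Two function blocks copied (abbreviated) from the listing above.
SAMPLE = """\
APIs
• IsThemeActive.UXTHEME ref: 00A44834
  • Part of subcall function 00A43B3A: IsDebuggerPresent.KERNEL32 ref: 00A43B7A
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A44874
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
APIs
  • Part of subcall function 00D50958: GetFileAttributesW.KERNELBASE(?), ref: 00D50963
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 00D51256
Memory Dump Source
• Source File: 00000001.00000002.1357601722.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
"""

if __name__ == "__main__":
    for ref, api, where in flag_injected_code(parse_blocks(SAMPLE)):
        print(f"{ref:#010x} {api} <- {where}")
```

Run against the two blocks embedded in SAMPLE, only the CreateDirectoryW call at 00D51256 is reported: the A40000 functions are image-backed (MEM_IMAGE, PAGE_EXECUTE_READ), and the nested GetFileAttributesW is attributed to its callee rather than to the region being examined. Paste the full listing in place of SAMPLE to get every direct call the unpacked payload makes from its RWX region.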
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                            • Instruction ID: 927f21cc084c16a6bceedfba209c5813ebd50735fddaf410e8ce5865b6c42b4e
                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                            • Instruction Fuzzy Hash: 3831D2B4A001059FC718DF59C484A6AFBB6FB59300B6487A5E84ACB351DB31EDD1DBC0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ClearVariant
                                            • String ID:
                                            • API String ID: 1473721057-0
                                            • Opcode ID: fe1740b047eda96e6eb5280ccc132b47766afb9959d30c75ac642eec0f480708
                                            • Instruction ID: 420c9b56794c8fb7ea9619f9718b1f1fcf44f8823e227e178e6d3dc661b743c2
                                            • Opcode Fuzzy Hash: fe1740b047eda96e6eb5280ccc132b47766afb9959d30c75ac642eec0f480708
                                            • Instruction Fuzzy Hash: 2D41E5746043519FDB24DF14C584B1ABBE1BF95318F0988ACE89A8B762C732E845CB52
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _memmove
                                            • String ID:
                                            • API String ID: 4104443479-0
                                            • Opcode ID: 3a0f7ea8cc1d5dd3ab960942b5e2cc3ba1733ec3be3ee8b3904ece29222867df
                                            • Instruction ID: 3b0828c5d59bc2327156d35e411331e2aaee3c1bf17f700103425e3146ad85f2
                                            • Opcode Fuzzy Hash: 3a0f7ea8cc1d5dd3ab960942b5e2cc3ba1733ec3be3ee8b3904ece29222867df
                                            • Instruction Fuzzy Hash: 36213676A04A08EBDB14CFA6EC41B7E7BB4FB58350F21C46DE88AC5090EB3080D0D781
                                            APIs
                                              • Part of subcall function 00A44BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00A44BEF
                                              • Part of subcall function 00A6525B: __wfsopen.LIBCMT ref: 00A65266
                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A44E0F
                                              • Part of subcall function 00A44B6A: FreeLibrary.KERNEL32(00000000), ref: 00A44BA4
                                              • Part of subcall function 00A44C70: _memmove.LIBCMT ref: 00A44CBA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Library$Free$Load__wfsopen_memmove
                                            • String ID:
                                            • API String ID: 1396898556-0
                                            • Opcode ID: 58c24c343bb376a9f725956565d5c11e9dff4cc4e9b29b987ab30c2fa594cdbc
                                            • Instruction ID: 7e59881bdc3b8c25dd038f33e45d817dc10ff1eae109dbc9195e95c45c71a78f
                                            • Opcode Fuzzy Hash: 58c24c343bb376a9f725956565d5c11e9dff4cc4e9b29b987ab30c2fa594cdbc
                                            • Instruction Fuzzy Hash: 8E11A335600205ABCF15FFB0CD17FAE77B9AF88710F208829F541A7181EB719E159B51
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ClearVariant
                                            • String ID:
                                            • API String ID: 1473721057-0
                                            • Opcode ID: df7bea53610917128e7ab65199f34a090abad2a60668b958906fd4ca21360c55
                                            • Instruction ID: 06af306c650edfb4b04d1274d2a79fd87ee647d6e2655b0351bd34d0b0313912
                                            • Opcode Fuzzy Hash: df7bea53610917128e7ab65199f34a090abad2a60668b958906fd4ca21360c55
                                            • Instruction Fuzzy Hash: AE21F078A08301DFCB54DF64C444A1BBBE1BF88314F058968E88A57762D731E859CB92
                                            APIs
                                            • __lock_file.LIBCMT ref: 00A648A6
                                              • Part of subcall function 00A68B28: __getptd_noexit.LIBCMT ref: 00A68B28
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: __getptd_noexit__lock_file
                                            • String ID:
                                            • API String ID: 2597487223-0
                                            • Opcode ID: ba6e0e8ae884ca257b12bcd041951a77f6a531d4f06434dcce7bd724e773c88b
                                            • Instruction ID: 9b8e51d762d73d861223207f67d9528cb2fd9167a2a9c335fb8b8375848ba64d
                                            • Opcode Fuzzy Hash: ba6e0e8ae884ca257b12bcd041951a77f6a531d4f06434dcce7bd724e773c88b
                                            • Instruction Fuzzy Hash: F3F0C271900609EBDF11AFB88D067AE36B5AF04325F158514F4249B1D1CB7C8951DF51
                                            APIs
                                            • FreeLibrary.KERNEL32(?,?,00B052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A44E7E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: FreeLibrary
                                            • String ID:
                                            • API String ID: 3664257935-0
                                            • Opcode ID: 87a59bc8a39256a2512572cf4bc1d53441ff062f89d6f69b53ffae08e2e706e6
                                            • Instruction ID: 0ac8e4ab01d757948674a32564993b5bd4e5b6bd907d23e10b3b9cfb62f53170
                                            • Opcode Fuzzy Hash: 87a59bc8a39256a2512572cf4bc1d53441ff062f89d6f69b53ffae08e2e706e6
                                            • Instruction Fuzzy Hash: 45F03979501711CFDB349FA4E495992BBF1BF983293248A3EE2D682620C7329840DF40
                                            APIs
                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A607B0
                                              • Part of subcall function 00A47BCC: _memmove.LIBCMT ref: 00A47C06
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: LongNamePath_memmove
                                            • String ID:
                                            • API String ID: 2514874351-0
                                            • Opcode ID: 26cfa5991cac81c248460c41cbb5ac16525baf079f4b559f786616de19628967
                                            • Instruction ID: c20a910d8b511b0cf80817c53a663342928aabaa2deee83efe7c9d4070e1c5f0
                                            • Opcode Fuzzy Hash: 26cfa5991cac81c248460c41cbb5ac16525baf079f4b559f786616de19628967
                                            • Instruction Fuzzy Hash: 4BE0CD36A041285BC721D69C9C05FEA77DDDFC87A0F0541B5FD0CD7204D9609C8186D0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: __fread_nolock
                                            • String ID:
                                            • API String ID: 2638373210-0
                                            • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                            • Instruction ID: 6381fd78fa3263b4b57ea3215e73d3ab88026fd43a09820481e4efbf67a699ea
                                            • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                            • Instruction Fuzzy Hash: ABE092B0504B009BD7388B24D800BA373E1AB06304F00081DF2AA83241EB62B8418759
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?), ref: 00D50963
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357601722.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_d50000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                            • Instruction ID: 5d3299f1e814d6a868637689c3358398843dceba0ba761414e9e6c927c03eab5
                                            • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                            • Instruction Fuzzy Hash: 80E08671505108DBEF10CAA889046ADB7A4AF05311F184654AC55C3281D5318E04DE64
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?), ref: 00D50933
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357601722.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_d50000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                            • Instruction ID: 09dcba4f638de165559ab5ddeb309c53db2f9ea5a416ecac229d7f6626214da2
                                            • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                            • Instruction Fuzzy Hash: 1DD05E3190520CABDB20CAB499049DE77A8A705331F108754ED1983281D5319E049B60
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: __wfsopen
                                            • String ID:
                                            • API String ID: 197181222-0
                                            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                            • Instruction ID: 556b0dde5b50097e9627ab001444a348cd3cccf8d6e75082c6fe39cc4368cfc8
                                            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                            • Instruction Fuzzy Hash: C6B092B684020C77CE022AA2EC02A893B299B41764F408020FB0C18162A673A6649A89
                                            APIs
                                            • Sleep.KERNELBASE(000001F4), ref: 00D52369
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357601722.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_d50000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                            • Instruction ID: 75946ed411b9d818bb6817f07e582bda4b8754c33afa0554909115c8533c38a9
                                            • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                            • Instruction Fuzzy Hash: 5EE0BF7494110EEFDB00DFE8D5496ED7BB4EF04302F1006A5FD05D7680DB309E548A62
                                            APIs
                                            • Sleep.KERNELBASE(000001F4), ref: 00D52369
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357601722.0000000000D50000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_d50000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                            • Instruction ID: 1cfe4d20982072934df9f5d053a40668d7ee6665d098402fbc8e2dc05df0b6d9
                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                            • Instruction Fuzzy Hash: 0DE0E67494110EDFDB00DFF8D5496AD7BF4EF04302F100265FD01D2280D6309D548A72
                                            APIs
                                              • Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623
                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00ACCB37
                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00ACCB95
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00ACCBD6
                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00ACCC00
                                            • SendMessageW.USER32 ref: 00ACCC29
                                            • _wcsncpy.LIBCMT ref: 00ACCC95
                                            • GetKeyState.USER32(00000011), ref: 00ACCCB6
                                            • GetKeyState.USER32(00000009), ref: 00ACCCC3
                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00ACCCD9
                                            • GetKeyState.USER32(00000010), ref: 00ACCCE3
                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00ACCD0C
                                            • SendMessageW.USER32 ref: 00ACCD33
                                            • SendMessageW.USER32(?,00001030,?,00ACB348), ref: 00ACCE37
                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00ACCE4D
                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00ACCE60
                                            • SetCapture.USER32(?), ref: 00ACCE69
                                            • ClientToScreen.USER32(?,?), ref: 00ACCECE
                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00ACCEDB
                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00ACCEF5
                                            • ReleaseCapture.USER32 ref: 00ACCF00
                                            • GetCursorPos.USER32(?), ref: 00ACCF3A
                                            • ScreenToClient.USER32(?,?), ref: 00ACCF47
                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00ACCFA3
                                            • SendMessageW.USER32 ref: 00ACCFD1
                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00ACD00E
                                            • SendMessageW.USER32 ref: 00ACD03D
                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00ACD05E
                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00ACD06D
                                            • GetCursorPos.USER32(?), ref: 00ACD08D
                                            • ScreenToClient.USER32(?,?), ref: 00ACD09A
                                            • GetParent.USER32(?), ref: 00ACD0BA
                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00ACD123
                                            • SendMessageW.USER32 ref: 00ACD154
                                            • ClientToScreen.USER32(?,?), ref: 00ACD1B2
                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00ACD1E2
                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00ACD20C
                                            • SendMessageW.USER32 ref: 00ACD22F
                                            • ClientToScreen.USER32(?,?), ref: 00ACD281
                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00ACD2B5
                                              • Part of subcall function 00A425DB: GetWindowLongW.USER32(?,000000EB), ref: 00A425EC
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00ACD351
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                            • String ID: @GUI_DRAGID$F
                                            • API String ID: 3977979337-4164748364
                                            • Opcode ID: 2df78231e729c49fc43d4318a29bc54ba7593949e1f55aca08c2aa2c50438726
                                            • Instruction ID: 374b9b583927449e96188c957aa61b38949f054381f2f54d06a072ede9f11b2e
                                            • Opcode Fuzzy Hash: 2df78231e729c49fc43d4318a29bc54ba7593949e1f55aca08c2aa2c50438726
                                            • Instruction Fuzzy Hash: 23428A74204281AFDB24CF68C849FAABBE5FF49320F16052DF699972A0D731DC51DB52
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _memmove$_memset
                                            • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                            • API String ID: 1357608183-1798697756
                                            • Opcode ID: 6d0b6f36102546f03dff0bcbe9dd3978be4fe66f3f7bbdcd43c52a22464ec38e
                                            • Instruction ID: c4160558ec0b8f56af9ef5aea5f6813dc1f85b1c2e44349e03faa171dcb90364
                                            • Opcode Fuzzy Hash: 6d0b6f36102546f03dff0bcbe9dd3978be4fe66f3f7bbdcd43c52a22464ec38e
                                            • Instruction Fuzzy Hash: E1938F76B04219DBDF24CF98D881BADB7F1FF48310F25816AE955AB291E7709E81CB40
                                            APIs
                                            • GetForegroundWindow.USER32(00000000,?), ref: 00A448DF
                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A7D665
                                            • IsIconic.USER32(?), ref: 00A7D66E
                                            • ShowWindow.USER32(?,00000009), ref: 00A7D67B
                                            • SetForegroundWindow.USER32(?), ref: 00A7D685
                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A7D69B
                                            • GetCurrentThreadId.KERNEL32 ref: 00A7D6A2
                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00A7D6AE
                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00A7D6BF
                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00A7D6C7
                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 00A7D6CF
                                            • SetForegroundWindow.USER32(?), ref: 00A7D6D2
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A7D6E7
                                            • keybd_event.USER32(00000012,00000000), ref: 00A7D6F2
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A7D6FC
                                            • keybd_event.USER32(00000012,00000000), ref: 00A7D701
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A7D70A
                                            • keybd_event.USER32(00000012,00000000), ref: 00A7D70F
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A7D719
                                            • keybd_event.USER32(00000012,00000000), ref: 00A7D71E
                                            • SetForegroundWindow.USER32(?), ref: 00A7D721
                                            • AttachThreadInput.USER32(?,?,00000000), ref: 00A7D748
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                            • String ID: Shell_TrayWnd
                                            • API String ID: 4125248594-2988720461
                                            • Opcode ID: 86957179b76bee4d2dfb15c16086327b44db406b0ce6d19be9abeee06c0396b0
                                            • Instruction ID: 753b7a987307dfe6473f13e6c5b7b8641028828bfe403e1d0c752484a3381144
                                            • Opcode Fuzzy Hash: 86957179b76bee4d2dfb15c16086327b44db406b0ce6d19be9abeee06c0396b0
                                            • Instruction Fuzzy Hash: EF315271A4031CBFEB206BA19C89F7F7E7DEF44B50F118025FA05EA1D1C6B05911ABA1
                                            APIs
                                              • Part of subcall function 00A987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A9882B
                                              • Part of subcall function 00A987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A98858
                                              • Part of subcall function 00A987E1: GetLastError.KERNEL32 ref: 00A98865
                                            • _memset.LIBCMT ref: 00A98353
                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00A983A5
                                            • CloseHandle.KERNEL32(?), ref: 00A983B6
                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A983CD
                                            • GetProcessWindowStation.USER32 ref: 00A983E6
                                            • SetProcessWindowStation.USER32(00000000), ref: 00A983F0
                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A9840A
                                              • Part of subcall function 00A981CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A98309), ref: 00A981E0
                                              • Part of subcall function 00A981CB: CloseHandle.KERNEL32(?,?,00A98309), ref: 00A981F2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                            • String ID: $default$winsta0
                                            • API String ID: 2063423040-1027155976
                                            • Opcode ID: ca44a3d43802bfbc5bb9c08282ec0bbf064a2a4b9c0cd378bbdd61c2977bde15
                                            • Instruction ID: 6405338534d8a4b26853ff32121070fcbba2480ed77003f9b93eb9ce05689dd9
                                            • Opcode Fuzzy Hash: ca44a3d43802bfbc5bb9c08282ec0bbf064a2a4b9c0cd378bbdd61c2977bde15
                                            • Instruction Fuzzy Hash: 428177B1A00209AFDF11DFA4CD45EFEBBB9EF05304F154169F910A6261DB398E19DB20
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?), ref: 00AAC78D
                                            • FindClose.KERNEL32(00000000), ref: 00AAC7E1
                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AAC806
                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AAC81D
                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00AAC844
                                            • __swprintf.LIBCMT ref: 00AAC890
                                            • __swprintf.LIBCMT ref: 00AAC8D3
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                            • __swprintf.LIBCMT ref: 00AAC927
                                              • Part of subcall function 00A63698: __woutput_l.LIBCMT ref: 00A636F1
                                            • __swprintf.LIBCMT ref: 00AAC975
                                              • Part of subcall function 00A63698: __flsbuf.LIBCMT ref: 00A63713
                                              • Part of subcall function 00A63698: __flsbuf.LIBCMT ref: 00A6372B
                                            • __swprintf.LIBCMT ref: 00AAC9C4
                                            • __swprintf.LIBCMT ref: 00AACA13
                                            • __swprintf.LIBCMT ref: 00AACA62
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                            • API String ID: 3953360268-2428617273
                                            • Opcode ID: 57efbb9d97456c940bbbd44f26bd96dd66cf047e6a180b8601b4c9d4f9ecbd61
                                            • Instruction ID: 4ad6230f0d977ce1d55ef68b7668489ba5cbbc094e80acba1dfd541557c23832
                                            • Opcode Fuzzy Hash: 57efbb9d97456c940bbbd44f26bd96dd66cf047e6a180b8601b4c9d4f9ecbd61
                                            • Instruction Fuzzy Hash: DFA13CB6408245ABD740EFA4C986DAFB7ECFFD9700F400919F59587192EB34DA09CB62

APIs
• FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00AAEFB6
• _wcscmp.LIBCMT ref: 00AAEFCB
• _wcscmp.LIBCMT ref: 00AAEFE2
• GetFileAttributesW.KERNEL32(?), ref: 00AAEFF4
• SetFileAttributesW.KERNEL32(?,?), ref: 00AAF00E
• FindNextFileW.KERNEL32(00000000,?), ref: 00AAF026
• FindClose.KERNEL32(00000000), ref: 00AAF031
• FindFirstFileW.KERNEL32(*.*,?), ref: 00AAF04D
• _wcscmp.LIBCMT ref: 00AAF074
• _wcscmp.LIBCMT ref: 00AAF08B
• SetCurrentDirectoryW.KERNEL32(?), ref: 00AAF09D
• SetCurrentDirectoryW.KERNEL32(00AF8920), ref: 00AAF0BB
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00AAF0C5
• FindClose.KERNEL32(00000000), ref: 00AAF0D2
• FindClose.KERNEL32(00000000), ref: 00AAF0E4
Strings
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1803514871-438819550
• Opcode ID: 690c8eae01a41173e2c61f43e6511ed1e8b003f843d132f397d08e8c5b58a770
• Instruction ID: c30b822ee949c2e0a8e877ba37882ebb0d2d2550982217f900163d7072c4c868
• Opcode Fuzzy Hash: 690c8eae01a41173e2c61f43e6511ed1e8b003f843d132f397d08e8c5b58a770
• Instruction Fuzzy Hash: 4831AE325012187EDF18DBE4EC48EEEB7ADAF4A360F104176E814E30E1EB70DA45CA65

APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AC0953
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00ACF910,00000000,?,00000000,?,?), ref: 00AC09C1
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00AC0A09
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00AC0A92
• RegCloseKey.ADVAPI32(?), ref: 00AC0DB2
• RegCloseKey.ADVAPI32(00000000), ref: 00AC0DBF
Strings
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 536824911-966354055
• Opcode ID: 6fdcab39c61a420c6800ff28d85415f118daf5ab07636be1673221309fc57cfd
• Instruction ID: dfb2702ae38c81d9fce6c5ea0b6215424977df5288b58d3baf9afb689a4b5000
• Opcode Fuzzy Hash: 6fdcab39c61a420c6800ff28d85415f118daf5ab07636be1673221309fc57cfd
• Instruction Fuzzy Hash: EB0237796046019FCB14EF28C941E2BB7E5FF89714F05895CF89A9B2A2DB31EC45CB81

APIs
• FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00AAF113
• _wcscmp.LIBCMT ref: 00AAF128
• _wcscmp.LIBCMT ref: 00AAF13F
  • Part of subcall function 00AA4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00AA43A0
• FindNextFileW.KERNEL32(00000000,?), ref: 00AAF16E
• FindClose.KERNEL32(00000000), ref: 00AAF179
• FindFirstFileW.KERNEL32(*.*,?), ref: 00AAF195
• _wcscmp.LIBCMT ref: 00AAF1BC
• _wcscmp.LIBCMT ref: 00AAF1D3
• SetCurrentDirectoryW.KERNEL32(?), ref: 00AAF1E5
• SetCurrentDirectoryW.KERNEL32(00AF8920), ref: 00AAF203
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00AAF20D
• FindClose.KERNEL32(00000000), ref: 00AAF21A
• FindClose.KERNEL32(00000000), ref: 00AAF22C
Strings
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
• Opcode ID: 98ff4b60fefb08a273546d2d69077f467cd918906c30011c8092f3b6e4ebc4ab
• Instruction ID: 4a0d7e7cbccf873ef27079157f8d382fb8b71eb269880aec25e38abf35e48f17
• Opcode Fuzzy Hash: 98ff4b60fefb08a273546d2d69077f467cd918906c30011c8092f3b6e4ebc4ab
• Instruction Fuzzy Hash: 103190365002197EDF18EBE4EC49FEE77AD9F46360F100265E910A31E1EB70DE4ACA54

APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AAA20F
• __swprintf.LIBCMT ref: 00AAA231
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00AAA26E
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AAA293
• _memset.LIBCMT ref: 00AAA2B2
• _wcsncpy.LIBCMT ref: 00AAA2EE
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AAA323
• CloseHandle.KERNEL32(00000000), ref: 00AAA32E
• RemoveDirectoryW.KERNEL32(?), ref: 00AAA337
• CloseHandle.KERNEL32(00000000), ref: 00AAA341
Strings
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: 37c64489abd2ae2f2179019ea41638025343123049a4b313bac54f57e4a0567f
• Instruction ID: 328458c4313816ec8c790a4b719b5f656e7240948fd8cd43ec50bd98dc51da0c
• Opcode Fuzzy Hash: 37c64489abd2ae2f2179019ea41638025343123049a4b313bac54f57e4a0567f
• Instruction Fuzzy Hash: EF31C1B5900109ABDB21DFA0DC49FEB77BDEF89740F1041B6F608D61A0EB749645CB25

APIs
  • Part of subcall function 00A98202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A9821E
  • Part of subcall function 00A98202: GetLastError.KERNEL32(?,00A97CE2,?,?,?), ref: 00A98228
  • Part of subcall function 00A98202: GetProcessHeap.KERNEL32(00000008,?,?,00A97CE2,?,?,?), ref: 00A98237
  • Part of subcall function 00A98202: HeapAlloc.KERNEL32(00000000,?,00A97CE2,?,?,?), ref: 00A9823E
  • Part of subcall function 00A98202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A98255
  • Part of subcall function 00A9829F: GetProcessHeap.KERNEL32(00000008,00A97CF8,00000000,00000000,?,00A97CF8,?), ref: 00A982AB
  • Part of subcall function 00A9829F: HeapAlloc.KERNEL32(00000000,?,00A97CF8,?), ref: 00A982B2
  • Part of subcall function 00A9829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A97CF8,?), ref: 00A982C3
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A97D13
• _memset.LIBCMT ref: 00A97D28
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A97D47
• GetLengthSid.ADVAPI32(?), ref: 00A97D58
• GetAce.ADVAPI32(?,00000000,?), ref: 00A97D95
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A97DB1
• GetLengthSid.ADVAPI32(?), ref: 00A97DCE
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A97DDD
• HeapAlloc.KERNEL32(00000000), ref: 00A97DE4
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A97E05
• CopySid.ADVAPI32(00000000), ref: 00A97E0C
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A97E3D
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A97E63
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A97E77
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
• Opcode ID: c49ad1b024a1f06805d58155fd34eedf02517d3170d28f20eafde1e76adb3da4
• Instruction ID: 58c5de2cfb82c19c4fbd13b3e9a09c9474fe3834778471f76c7922d28f216d7d
• Opcode Fuzzy Hash: c49ad1b024a1f06805d58155fd34eedf02517d3170d28f20eafde1e76adb3da4
• Instruction Fuzzy Hash: 70614E71A04509EFDF01DF94DC45EEEBBBAFF04700F148269E915AA291DB359E05CB60

Strings
Similarity
• API ID:
• String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
• API String ID: 0-4052911093
• Opcode ID: 06f2fbdc1b6fdb146fd85a6e3c71364294ef42ecd520262bc0ad5a02cc1d663d
• Instruction ID: d8c4e4fca2c9edaf32a9a074b68b6328534263d0e1dbc817dff589aa1e7b6fcf
• Opcode Fuzzy Hash: 06f2fbdc1b6fdb146fd85a6e3c71364294ef42ecd520262bc0ad5a02cc1d663d
• Instruction Fuzzy Hash: DC726E75E0021A9BDF14CF59C8807AEB7F5FF48311F55816AE909EB291EB309E85CB90

APIs
• GetKeyboardState.USER32(?), ref: 00AA0097
• SetKeyboardState.USER32(?), ref: 00AA0102
• GetAsyncKeyState.USER32(000000A0), ref: 00AA0122
• GetKeyState.USER32(000000A0), ref: 00AA0139
• GetAsyncKeyState.USER32(000000A1), ref: 00AA0168
• GetKeyState.USER32(000000A1), ref: 00AA0179
• GetAsyncKeyState.USER32(00000011), ref: 00AA01A5
• GetKeyState.USER32(00000011), ref: 00AA01B3
• GetAsyncKeyState.USER32(00000012), ref: 00AA01DC
• GetKeyState.USER32(00000012), ref: 00AA01EA
• GetAsyncKeyState.USER32(0000005B), ref: 00AA0213
• GetKeyState.USER32(0000005B), ref: 00AA0221
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: d6c7434ed9a9dbe24b8cf00883a6231125fc7b91c20808e6323f69d3c8274c74
• Instruction ID: 452508bf1fc810240b38badf68025fff6bb034638e58e22b9d71b80a8465861c
• Opcode Fuzzy Hash: d6c7434ed9a9dbe24b8cf00883a6231125fc7b91c20808e6323f69d3c8274c74
• Instruction Fuzzy Hash: 2851C72090478829FB35DBA08954FEABFB49F13380F08469E95C65B5C2DBA49B8CC761

APIs
  • Part of subcall function 00AC0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ABFDAD,?,?), ref: 00AC0E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AC04AC
  • Part of subcall function 00A49837: __itow.LIBCMT ref: 00A49862
  • Part of subcall function 00A49837: __swprintf.LIBCMT ref: 00A498AC
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00AC054B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00AC05E3
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00AC0822
• RegCloseKey.ADVAPI32(00000000), ref: 00AC082F
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
• Opcode ID: 36e0c7407b8f9bf249260eb3b26ed877f3f327dcb5647f3c1fb309ae854bbe92
• Instruction ID: b260fa47a9772deebd13b2c47ee28c186e94d89d3ec78ae80d9b8dd14449b1f2
• Opcode Fuzzy Hash: 36e0c7407b8f9bf249260eb3b26ed877f3f327dcb5647f3c1fb309ae854bbe92
• Instruction Fuzzy Hash: EFE15D71604204EFCB14DF28C991E2BBBE9EF89714B05896DF84ADB262D730E901CB91

APIs
  • Part of subcall function 00A49837: __itow.LIBCMT ref: 00A49862
  • Part of subcall function 00A49837: __swprintf.LIBCMT ref: 00A498AC
• CoInitialize.OLE32 ref: 00AB8403
• CoUninitialize.OLE32 ref: 00AB840E
• CoCreateInstance.OLE32(?,00000000,00000017,00AD2BEC,?), ref: 00AB846E
• IIDFromString.OLE32(?,?), ref: 00AB84E1
• VariantInit.OLEAUT32(?), ref: 00AB857B
• VariantClear.OLEAUT32(?), ref: 00AB85DC
Strings
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: ae7587a241841c8b8e4bcc3119dd48a73ab4048704bf36f58aceb3d74324f0f8
• Instruction ID: cbb610918e921bb15dd092b7d4bfaeabe676fcc22bd1c5d8b2a2f6dfc46611f4
• Opcode Fuzzy Hash: ae7587a241841c8b8e4bcc3119dd48a73ab4048704bf36f58aceb3d74324f0f8
• Instruction Fuzzy Hash: 11618E70608312AFC710DF58C948FABBBECAF85754F144919F9859B292CB74ED44CB92

APIs
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: f44e2de544c3acb3f4526afb7b661b97caef89f015b75f50f1059ea67457d70d
• Instruction ID: 8ab461f6d26b5ead9c9fc7373ef676a0c1d76489fe69ddce1a651ae05f9a60df
• Opcode Fuzzy Hash: f44e2de544c3acb3f4526afb7b661b97caef89f015b75f50f1059ea67457d70d
• Instruction Fuzzy Hash: 9D2192356016109FDB10AF68ED09FAE7BADFF58711F118029F946DB2A2DB30AC41CB54

APIs
  • Part of subcall function 00A44750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A44743,?,?,00A437AE,?), ref: 00A44770
  • Part of subcall function 00AA4A31: GetFileAttributesW.KERNEL32(?,00AA370B), ref: 00AA4A32
• FindFirstFileW.KERNEL32(?,?), ref: 00AA38A3
• DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00AA394B
• MoveFileW.KERNEL32(?,?), ref: 00AA395E
• DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00AA397B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00AA399D
• FindClose.KERNEL32(00000000,?,?,?,?), ref: 00AA39B9
Strings
                                            Similarity
                                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                            • String ID: \*.*
                                            • API String ID: 4002782344-1173974218
                                            • Opcode ID: a1058a7a716434f0e9da5db49a9bfaaa2de7c9ca4348d913ee90155a947087bd
                                            • Instruction ID: 6dbe939ee92c05388729835cef257c34617bd177089275d681515efaf4641c60
                                            • Opcode Fuzzy Hash: a1058a7a716434f0e9da5db49a9bfaaa2de7c9ca4348d913ee90155a947087bd
                                            • Instruction Fuzzy Hash: D4515E3680514CAACF05EBA0DA92DFEB779AF55300F604069F406B71D2EB716F09CB61
                                            APIs
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00AAF440
                                            • Sleep.KERNEL32(0000000A), ref: 00AAF470
                                            • _wcscmp.LIBCMT ref: 00AAF484
                                            • _wcscmp.LIBCMT ref: 00AAF49F
                                            • FindNextFileW.KERNEL32(?,?), ref: 00AAF53D
                                            • FindClose.KERNEL32(00000000), ref: 00AAF553
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                            • String ID: *.*
                                            • API String ID: 713712311-438819550
                                            • Opcode ID: 68bd18cd8cad9b9979fc160a9b5346a0e1bfaf5f980028f0283030e31f3ee835
                                            • Instruction ID: 90a794c79d5ca72df0968884882909f2c66aa8a302572c41c6ec9447f5d5c7e2
                                            • Opcode Fuzzy Hash: 68bd18cd8cad9b9979fc160a9b5346a0e1bfaf5f980028f0283030e31f3ee835
                                            • Instruction Fuzzy Hash: 9E416A71D4020AAFCF18DFA4CC85AEEBBB4FF0A310F14456AE815A7191EB309E45CB50
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _memmove
                                            • String ID:
                                            • API String ID: 4104443479-0
                                            • Opcode ID: efe69b9e61f4d4c8cd7fb7303e6a226ec5c7fdadf9705cbd4576bbeb2c57574f
                                            • Instruction ID: a78137cd8d3e912155d163d0508e31d91f1d1d21a995173fb7f20e4e68afbcda
                                            • Opcode Fuzzy Hash: efe69b9e61f4d4c8cd7fb7303e6a226ec5c7fdadf9705cbd4576bbeb2c57574f
                                            • Instruction Fuzzy Hash: E9128970E00609DFDF14DFA5DA91AAEB7F5FF88300F104529E846A7291EB3AAD15CB50
                                            APIs
                                              • Part of subcall function 00A44750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A44743,?,?,00A437AE,?), ref: 00A44770
                                              • Part of subcall function 00AA4A31: GetFileAttributesW.KERNEL32(?,00AA370B), ref: 00AA4A32
                                            • FindFirstFileW.KERNEL32(?,?), ref: 00AA3B89
                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 00AA3BD9
                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AA3BEA
                                            • FindClose.KERNEL32(00000000), ref: 00AA3C01
                                            • FindClose.KERNEL32(00000000), ref: 00AA3C0A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                            • String ID: \*.*
                                            • API String ID: 2649000838-1173974218
                                            • Opcode ID: c6eb41e03e878035afc081ca9aa17e1c86f161aed359b8c5aa54cea114bbf329
                                            • Instruction ID: 26c5703cc807962cacb7b2985b6ca58918a6cdb9bcfee1b87d2cccaa8e192b1d
                                            • Opcode Fuzzy Hash: c6eb41e03e878035afc081ca9aa17e1c86f161aed359b8c5aa54cea114bbf329
                                            • Instruction Fuzzy Hash: 29317E36008385AFC701EF64D991DAFB7E9AE96314F404D2DF4E593192EB219A09C763
                                            APIs
                                              • Part of subcall function 00A987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A9882B
                                              • Part of subcall function 00A987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A98858
                                              • Part of subcall function 00A987E1: GetLastError.KERNEL32 ref: 00A98865
                                            • ExitWindowsEx.USER32(?,00000000), ref: 00AA51F9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                            • String ID: $@$SeShutdownPrivilege
                                            • API String ID: 2234035333-194228
                                            • Opcode ID: 0db68f676e0a76b6c9c4c42beab83e409198720738399fcb4710b4e0b0bfc2eb
                                            • Instruction ID: 9247d2c9a370c7746df23b9a3f49ce9c284f65990ec8c03a795d35107cba04a1
                                            • Opcode Fuzzy Hash: 0db68f676e0a76b6c9c4c42beab83e409198720738399fcb4710b4e0b0bfc2eb
                                            • Instruction Fuzzy Hash: CF01F731F916156FEB2863B89C8AFFA72A8AB07750F200520F913E30D2EB611C058598
                                            APIs
                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00AB62DC
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00AB62EB
                                            • bind.WSOCK32(00000000,?,00000010), ref: 00AB6307
                                            • listen.WSOCK32(00000000,00000005), ref: 00AB6316
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00AB6330
                                            • closesocket.WSOCK32(00000000,00000000), ref: 00AB6344
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ErrorLast$bindclosesocketlistensocket
                                            • String ID:
                                            • API String ID: 1279440585-0
                                            • Opcode ID: 5eedf9fe78ea418af8882341dae4e257359342b8a5934e4cf8be12c28db17f01
                                            • Instruction ID: ef62377588e72284ffbcb85bdbdc91b11514a12dcab372e35475cdea3c2c17a1
                                            • Opcode Fuzzy Hash: 5eedf9fe78ea418af8882341dae4e257359342b8a5934e4cf8be12c28db17f01
                                            • Instruction Fuzzy Hash: CA21A0356002049FCB10EF68C945FAEB7FDEF88720F154159E816AB392C774AD02CB51
                                            APIs
                                              • Part of subcall function 00A60DB6: std::exception::exception.LIBCMT ref: 00A60DEC
                                              • Part of subcall function 00A60DB6: __CxxThrowException@8.LIBCMT ref: 00A60E01
                                            • _memmove.LIBCMT ref: 00A90258
                                            • _memmove.LIBCMT ref: 00A9036D
                                            • _memmove.LIBCMT ref: 00A90414
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                                            • String ID:
                                            • API String ID: 1300846289-0
                                            • Opcode ID: 379decd747af42bc77081a4996c267b7fbd7b4d340d1dbd3707f4d19705082b7
                                            • Instruction ID: b1f88302854193b0da66c13dc0fcc133c54096fceeadcc2f26fcf2590b2144b5
                                            • Opcode Fuzzy Hash: 379decd747af42bc77081a4996c267b7fbd7b4d340d1dbd3707f4d19705082b7
                                            • Instruction Fuzzy Hash: 6B028CB0A00209DFCF04DFA8D991AAEBBF5FF84340F148469E80ADB255EB35D955CB91
                                            APIs
                                              • Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623
                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00A419FA
                                            • GetSysColor.USER32(0000000F), ref: 00A41A4E
                                            • SetBkColor.GDI32(?,00000000), ref: 00A41A61
                                              • Part of subcall function 00A41290: DefDlgProcW.USER32(?,00000020,?), ref: 00A412D8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ColorProc$LongWindow
                                            • String ID:
                                            • API String ID: 3744519093-0
                                            • Opcode ID: 2f85feb63d1234241b0aec23f1f0cba0c3364fd150fbf23124764a9a5ed11164
                                            • Instruction ID: 7645c4f4359c36607d5d464da3a677c33d46e5313cede5201bd1531a8fac4250
                                            • Opcode Fuzzy Hash: 2f85feb63d1234241b0aec23f1f0cba0c3364fd150fbf23124764a9a5ed11164
                                            • Instruction Fuzzy Hash: A5A17AB9122544BEE638AF288D48FBF39ADDFC13C5F158129F506D6192CF20CD8196B2
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?), ref: 00AABCE6
                                            • _wcscmp.LIBCMT ref: 00AABD16
                                            • _wcscmp.LIBCMT ref: 00AABD2B
                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00AABD3C
                                            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00AABD6C
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Find$File_wcscmp$CloseFirstNext
                                            • String ID:
                                            • API String ID: 2387731787-0
                                            • Opcode ID: 1e0c3b4ec0e7219caa7134ca1ae71fd039ffb5bd5498e2ae07368adb9b77541d
                                            • Instruction ID: a52d87c9f0185734eb786ff464a53b753fe90918540ebdd032aa6c4c20386c42
                                            • Opcode Fuzzy Hash: 1e0c3b4ec0e7219caa7134ca1ae71fd039ffb5bd5498e2ae07368adb9b77541d
                                            • Instruction Fuzzy Hash: A4517B75604602DFDB14DF68C590EAAB7E8FF4A320F14461DE9568B3A2DB30ED05CBA1
                                            APIs
                                              • Part of subcall function 00AB7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AB7DB6
                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00AB679E
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00AB67C7
                                            • bind.WSOCK32(00000000,?,00000010), ref: 00AB6800
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00AB680D
                                            • closesocket.WSOCK32(00000000,00000000), ref: 00AB6821
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                            • String ID:
                                            • API String ID: 99427753-0
                                            • Opcode ID: 749833d23cfdb69f39e6c4c06aa74935d4c41d1e120e5dc4204a0f866649391b
                                            • Instruction ID: a6422b6f6efa37baf0b62e01a62a03b3fa93d5fc4171295ccf5b06798c46f071
                                            • Opcode Fuzzy Hash: 749833d23cfdb69f39e6c4c06aa74935d4c41d1e120e5dc4204a0f866649391b
                                            • Instruction Fuzzy Hash: 7141D379A00200AFDB10BF688D86F6F77E8DF85B14F048468F915AB3D3CA749D118791
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                            • String ID:
                                            • API String ID: 292994002-0
                                            • Opcode ID: 38ddfdf05c5cdffb57508c3e805a70ebe6e826895ee0f8e391e07c88e839f3e2
                                            • Instruction ID: df14deeaa50dba7d172a2074152c977eed99e55f66d7ea9f56cddf9900551a7b
                                            • Opcode Fuzzy Hash: 38ddfdf05c5cdffb57508c3e805a70ebe6e826895ee0f8e391e07c88e839f3e2
                                            • Instruction Fuzzy Hash: 8D11C432B009516FDB219F76DC54F6F7B99EF847A1B42402CF846DB241DBB0EC428AA4
                                            APIs
                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A980C0
                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A980CA
                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A980D9
                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A980E0
                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A980F6
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                            • String ID:
                                            • API String ID: 44706859-0
                                            • Opcode ID: e30a1c00db3a1d442b6eebf97fe217f8ac371786ca6abd1418c102f938ae4acf
                                            • Instruction ID: d085bb26ca9cc46f404807eae053ecc80acc36239cf71d6bef2899521bd70f1d
                                            • Opcode Fuzzy Hash: e30a1c00db3a1d442b6eebf97fe217f8ac371786ca6abd1418c102f938ae4acf
                                            • Instruction Fuzzy Hash: 48F0C234340204BFEB104FA5EC8CE673FADFF4A754B100139F905D6150DB649C02DA60
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00A44AD0), ref: 00A44B45
                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A44B57
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                            • API String ID: 2574300362-192647395
                                            • Opcode ID: 3a0014079ed3f8eda53391a3f6203f41b7ebbf070fa7ed31d5eefd542fec1f29
                                            • Instruction ID: 28da38cbaa6a828c65e95c9d60a1c76c3538fd30bf4e45e09dd8076fd4f3b838
                                            • Opcode Fuzzy Hash: 3a0014079ed3f8eda53391a3f6203f41b7ebbf070fa7ed31d5eefd542fec1f29
                                            • Instruction Fuzzy Hash: 7BD01274A10713DFD720DF71D818F0676D5AF45351B16CC3E9486D6150D770D881C655
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: __itow__swprintf
                                            • String ID:
                                            • API String ID: 674341424-0
                                            • Opcode ID: 9a244e8ccb053be4eeb80bf30aa8b152e89b9fc8b0d5c04d238e2be478a1f44e
                                            • Instruction ID: 1f354cb288dee7c7105e951aef329be9542db8a685fa170b4ecc6ae50f3b1b09
                                            • Opcode Fuzzy Hash: 9a244e8ccb053be4eeb80bf30aa8b152e89b9fc8b0d5c04d238e2be478a1f44e
                                            • Instruction Fuzzy Hash: 462267726083009BDB24EF24C991BABB7F5BFC4351F10491CF99A97291DB71E948CB92
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00ABEE3D
                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00ABEE4B
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                            • Process32NextW.KERNEL32(00000000,?), ref: 00ABEF0B
                                            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00ABEF1A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                            • String ID:
                                            • API String ID: 2576544623-0
                                            • Opcode ID: f6ddcfcfbad2ae3990a1ca1c379dde28e5476fde4bbd0015efe48770586a51a1
                                            • Instruction ID: 31397cf2123a8c59cdab6de6a555bf8a44eeca8612e461c0ad6b475a916ad53d
                                            • Opcode Fuzzy Hash: f6ddcfcfbad2ae3990a1ca1c379dde28e5476fde4bbd0015efe48770586a51a1
                                            • Instruction Fuzzy Hash: D0518C75504300AFD320EF24DC85EAFB7E8EF98750F10482DF595962A2EB70E909CB92
                                            APIs
                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A9E628
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: lstrlen
                                            • String ID: ($|
                                            • API String ID: 1659193697-1631851259
                                            • Opcode ID: 7f68c32937130f2e752583af9652e78489c81ff967e65c530dff8fe98a7bba68
                                            • Instruction ID: 8e8dd36c403ef3ec1c78a52060f1879bd43a722c59cdeb5577450ee1bcdd8c5d
                                            • Opcode Fuzzy Hash: 7f68c32937130f2e752583af9652e78489c81ff967e65c530dff8fe98a7bba68
                                            • Instruction Fuzzy Hash: 5A323575A007059FDB28CF59C48096AB7F0FF48320B15C56EE99ADB3A2EB70E941CB40
                                            APIs
                                            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00AB180A,00000000), ref: 00AB23E1
                                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00AB2418
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Internet$AvailableDataFileQueryRead
                                            • String ID:
                                            • API String ID: 599397726-0
                                            • Opcode ID: b49c87a9f7ee14b89f2aa75b7fe071feb314d876280150725c82c377602f02bd
                                            • Instruction ID: c692ae831823b6d98393c4f1a2a5008af6cebb3bdbbcb1563070e39c908d0b81
                                            • Opcode Fuzzy Hash: b49c87a9f7ee14b89f2aa75b7fe071feb314d876280150725c82c377602f02bd
                                            • Instruction Fuzzy Hash: F841AF71A04209BFEB209BA5DD85FFBB7FCEB40724F10406BF601AA542EA759E419760
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 00AAB40B
                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00AAB465
                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00AAB4B2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ErrorMode$DiskFreeSpace
                                            • String ID:
                                            • API String ID: 1682464887-0
                                            • Opcode ID: 946df05add78aaf0f7e158f0f227f674fa7de73c9e94ac7443e54a284de78768
                                            • Instruction ID: 2d061ee7bcf66df0e375f1b6c745066cf775eb25196bc56a0dfd7a10faa95851
                                            • Opcode Fuzzy Hash: 946df05add78aaf0f7e158f0f227f674fa7de73c9e94ac7443e54a284de78768
                                            • Instruction Fuzzy Hash: E1214435A10108DFCB00DFA5D984EEEBBB8FF89314F1580A9E905AB352DB319955CB51
                                            APIs
                                              • Part of subcall function 00A60DB6: std::exception::exception.LIBCMT ref: 00A60DEC
                                              • Part of subcall function 00A60DB6: __CxxThrowException@8.LIBCMT ref: 00A60E01
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A9882B
                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A98858
                                            • GetLastError.KERNEL32 ref: 00A98865
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                            • String ID:
                                            • API String ID: 1922334811-0
                                            • Opcode ID: ce2657565172ab4c64b299d53b63c026d582ffe42cb946e4790947e4fbe06442
                                            • Instruction ID: f39304afa60ad8aaa876a4fe3770bfc5752e7bf07dd634603a2ef0c62295524e
                                            • Opcode Fuzzy Hash: ce2657565172ab4c64b299d53b63c026d582ffe42cb946e4790947e4fbe06442
                                            • Instruction Fuzzy Hash: A5118FB2514204AFEB18DFA4DC85D6BB7F9EB45750B20C52EF45597241EB34BC418B60
                                            APIs
                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A98774
                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A9878B
                                            • FreeSid.ADVAPI32(?), ref: 00A9879B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                            • String ID:
                                            • API String ID: 3429775523-0
                                            • Opcode ID: 21b56f81b8423c2ed5f3bfe706c25378aa4f7cebf09cf905a27df834c47d99e2
                                            • Instruction ID: 3f18eaeae71d9c151d531654a82f082fa9eb560023c6ace6fdc7bcd03b9eca73
                                            • Opcode Fuzzy Hash: 21b56f81b8423c2ed5f3bfe706c25378aa4f7cebf09cf905a27df834c47d99e2
                                            • Instruction Fuzzy Hash: 8AF04975A1130CBFDF00DFF4DC89EAEBBBDEF08601F1044A9A901E2181E6756A048B50
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?), ref: 00AAC6FB
                                            • FindClose.KERNEL32(00000000), ref: 00AAC72B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Find$CloseFileFirst
                                            • String ID:
                                            • API String ID: 2295610775-0
                                            • Opcode ID: 2ea2423700e774cbbb0d64d48df396f4727f10fac78258bfc6c4767742ab2eaf
                                            • Instruction ID: 115c1c59c031ad475f8cb14445514c4e3a605f719d52aed20c6786b5e47c8804
                                            • Opcode Fuzzy Hash: 2ea2423700e774cbbb0d64d48df396f4727f10fac78258bfc6c4767742ab2eaf
                                            • Instruction Fuzzy Hash: 98115E766006049FDB10DF29D845A6AF7E9EF85324F01851DF9A997291DB30A815CB81
                                            APIs
                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00AB9468,?,00ACFB84,?), ref: 00AAA097
                                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00AB9468,?,00ACFB84,?), ref: 00AAA0A9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ErrorFormatLastMessage
                                            • String ID:
                                            • API String ID: 3479602957-0
                                            • Opcode ID: 57593ba025a066109578bca492029b389cfdd264d80902e0e3a82d48a806e356
                                            • Instruction ID: 91a9db5e3417a1c9bbb7590998b088fb651ab17d59a3fc065dc623b8bf8daa6f
                                            • Opcode Fuzzy Hash: 57593ba025a066109578bca492029b389cfdd264d80902e0e3a82d48a806e356
                                            • Instruction Fuzzy Hash: 35F0823550522DBBDB619FA4CC48FEA77ADBF09361F008165F919D7181DB309940CBA1
                                            APIs
                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A98309), ref: 00A981E0
                                            • CloseHandle.KERNEL32(?,?,00A98309), ref: 00A981F2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: AdjustCloseHandlePrivilegesToken
                                            • String ID:
                                            • API String ID: 81990902-0
                                            • Opcode ID: eb93a3fa4c6f11aa0e9d8d7ffefb6a4126dd67ba250c9af283e77ad108df0550
                                            • Instruction ID: a5776a8e929eb7c31dde751453aa627b8e7d932476ee199ba19b7c215f4094e7
                                            • Opcode Fuzzy Hash: eb93a3fa4c6f11aa0e9d8d7ffefb6a4126dd67ba250c9af283e77ad108df0550
                                            • Instruction Fuzzy Hash: 74E0EC72111620AFEB256B64EC09D777BFAEF043107258D2DF8A684471DB62AC91DB10
                                            APIs
                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00A68D57,?,?,?,00000001), ref: 00A6A15A
                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A6A163
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            • Opcode ID: 3f87e6c769d82440616ce3015f45a999bd889dead0fe6d2e99b464c1429cd384
                                            • Instruction ID: b575883745350ac7a1c8c00f9d28a733e591dabd330bf124529558c62156e2e6
                                            • Opcode Fuzzy Hash: 3f87e6c769d82440616ce3015f45a999bd889dead0fe6d2e99b464c1429cd384
                                            • Instruction Fuzzy Hash: D2B09231054248BFCA006BD1EC09F883F6AEB84AA2F414020FA1D88260CB6256528A91
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bec9dfbe8da665c7312242fff476238aa3f414bb6075e0f8361559ed3da3c3fd
                                            • Instruction ID: f4fe2e87d6d39be6f2406eb2cbdae8756cbbbdf6338ae2545257aaeea75b681f
                                            • Opcode Fuzzy Hash: bec9dfbe8da665c7312242fff476238aa3f414bb6075e0f8361559ed3da3c3fd
                                            • Instruction Fuzzy Hash: C9320422D2AF414DD7279634D83233AA369AFB73C5F55D737E81AB59A9EF28C4834100
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 536f720e4002f8c39616cab707ecdcab2b582a598dc3a5e30ad7364b72e14e34
                                            • Instruction ID: d1adffad05fb85b08d955d14ab322a0dda3086e9df645a369948856354fc3465
                                            • Opcode Fuzzy Hash: 536f720e4002f8c39616cab707ecdcab2b582a598dc3a5e30ad7364b72e14e34
                                            • Instruction Fuzzy Hash: A7B1DD21E2AF414DD62396798831336BB5CAFBB2C5B52D71BFC2B74D22EB2185834241
                                            APIs
                                            • __time64.LIBCMT ref: 00AA889B
                                              • Part of subcall function 00A6520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00AA8F6E,00000000,?,?,?,?,00AA911F,00000000,?), ref: 00A65213
                                              • Part of subcall function 00A6520A: __aulldiv.LIBCMT ref: 00A65233
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Time$FileSystem__aulldiv__time64
                                            • String ID:
                                            • API String ID: 2893107130-0
                                            • Opcode ID: fbd65697c07e3b3e30df85afeb270b4573454c3bb9d783c094bd5a783035fa55
                                            • Instruction ID: db0ca45a2497347371299dc326c589a3de64d4c723caa9db5a86c3cbf3273336
                                            • Opcode Fuzzy Hash: fbd65697c07e3b3e30df85afeb270b4573454c3bb9d783c094bd5a783035fa55
                                            • Instruction Fuzzy Hash: 2421AF326256108BC729CF39D851A52B7E1EBA9311B688E6CD0F5CB2D0CF38A905CB54
                                            APIs
                                            • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00AA4C4A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: mouse_event
                                            • String ID:
                                            • API String ID: 2434400541-0
                                            APIs
                                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00A98389), ref: 00A987D1
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: LogonUser
                                            • String ID:
                                            • API String ID: 1244722697-0
                                            APIs
                                            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00A6A12A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            APIs
                                            • DeleteObject.GDI32(00000000), ref: 00AB785B
                                            • DeleteObject.GDI32(00000000), ref: 00AB786D
                                            • DestroyWindow.USER32 ref: 00AB787B
                                            • GetDesktopWindow.USER32 ref: 00AB7895
                                            • GetWindowRect.USER32(00000000), ref: 00AB789C
                                            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00AB79DD
                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00AB79ED
                                            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB7A35
                                            • GetClientRect.USER32(00000000,?), ref: 00AB7A41
                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00AB7A7B
                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB7A9D
                                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB7AB0
                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB7ABB
                                            • GlobalLock.KERNEL32(00000000), ref: 00AB7AC4
                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB7AD3
                                            • GlobalUnlock.KERNEL32(00000000), ref: 00AB7ADC
                                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB7AE3
                                            • GlobalFree.KERNEL32(00000000), ref: 00AB7AEE
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB7B00
                                            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00AD2CAC,00000000), ref: 00AB7B16
                                            • GlobalFree.KERNEL32(00000000), ref: 00AB7B26
                                            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00AB7B4C
                                            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00AB7B6B
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB7B8D
                                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB7D7A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                            • String ID: $AutoIt v3$DISPLAY$static
                                            • API String ID: 2211948467-2373415609
                                            APIs
                                            • CharUpperBuffW.USER32(?,?,00ACF910), ref: 00AC3627
                                            • IsWindowVisible.USER32(?), ref: 00AC364B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: BuffCharUpperVisibleWindow
                                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                            • API String ID: 4105515805-45149045
                                            APIs
                                            • SetTextColor.GDI32(?,00000000), ref: 00ACA630
                                            • GetSysColorBrush.USER32(0000000F), ref: 00ACA661
                                            • GetSysColor.USER32(0000000F), ref: 00ACA66D
                                            • SetBkColor.GDI32(?,000000FF), ref: 00ACA687
                                            • SelectObject.GDI32(?,00000000), ref: 00ACA696
                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00ACA6C1
                                            • GetSysColor.USER32(00000010), ref: 00ACA6C9
                                            • CreateSolidBrush.GDI32(00000000), ref: 00ACA6D0
                                            • FrameRect.USER32(?,?,00000000), ref: 00ACA6DF
                                            • DeleteObject.GDI32(00000000), ref: 00ACA6E6
                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 00ACA731
                                            • FillRect.USER32(?,?,00000000), ref: 00ACA763
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00ACA78E
                                              • Part of subcall function 00ACA8CA: GetSysColor.USER32(00000012), ref: 00ACA903
                                              • Part of subcall function 00ACA8CA: SetTextColor.GDI32(?,?), ref: 00ACA907
                                              • Part of subcall function 00ACA8CA: GetSysColorBrush.USER32(0000000F), ref: 00ACA91D
                                              • Part of subcall function 00ACA8CA: GetSysColor.USER32(0000000F), ref: 00ACA928
                                              • Part of subcall function 00ACA8CA: GetSysColor.USER32(00000011), ref: 00ACA945
                                              • Part of subcall function 00ACA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00ACA953
                                              • Part of subcall function 00ACA8CA: SelectObject.GDI32(?,00000000), ref: 00ACA964
                                              • Part of subcall function 00ACA8CA: SetBkColor.GDI32(?,00000000), ref: 00ACA96D
                                              • Part of subcall function 00ACA8CA: SelectObject.GDI32(?,?), ref: 00ACA97A
                                              • Part of subcall function 00ACA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00ACA999
                                              • Part of subcall function 00ACA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00ACA9B0
                                              • Part of subcall function 00ACA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00ACA9C5
                                              • Part of subcall function 00ACA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00ACA9ED
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                            • String ID:
                                            • API String ID: 3521893082-0
                                            APIs
                                            • DestroyWindow.USER32(?,?,?), ref: 00A42CA2
                                            • DeleteObject.GDI32(00000000), ref: 00A42CE8
                                            • DeleteObject.GDI32(00000000), ref: 00A42CF3
                                            • DestroyIcon.USER32(00000000,?,?,?), ref: 00A42CFE
                                            • DestroyWindow.USER32(00000000,?,?,?), ref: 00A42D09
                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00A7C43B
                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A7C474
                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A7C89D
                                              • Part of subcall function 00A41B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A42036,?,00000000,?,?,?,?,00A416CB,00000000,?), ref: 00A41B9A
                                            • SendMessageW.USER32(?,00001053), ref: 00A7C8DA
                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A7C8F1
                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A7C907
                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A7C912
                                            Strings
                                            Similarity
                                            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                            • String ID: 0
                                            • API String ID: 464785882-4108050209
                                            APIs
                                            • DestroyWindow.USER32(00000000), ref: 00AB74DE
                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00AB759D
                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00AB75DB
                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00AB75ED
                                            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00AB7633
                                            • GetClientRect.USER32(00000000,?), ref: 00AB763F
                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00AB7683
                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AB7692
                                            • GetStockObject.GDI32(00000011), ref: 00AB76A2
                                            • SelectObject.GDI32(00000000,00000000), ref: 00AB76A6
                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00AB76B6
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AB76BF
                                            • DeleteDC.GDI32(00000000), ref: 00AB76C8
                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00AB76F4
                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00AB770B
                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00AB7746
                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00AB775A
                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00AB776B
                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00AB779B
                                            • GetStockObject.GDI32(00000011), ref: 00AB77A6
                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00AB77B1
                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00AB77BB
                                            Strings
                                            Similarity
                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                            • API String ID: 2910397461-517079104
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 00AAAD1E
                                            • GetDriveTypeW.KERNEL32(?,00ACFAC0,?,\\.\,00ACF910), ref: 00AAADFB
                                            • SetErrorMode.KERNEL32(00000000,00ACFAC0,?,\\.\,00ACF910), ref: 00AAAF59
                                            Strings
                                            Similarity
                                            • API ID: ErrorMode$DriveType
                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                            • API String ID: 2907320926-4222207086
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: __wcsnicmp
                                            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                            • API String ID: 1038674560-86951937
                                            APIs
                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00AC9AD2
                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00AC9B8B
                                            • SendMessageW.USER32(?,00001102,00000002,?), ref: 00AC9BA7
                                            Strings
                                            Similarity
                                            • API ID: MessageSend$Window
                                            • String ID: 0
                                            • API String ID: 2326795674-4108050209
                                            APIs
                                            • GetSysColor.USER32(00000012), ref: 00ACA903
                                            • SetTextColor.GDI32(?,?), ref: 00ACA907
                                            • GetSysColorBrush.USER32(0000000F), ref: 00ACA91D
                                            • GetSysColor.USER32(0000000F), ref: 00ACA928
                                            • CreateSolidBrush.GDI32(?), ref: 00ACA92D
                                            • GetSysColor.USER32(00000011), ref: 00ACA945
                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00ACA953
                                            • SelectObject.GDI32(?,00000000), ref: 00ACA964
                                            • SetBkColor.GDI32(?,00000000), ref: 00ACA96D
                                            • SelectObject.GDI32(?,?), ref: 00ACA97A
                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00ACA999
                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00ACA9B0
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00ACA9C5
                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00ACA9ED
                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00ACAA14
                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 00ACAA32
                                            • DrawFocusRect.USER32(?,?), ref: 00ACAA3D
                                            • GetSysColor.USER32(00000011), ref: 00ACAA4B
                                            • SetTextColor.GDI32(?,00000000), ref: 00ACAA53
                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00ACAA67
                                            • SelectObject.GDI32(?,00ACA5FA), ref: 00ACAA7E
                                            • DeleteObject.GDI32(?), ref: 00ACAA89
                                            • SelectObject.GDI32(?,?), ref: 00ACAA8F
                                            • DeleteObject.GDI32(?), ref: 00ACAA94
                                            • SetTextColor.GDI32(?,?), ref: 00ACAA9A
                                            • SetBkColor.GDI32(?,?), ref: 00ACAAA4
                                            Similarity
                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                            • String ID:
                                            • API String ID: 1996641542-0
                                            APIs
                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00AC8AC1
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AC8AD2
                                            • CharNextW.USER32(0000014E), ref: 00AC8B01
                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00AC8B42
                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00AC8B58
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AC8B69
                                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00AC8B86
                                            • SetWindowTextW.USER32(?,0000014E), ref: 00AC8BD8
                                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00AC8BEE
                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00AC8C1F
                                            • _memset.LIBCMT ref: 00AC8C44
                                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00AC8C8D
                                            • _memset.LIBCMT ref: 00AC8CEC
                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00AC8D16
                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00AC8D6E
                                            • SendMessageW.USER32(?,0000133D,?,?), ref: 00AC8E1B
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00AC8E3D
                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AC8E87
                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AC8EB4
                                            • DrawMenuBar.USER32(?), ref: 00AC8EC3
                                            • SetWindowTextW.USER32(?,0000014E), ref: 00AC8EEB
                                            Strings
                                            Similarity
                                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                            • String ID: 0
                                            • API String ID: 1073566785-4108050209
                                            APIs
                                            • GetCursorPos.USER32(?), ref: 00AC49CA
                                            • GetDesktopWindow.USER32 ref: 00AC49DF
                                            • GetWindowRect.USER32(00000000), ref: 00AC49E6
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00AC4A48
                                            • DestroyWindow.USER32(?), ref: 00AC4A74
                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00AC4A9D
                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AC4ABB
                                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00AC4AE1
                                            • SendMessageW.USER32(?,00000421,?,?), ref: 00AC4AF6
                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00AC4B09
                                            • IsWindowVisible.USER32(?), ref: 00AC4B29
                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00AC4B44
                                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00AC4B58
                                            • GetWindowRect.USER32(?,?), ref: 00AC4B70
                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 00AC4B96
                                            • GetMonitorInfoW.USER32(00000000,?), ref: 00AC4BB0
                                            • CopyRect.USER32(?,?), ref: 00AC4BC7
                                            • SendMessageW.USER32(?,00000412,00000000), ref: 00AC4C32
                                            Strings
                                            Similarity
                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                            • String ID: ($0$tooltips_class32
                                            • API String ID: 698492251-4156429822
                                            APIs
                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00AA44AC
                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00AA44D2
                                            • _wcscpy.LIBCMT ref: 00AA4500
                                            • _wcscmp.LIBCMT ref: 00AA450B
                                            • _wcscat.LIBCMT ref: 00AA4521
                                            • _wcsstr.LIBCMT ref: 00AA452C
                                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00AA4548
                                            • _wcscat.LIBCMT ref: 00AA4591
                                            • _wcscat.LIBCMT ref: 00AA4598
                                            • _wcsncpy.LIBCMT ref: 00AA45C3
                                            Strings
                                            Similarity
                                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                            • API String ID: 699586101-1459072770
                                            APIs
                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A428BC
                                            • GetSystemMetrics.USER32(00000007), ref: 00A428C4
                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A428EF
                                            • GetSystemMetrics.USER32(00000008), ref: 00A428F7
                                            • GetSystemMetrics.USER32(00000004), ref: 00A4291C
                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A42939
                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A42949
                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A4297C
                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A42990
                                            • GetClientRect.USER32(00000000,000000FF), ref: 00A429AE
                                            • GetStockObject.GDI32(00000011), ref: 00A429CA
                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00A429D5
                                              • Part of subcall function 00A42344: GetCursorPos.USER32(?), ref: 00A42357
                                              • Part of subcall function 00A42344: ScreenToClient.USER32(00B057B0,?), ref: 00A42374
                                              • Part of subcall function 00A42344: GetAsyncKeyState.USER32(00000001), ref: 00A42399
                                              • Part of subcall function 00A42344: GetAsyncKeyState.USER32(00000002), ref: 00A423A7
                                            • SetTimer.USER32(00000000,00000000,00000028,00A41256), ref: 00A429FC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                            • String ID: AutoIt v3 GUI
                                            • API String ID: 1458621304-248962490
                                            • Opcode ID: 56b705ebedeb08334835f09b74c3f6d34a2011d1606418db268cfe3518414c09
                                            • Instruction ID: 3bac733fa8757d0aa754ad5a552bb2a96ababae2e2944a872d9783908b2ed9f7
                                            • Opcode Fuzzy Hash: 56b705ebedeb08334835f09b74c3f6d34a2011d1606418db268cfe3518414c09
                                            • Instruction Fuzzy Hash: F5B14E7560020AEFDB24DFA8DD45BAE7BB5FB48310F518229FA15E72A0DB749841CF50
                                            APIs
                                            • CharUpperBuffW.USER32(?,?), ref: 00AC3E6F
                                            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00AC3F2F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: BuffCharMessageSendUpper
                                            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                            • API String ID: 3974292440-719923060
                                            • Opcode ID: dc3bbad163fe4f11225eef1145cf27fd7d8a8a9d907b1717d77d7f0899a55716
                                            • Instruction ID: 0ad0894324e4dfcc637a91b68d343e5bdde84c2d461dfd2d40f56781d734239f
                                            • Opcode Fuzzy Hash: dc3bbad163fe4f11225eef1145cf27fd7d8a8a9d907b1717d77d7f0899a55716
                                            • Instruction Fuzzy Hash: 3FA18D352043019BCB14EF64CA62F6BB3E5EF94354F16896CB8A65B292CB31ED05CB41
                                            APIs
                                            • GetClassNameW.USER32(?,?,00000100), ref: 00A9A47A
                                            • __swprintf.LIBCMT ref: 00A9A51B
                                            • _wcscmp.LIBCMT ref: 00A9A52E
                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A9A583
                                            • _wcscmp.LIBCMT ref: 00A9A5BF
                                            • GetClassNameW.USER32(?,?,00000400), ref: 00A9A5F6
                                            • GetDlgCtrlID.USER32(?), ref: 00A9A648
                                            • GetWindowRect.USER32(?,?), ref: 00A9A67E
                                            • GetParent.USER32(?), ref: 00A9A69C
                                            • ScreenToClient.USER32(00000000), ref: 00A9A6A3
                                            • GetClassNameW.USER32(?,?,00000100), ref: 00A9A71D
                                            • _wcscmp.LIBCMT ref: 00A9A731
                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00A9A757
                                            • _wcscmp.LIBCMT ref: 00A9A76B
                                              • Part of subcall function 00A6362C: _iswctype.LIBCMT ref: 00A63634
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                            • String ID: %s%u
                                            • API String ID: 3744389584-679674701
                                            • Opcode ID: a3db06586034386d335fa0ac87e34613747edfca72091dd997b2e4e4047d27c4
                                            • Instruction ID: 55ca78647af3684aa866401c93e6b6321e06157a7754826089db70a1c050fdb7
                                            • Opcode Fuzzy Hash: a3db06586034386d335fa0ac87e34613747edfca72091dd997b2e4e4047d27c4
                                            • Instruction Fuzzy Hash: 1BA1AE71304606AFDB14DFA4C885FAAB7E8FF54314F10852AF999D2190DB30E956CBD2
                                            APIs
                                            • GetClassNameW.USER32(00000008,?,00000400), ref: 00A9AF18
                                            • _wcscmp.LIBCMT ref: 00A9AF29
                                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 00A9AF51
                                            • CharUpperBuffW.USER32(?,00000000), ref: 00A9AF6E
                                            • _wcscmp.LIBCMT ref: 00A9AF8C
                                            • _wcsstr.LIBCMT ref: 00A9AF9D
                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00A9AFD5
                                            • _wcscmp.LIBCMT ref: 00A9AFE5
                                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 00A9B00C
                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00A9B055
                                            • _wcscmp.LIBCMT ref: 00A9B065
                                            • GetClassNameW.USER32(00000010,?,00000400), ref: 00A9B08D
                                            • GetWindowRect.USER32(00000004,?), ref: 00A9B0F6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                            • String ID: @$ThumbnailClass
                                            • API String ID: 1788623398-1539354611
                                            • Opcode ID: d1b4d88889cc27e4b9a479f3f47ea5fe5a81c8c2f1cd4f2f8dafd57174a0d2aa
                                            • Instruction ID: 80f205751b22a0d8af2214159c1ca63602b93377cf90e4b27f330eed520a49d9
                                            • Opcode Fuzzy Hash: d1b4d88889cc27e4b9a479f3f47ea5fe5a81c8c2f1cd4f2f8dafd57174a0d2aa
                                            • Instruction Fuzzy Hash: 5081D1712082059FDF04DF10DA85FAA7BE8FF94714F14856AFD858A092DB30DD4ACBA1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: __wcsnicmp
                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                            • API String ID: 1038674560-1810252412
                                            • Opcode ID: 7d8a9c2bd3f1551f110b8806577863fe6e21ac532fe7e7264a17cb290090c376
                                            • Instruction ID: ab1a70ab9ebf52ed70e3e83641c5c95080893650eb1b79403fe6b6945441ca5e
                                            • Opcode Fuzzy Hash: 7d8a9c2bd3f1551f110b8806577863fe6e21ac532fe7e7264a17cb290090c376
                                            • Instruction Fuzzy Hash: F6312F35A48209AADF14FBE0DF43EBE77B4AB20B50F60092AF542750D2EB516F148692
                                            APIs
                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 00AB5013
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00AB501E
                                            • LoadCursorW.USER32(00000000,00007F03), ref: 00AB5029
                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 00AB5034
                                            • LoadCursorW.USER32(00000000,00007F01), ref: 00AB503F
                                            • LoadCursorW.USER32(00000000,00007F81), ref: 00AB504A
                                            • LoadCursorW.USER32(00000000,00007F88), ref: 00AB5055
                                            • LoadCursorW.USER32(00000000,00007F80), ref: 00AB5060
                                            • LoadCursorW.USER32(00000000,00007F86), ref: 00AB506B
                                            • LoadCursorW.USER32(00000000,00007F83), ref: 00AB5076
                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00AB5081
                                            • LoadCursorW.USER32(00000000,00007F82), ref: 00AB508C
                                            • LoadCursorW.USER32(00000000,00007F84), ref: 00AB5097
                                            • LoadCursorW.USER32(00000000,00007F04), ref: 00AB50A2
                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00AB50AD
                                            • LoadCursorW.USER32(00000000,00007F89), ref: 00AB50B8
                                            • GetCursorInfo.USER32(?), ref: 00AB50C8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Cursor$Load$Info
                                            • String ID:
                                            • API String ID: 2577412497-0
                                            • Opcode ID: cbb309cda47a3de3030b685fa136945170a4e1c566b33a4ca712b8e943facadc
                                            • Instruction ID: 32fa68a1f1d1475e50be10d5fd02353ede0f5d3b69696607d9a4a9c7ae691cb1
                                            • Opcode Fuzzy Hash: cbb309cda47a3de3030b685fa136945170a4e1c566b33a4ca712b8e943facadc
                                            • Instruction Fuzzy Hash: C131F4B1D48319AADF109FB69C8999FBFECFF04750F50452AA50DE7281DA7865008F91
                                            APIs
                                            • _memset.LIBCMT ref: 00ACA259
                                            • DestroyWindow.USER32(?,?), ref: 00ACA2D3
                                              • Part of subcall function 00A47BCC: _memmove.LIBCMT ref: 00A47C06
                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00ACA34D
                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00ACA36F
                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ACA382
                                            • DestroyWindow.USER32(00000000), ref: 00ACA3A4
                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A40000,00000000), ref: 00ACA3DB
                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ACA3F4
                                            • GetDesktopWindow.USER32 ref: 00ACA40D
                                            • GetWindowRect.USER32(00000000), ref: 00ACA414
                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00ACA42C
                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00ACA444
                                              • Part of subcall function 00A425DB: GetWindowLongW.USER32(?,000000EB), ref: 00A425EC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                            • String ID: 0$tooltips_class32
                                            • API String ID: 1297703922-3619404913
                                            • Opcode ID: 568d3798c0ae4c10636af01bfcf8067482f6968747f33ddf6b90649b31754104
                                            • Instruction ID: 8ace181c0676c21ac836b88e5682a99fc966e733d4082baab7c7affc3f7a54e9
                                            • Opcode Fuzzy Hash: 568d3798c0ae4c10636af01bfcf8067482f6968747f33ddf6b90649b31754104
                                            • Instruction Fuzzy Hash: 0D718C75140249AFDB25CF28CC49F7A7BE6FB98304F05452DF9868B2A0DB74E906CB52
                                            APIs
                                              • Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623
                                            • DragQueryPoint.SHELL32(?,?), ref: 00ACC627
                                              • Part of subcall function 00ACAB37: ClientToScreen.USER32(?,?), ref: 00ACAB60
                                              • Part of subcall function 00ACAB37: GetWindowRect.USER32(?,?), ref: 00ACABD6
                                              • Part of subcall function 00ACAB37: PtInRect.USER32(?,?,00ACC014), ref: 00ACABE6
                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00ACC690
                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00ACC69B
                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00ACC6BE
                                            • _wcscat.LIBCMT ref: 00ACC6EE
                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00ACC705
                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00ACC71E
                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00ACC735
                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00ACC757
                                            • DragFinish.SHELL32(?), ref: 00ACC75E
                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00ACC851
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                            • API String ID: 169749273-3440237614
                                            • Opcode ID: 81d7312546f9913f7424c51673f553b1fe98595458710dd26bd5d3041036bee5
                                            • Instruction ID: 8a6ac3b38ef125498578ae7022804f0792eb5e9630f8954e8b1362373733322d
                                            • Opcode Fuzzy Hash: 81d7312546f9913f7424c51673f553b1fe98595458710dd26bd5d3041036bee5
                                            • Instruction Fuzzy Hash: 9D615A71508304AFC701EFA4DD85EAFBBE9FF88710F00092EF695921A1DB709A49CB52
                                            APIs
                                            • CharUpperBuffW.USER32(?,?), ref: 00AC4424
                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AC446F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: BuffCharMessageSendUpper
                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                            • API String ID: 3974292440-4258414348
                                            • Opcode ID: ac6e558c320ad36a1ab46a285e6901b4c8e0d5f522ea1e7ab8f4ffcb1315db5b
                                            • Instruction ID: e3699520e242c0fdb223d2a2c968a6e47896a040f9a9bb8fb83b5263e9227aa5
                                            • Opcode Fuzzy Hash: ac6e558c320ad36a1ab46a285e6901b4c8e0d5f522ea1e7ab8f4ffcb1315db5b
                                            • Instruction Fuzzy Hash: D4915A342043019FCB14EF24C661E6BB7E5AF99390F15486CF8965B3A2CB31ED5ACB85
                                            APIs
                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00ACB8B4
                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00AC91C2), ref: 00ACB910
                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00ACB949
                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00ACB98C
                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00ACB9C3
                                            • FreeLibrary.KERNEL32(?), ref: 00ACB9CF
                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ACB9DF
                                            • DestroyIcon.USER32(?,?,?,?,?,00AC91C2), ref: 00ACB9EE
                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00ACBA0B
                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00ACBA17
                                              • Part of subcall function 00A62EFD: __wcsicmp_l.LIBCMT ref: 00A62F86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                            • String ID: .dll$.exe$.icl
                                            • API String ID: 1212759294-1154884017
                                            • Opcode ID: ffdb57af6d78b4f31370e1363a478cff0fbaffcba6c0d00832d1679b0451a058
                                            • Instruction ID: 6493598cd44ef542861cbbd99a67dacff378b11c11d7a9df39b4ad437449a620
                                            • Opcode Fuzzy Hash: ffdb57af6d78b4f31370e1363a478cff0fbaffcba6c0d00832d1679b0451a058
                                            • Instruction Fuzzy Hash: 3561ED71910219BEEB14DFA4CD42FBE7BACFB08B10F104519FA15D61C0DB769991DBA0
                                            APIs
                                            • GetLocalTime.KERNEL32(?), ref: 00AADCDC
                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00AADCEC
                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AADCF8
                                            • __wsplitpath.LIBCMT ref: 00AADD56
                                            • _wcscat.LIBCMT ref: 00AADD6E
                                            • _wcscat.LIBCMT ref: 00AADD80
                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AADD95
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00AADDA9
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00AADDDB
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00AADDFC
                                            • _wcscpy.LIBCMT ref: 00AADE08
                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AADE47
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                            • String ID: *.*
                                            • API String ID: 3566783562-438819550
                                            • Opcode ID: 9124673cf3906ff3921b47642bc465089ad2f67bf9042b1d36d4e8d638076d61
                                            • Instruction ID: 28328e75a407f7b4fdf35da56d2ddd273e6d3cc25cce31d32eeb3dea688da41e
                                            • Opcode Fuzzy Hash: 9124673cf3906ff3921b47642bc465089ad2f67bf9042b1d36d4e8d638076d61
                                            • Instruction Fuzzy Hash: 46615C765042059FCB10EF64C944AAFB3E8FF8A314F04491EF98A97291EB31E955CB92
                                            APIs
                                            • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00AA9C7F
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00AA9CA0
                                            • __swprintf.LIBCMT ref: 00AA9CF9
                                            • __swprintf.LIBCMT ref: 00AA9D12
                                            • _wprintf.LIBCMT ref: 00AA9DB9
                                            • _wprintf.LIBCMT ref: 00AA9DD7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: LoadString__swprintf_wprintf$_memmove
                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                            • API String ID: 311963372-3080491070
                                            • Opcode ID: 944dcfd432482f168a5ae2287c265a0daf37ab0c2f6f2e0dd964e3140ce93f3b
                                            • Instruction ID: fb3c1fe001e20ceb31431c3e3166a5d40e88ac2960de2afb0388ac25ae99727d
                                            • Opcode Fuzzy Hash: 944dcfd432482f168a5ae2287c265a0daf37ab0c2f6f2e0dd964e3140ce93f3b
                                            • Instruction Fuzzy Hash: 1F516D32900609BACF15EBE0CE86EEEB778AF54300F500565F506731A2EB352E59DB60
                                            APIs
                                              • Part of subcall function 00A49837: __itow.LIBCMT ref: 00A49862
                                              • Part of subcall function 00A49837: __swprintf.LIBCMT ref: 00A498AC
                                            • CharLowerBuffW.USER32(?,?), ref: 00AAA3CB
                                            • GetDriveTypeW.KERNEL32 ref: 00AAA418
                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AAA460
                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AAA497
                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AAA4C5
                                              • Part of subcall function 00A47BCC: _memmove.LIBCMT ref: 00A47C06
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                            • API String ID: 2698844021-4113822522
                                            • Opcode ID: 6d8f36b0491b2567e4aa2783cd6695c4ebc17d2b36b92108f2fb5a57f7380910
                                            • Instruction ID: 72565cf4014d6951b8d2a973e3e8414d6a578e7c86d04ee020d1cc87b121783a
                                            • Opcode Fuzzy Hash: 6d8f36b0491b2567e4aa2783cd6695c4ebc17d2b36b92108f2fb5a57f7380910
                                            • Instruction Fuzzy Hash: 4D515A751043059FC700EF24C98186FB7E4FF99758F00886DF88A972A2DB71AD0ACB52
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00A7E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00A9F8DF
                                            • LoadStringW.USER32(00000000,?,00A7E029,00000001), ref: 00A9F8E8
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                            • GetModuleHandleW.KERNEL32(00000000,00B05310,?,00000FFF,?,?,00A7E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00A9F90A
                                            • LoadStringW.USER32(00000000,?,00A7E029,00000001), ref: 00A9F90D
                                            • __swprintf.LIBCMT ref: 00A9F95D
                                            • __swprintf.LIBCMT ref: 00A9F96E
                                            • _wprintf.LIBCMT ref: 00A9FA17
                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A9FA2E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                            • API String ID: 984253442-2268648507
                                            • Opcode ID: 4cd6fba522769dfcdd4b14eccfd6f5258abfb610dedceda30c9e8b2df5da5339
                                            • Instruction ID: 334e25fd5f7f5c21a3ec4b345e8e9403d8a69b10d6e48203ab066f2b57d7ecab
                                            • Opcode Fuzzy Hash: 4cd6fba522769dfcdd4b14eccfd6f5258abfb610dedceda30c9e8b2df5da5339
                                            • Instruction Fuzzy Hash: 5D413E7690414DAACF04FBE0DE86EEEB778AF58300F500465F506B60A2EB756F49CB61
                                            APIs
                                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00AC9207,?,?), ref: 00ACBA56
                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00AC9207,?,?,00000000,?), ref: 00ACBA6D
                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00AC9207,?,?,00000000,?), ref: 00ACBA78
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00AC9207,?,?,00000000,?), ref: 00ACBA85
                                            • GlobalLock.KERNEL32(00000000), ref: 00ACBA8E
                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00AC9207,?,?,00000000,?), ref: 00ACBA9D
                                            • GlobalUnlock.KERNEL32(00000000), ref: 00ACBAA6
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00AC9207,?,?,00000000,?), ref: 00ACBAAD
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00AC9207,?,?,00000000,?), ref: 00ACBABE
                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00AD2CAC,?), ref: 00ACBAD7
                                            • GlobalFree.KERNEL32(00000000), ref: 00ACBAE7
                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 00ACBB0B
                                            • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00ACBB36
                                            • DeleteObject.GDI32(00000000), ref: 00ACBB5E
                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00ACBB74
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                            • String ID:
                                            • API String ID: 3840717409-0
                                            • Opcode ID: 45a287a4e42cdafccd3ecda155c134e8bc53101c5e470702f8f7cab8064c0667
                                            • Instruction ID: 9e9b961f7844f01b187d110dffa85f8442309ede898d237cde2529fc947e903d
                                            • Opcode Fuzzy Hash: 45a287a4e42cdafccd3ecda155c134e8bc53101c5e470702f8f7cab8064c0667
                                            • Instruction Fuzzy Hash: B6412675600208EFDB11DFA5DC89EABBBB9FB89711F124069F915DB260D7319E02CB60
                                            APIs
                                            • __wsplitpath.LIBCMT ref: 00AADA10
                                            • _wcscat.LIBCMT ref: 00AADA28
                                            • _wcscat.LIBCMT ref: 00AADA3A
                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AADA4F
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00AADA63
                                            • GetFileAttributesW.KERNEL32(?), ref: 00AADA7B
                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00AADA95
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00AADAA7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                            • String ID: *.*
                                            • API String ID: 34673085-438819550
                                            • Opcode ID: de90230747b6655ba65afe720dfb4b286cd53f537cadddd72fcda8cd6ac45803
                                            • Instruction ID: 07b50105eb4ee324a03670209d2def0b3a5b98a19526176125ccd8db5c4add44
                                            • Opcode Fuzzy Hash: de90230747b6655ba65afe720dfb4b286cd53f537cadddd72fcda8cd6ac45803
                                            • Instruction Fuzzy Hash: FB8191715043419FCB24DF64C944AAFB7E8AF8A710F14882EF8CADBA91E730D945CB52
                                            APIs
                                              • Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623
                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00ACC1FC
                                            • GetFocus.USER32 ref: 00ACC20C
                                            • GetDlgCtrlID.USER32(00000000), ref: 00ACC217
                                            • _memset.LIBCMT ref: 00ACC342
                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00ACC36D
                                            • GetMenuItemCount.USER32(?), ref: 00ACC38D
                                            • GetMenuItemID.USER32(?,00000000), ref: 00ACC3A0
                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00ACC3D4
                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00ACC41C
                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00ACC454
                                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00ACC489
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                            • String ID: 0
                                            • API String ID: 1296962147-4108050209
                                            • Opcode ID: 94ce02dd67ffdd9f06a431a8802db1edf1a4bb619d147ec65fc0ccc6bf8ca54b
                                            • Instruction ID: 262ab81458b855046c044aad6feccbea64e04b961d6a7e052c75289eb0b1105a
                                            • Opcode Fuzzy Hash: 94ce02dd67ffdd9f06a431a8802db1edf1a4bb619d147ec65fc0ccc6bf8ca54b
                                            • Instruction Fuzzy Hash: 7781AD712083419FDB14DF14D998FABBBE9FB88324F01892DF99997291C730D905CB62
                                            APIs
                                            • GetDC.USER32(00000000), ref: 00AB738F
                                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00AB739B
                                            • CreateCompatibleDC.GDI32(?), ref: 00AB73A7
                                            • SelectObject.GDI32(00000000,?), ref: 00AB73B4
                                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00AB7408
                                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00AB7444
                                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00AB7468
                                            • SelectObject.GDI32(00000006,?), ref: 00AB7470
                                            • DeleteObject.GDI32(?), ref: 00AB7479
                                            • DeleteDC.GDI32(00000006), ref: 00AB7480
                                            • ReleaseDC.USER32(00000000,?), ref: 00AB748B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                            • String ID: (
                                            • API String ID: 2598888154-3887548279
                                            • Opcode ID: cabf7d9cd19920a000a8bb0f22e682b8b3b2283b4abed61994e1d67e19a73905
                                            • Instruction ID: 51c16870a2189b063710baf159b059ee27e405bb94950de57ddec60537c6fea8
                                            • Opcode Fuzzy Hash: cabf7d9cd19920a000a8bb0f22e682b8b3b2283b4abed61994e1d67e19a73905
                                            • Instruction Fuzzy Hash: 55514871904309EFCB14CFA8DC84EAEBBB9EF88710F14852DF99A97211D771A941CB60
                                            APIs
                                              • Part of subcall function 00A60957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A46B0C,?,00008000), ref: 00A60973
                                              • Part of subcall function 00A44750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A44743,?,?,00A437AE,?), ref: 00A44770
                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A46BAD
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00A46CFA
                                              • Part of subcall function 00A4586D: _wcscpy.LIBCMT ref: 00A458A5
                                              • Part of subcall function 00A6363D: _iswctype.LIBCMT ref: 00A63645
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                            • API String ID: 537147316-1018226102
                                            • Opcode ID: 59585fdba9036721c4828812f8ff8ac4c29ca44af92e5f0ccf5aca1651d6c2b2
                                            • Instruction ID: 09da335a1d4eaa750ffa5d55f23c8267aad5d831c11cf77433766645c37ee10b
                                            • Opcode Fuzzy Hash: 59585fdba9036721c4828812f8ff8ac4c29ca44af92e5f0ccf5aca1651d6c2b2
                                            • Instruction Fuzzy Hash: FC027A755083409FCB24EF24C981AAFBBF5AFD9314F10891DF48A972A2DB30D949CB52
                                            APIs
                                            • _memset.LIBCMT ref: 00AA2D50
                                            • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00AA2DDD
                                            • GetMenuItemCount.USER32(00B05890), ref: 00AA2E66
                                            • DeleteMenu.USER32(00B05890,00000005,00000000,000000F5,?,?), ref: 00AA2EF6
                                            • DeleteMenu.USER32(00B05890,00000004,00000000), ref: 00AA2EFE
                                            • DeleteMenu.USER32(00B05890,00000006,00000000), ref: 00AA2F06
                                            • DeleteMenu.USER32(00B05890,00000003,00000000), ref: 00AA2F0E
                                            • GetMenuItemCount.USER32(00B05890), ref: 00AA2F16
                                            • SetMenuItemInfoW.USER32(00B05890,00000004,00000000,00000030), ref: 00AA2F4C
                                            • GetCursorPos.USER32(?), ref: 00AA2F56
                                            • SetForegroundWindow.USER32(00000000), ref: 00AA2F5F
                                            • TrackPopupMenuEx.USER32(00B05890,00000000,?,00000000,00000000,00000000), ref: 00AA2F72
                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AA2F7E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                            • String ID:
                                            • API String ID: 3993528054-0
                                            APIs
                                              • Part of subcall function 00A47BCC: _memmove.LIBCMT ref: 00A47C06
                                            • _memset.LIBCMT ref: 00A9786B
                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A978A0
                                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A978BC
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A978D8
                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A97902
                                            • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00A9792A
                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A97935
                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A9793A
                                            Similarity
                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                            • API String ID: 1411258926-22481851
                                            APIs
                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ABFDAD,?,?), ref: 00AC0E31
                                            Similarity
                                            • API ID: BuffCharUpper
                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                            • API String ID: 3964851224-909552448
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A7E2A0,00000010,?,Bad directive syntax error,00ACF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A9F7C2
                                            • LoadStringW.USER32(00000000,?,00A7E2A0,00000010), ref: 00A9F7C9
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                            • _wprintf.LIBCMT ref: 00A9F7FC
                                            • __swprintf.LIBCMT ref: 00A9F81E
                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A9F88D
                                            Similarity
                                            • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                            • API String ID: 1506413516-4153970271
                                            APIs
                                              • Part of subcall function 00A47BCC: _memmove.LIBCMT ref: 00A47C06
                                              • Part of subcall function 00A47924: _memmove.LIBCMT ref: 00A479AD
                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00AA5330
                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00AA5346
                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AA5357
                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AA5369
                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00AA537A
                                            Similarity
                                            • API ID: SendString$_memmove
                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                            • API String ID: 2279737902-1007645807
                                            APIs
                                            Similarity
                                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                            • String ID: 0.0.0.0
                                            • API String ID: 208665112-3771769585
                                            APIs
                                            • timeGetTime.WINMM ref: 00AA4F7A
                                              • Part of subcall function 00A6049F: timeGetTime.WINMM(?,75A4B400,00A50E7B), ref: 00A604A3
                                            • Sleep.KERNEL32(0000000A), ref: 00AA4FA6
                                            • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00AA4FCA
                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00AA4FEC
                                            • SetActiveWindow.USER32 ref: 00AA500B
                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00AA5019
                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00AA5038
                                            • Sleep.KERNEL32(000000FA), ref: 00AA5043
                                            • IsWindow.USER32 ref: 00AA504F
                                            • EndDialog.USER32(00000000), ref: 00AA5060
                                            Similarity
                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                            • String ID: BUTTON
                                            • API String ID: 1194449130-3405671355
                                            APIs
                                              • Part of subcall function 00A49837: __itow.LIBCMT ref: 00A49862
                                              • Part of subcall function 00A49837: __swprintf.LIBCMT ref: 00A498AC
                                            • CoInitialize.OLE32(00000000), ref: 00AAD5EA
                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00AAD67D
                                            • SHGetDesktopFolder.SHELL32(?), ref: 00AAD691
                                            • CoCreateInstance.OLE32(00AD2D7C,00000000,00000001,00AF8C1C,?), ref: 00AAD6DD
                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00AAD74C
                                            • CoTaskMemFree.OLE32(?,?), ref: 00AAD7A4
                                            • _memset.LIBCMT ref: 00AAD7E1
                                            • SHBrowseForFolderW.SHELL32(?), ref: 00AAD81D
                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00AAD840
                                            • CoTaskMemFree.OLE32(00000000), ref: 00AAD847
                                            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00AAD87E
                                            • CoUninitialize.OLE32(00000001,00000000), ref: 00AAD880
                                            Similarity
                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                            • String ID:
                                            • API String ID: 1246142700-0
                                            APIs
                                            • GetDlgItem.USER32(?,00000001), ref: 00A9C283
                                            • GetWindowRect.USER32(00000000,?), ref: 00A9C295
                                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00A9C2F3
                                            • GetDlgItem.USER32(?,00000002), ref: 00A9C2FE
                                            • GetWindowRect.USER32(00000000,?), ref: 00A9C310
                                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00A9C364
                                            • GetDlgItem.USER32(?,000003E9), ref: 00A9C372
                                            • GetWindowRect.USER32(00000000,?), ref: 00A9C383
                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00A9C3C6
                                            • GetDlgItem.USER32(?,000003EA), ref: 00A9C3D4
                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A9C3F1
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00A9C3FE
                                            Similarity
                                            • API ID: Window$ItemMoveRect$Invalidate
                                            • String ID:
                                            • API String ID: 3096461208-0
                                            APIs
                                              • Part of subcall function 00A41B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A42036,?,00000000,?,?,?,?,00A416CB,00000000,?), ref: 00A41B9A
                                            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A420D3
                                            • KillTimer.USER32(-00000001,?,?,?,?,00A416CB,00000000,?,?,00A41AE2,?,?), ref: 00A4216E
                                            • DestroyAcceleratorTable.USER32(00000000), ref: 00A7BCA6
                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A416CB,00000000,?,?,00A41AE2,?,?), ref: 00A7BCD7
                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A416CB,00000000,?,?,00A41AE2,?,?), ref: 00A7BCEE
                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A416CB,00000000,?,?,00A41AE2,?,?), ref: 00A7BD0A
                                            • DeleteObject.GDI32(00000000), ref: 00A7BD1C
                                            Similarity
                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                            • String ID:
                                            • API String ID: 641708696-0
                                            APIs
                                              • Part of subcall function 00A425DB: GetWindowLongW.USER32(?,000000EB), ref: 00A425EC
                                            • GetSysColor.USER32(0000000F), ref: 00A421D3
                                            Similarity
                                            • API ID: ColorLongWindow
                                            • String ID:
                                            • API String ID: 259745315-0
                                            APIs
                                            • CharLowerBuffW.USER32(?,?,00ACF910), ref: 00AAA90B
                                            • GetDriveTypeW.KERNEL32(00000061,00AF89A0,00000061), ref: 00AAA9D5
                                            • _wcscpy.LIBCMT ref: 00AAA9FF
                                            Similarity
                                            • API ID: BuffCharDriveLowerType_wcscpy
                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                            • API String ID: 2820617543-1000479233
                                            • Opcode ID: 84a6fd5f28800e4ccff2579753fe5528b1001734fad9c845afe807276ea02720
                                            • Instruction ID: 3740a0a37d445d52b051250e7b90623b2c0a6576bd8dcb742c9154547b8e43ad
                                            • Opcode Fuzzy Hash: 84a6fd5f28800e4ccff2579753fe5528b1001734fad9c845afe807276ea02720
                                            • Instruction Fuzzy Hash: 4151A935108301AFC700EF54CA92AAFB7E9EFA6380F50482DF596572E2DB71D909CA53
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: __i64tow__itow__swprintf
                                            • String ID: %.15g$0x%p$False$True
                                            • API String ID: 421087845-2263619337
                                            • Opcode ID: aaa5225cc510ebaf3ca5a9c47c5a144e645fcf7c89817ad6cb58dbf63e8bbdb5
                                            • Instruction ID: 7262cc6653e152eb38f1dbf44c20dead4dc113d434078dd3031403d4da7cfee4
                                            • Opcode Fuzzy Hash: aaa5225cc510ebaf3ca5a9c47c5a144e645fcf7c89817ad6cb58dbf63e8bbdb5
                                            • Instruction Fuzzy Hash: 9D41D675604205AFEB24DF78DD42E7B73F8FF85300F20886EE549D7292EA319A418B11
                                            APIs
                                            • _memset.LIBCMT ref: 00AC716A
                                            • CreateMenu.USER32 ref: 00AC7185
                                            • SetMenu.USER32(?,00000000), ref: 00AC7194
                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AC7221
                                            • IsMenu.USER32(?), ref: 00AC7237
                                            • CreatePopupMenu.USER32 ref: 00AC7241
                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AC726E
                                            • DrawMenuBar.USER32 ref: 00AC7276
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                            • String ID: 0$F
                                            • API String ID: 176399719-3044882817
                                            • Opcode ID: b69cba0b00617262ba24dfbd6dc1edf681573c2c06339be4d65ad3162d00ec1e
                                            • Instruction ID: 3ee6e60c15cd604f646d10f9fea9e3d29d667083d790b1446d04d05d8bfd7ada
                                            • Opcode Fuzzy Hash: b69cba0b00617262ba24dfbd6dc1edf681573c2c06339be4d65ad3162d00ec1e
                                            • Instruction Fuzzy Hash: 4F412575A01209EFDB20DFA4D988F9ABBF5FB48350F164029FA45A7361D731A910CF90
                                            APIs
                                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00AC755E
                                            • CreateCompatibleDC.GDI32(00000000), ref: 00AC7565
                                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00AC7578
                                            • SelectObject.GDI32(00000000,00000000), ref: 00AC7580
                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00AC758B
                                            • DeleteDC.GDI32(00000000), ref: 00AC7594
                                            • GetWindowLongW.USER32(?,000000EC), ref: 00AC759E
                                            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00AC75B2
                                            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00AC75BE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                            • String ID: static
                                            • API String ID: 2559357485-2160076837
                                            • Opcode ID: 521c5d8d3dafaa482aadcfc7b67bbb16c78a2291c40f1844c96a0e899b90fd28
                                            • Instruction ID: 105c5efba7f49b6aec19d0d2fb293889e90f153a10b6141e93eba75db7371154
                                            • Opcode Fuzzy Hash: 521c5d8d3dafaa482aadcfc7b67bbb16c78a2291c40f1844c96a0e899b90fd28
                                            • Instruction Fuzzy Hash: 4D314B72104219BFDF129FA4DC09FDB3B6AFF09760F124229FA55A61A0D731D812DBA4
                                            APIs
                                            • _memset.LIBCMT ref: 00A66E3E
                                              • Part of subcall function 00A68B28: __getptd_noexit.LIBCMT ref: 00A68B28
                                            • __gmtime64_s.LIBCMT ref: 00A66ED7
                                            • __gmtime64_s.LIBCMT ref: 00A66F0D
                                            • __gmtime64_s.LIBCMT ref: 00A66F2A
                                            • __allrem.LIBCMT ref: 00A66F80
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A66F9C
                                            • __allrem.LIBCMT ref: 00A66FB3
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A66FD1
                                            • __allrem.LIBCMT ref: 00A66FE8
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A67006
                                            • __invoke_watson.LIBCMT ref: 00A67077
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                            • String ID:
                                            • API String ID: 384356119-0
                                            • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                            • Instruction ID: 0c8d0c19b8a6118e06a1a54af46068f81fd3ec8d03ba18d0612db96272b1e31f
                                            • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                            • Instruction Fuzzy Hash: 72711676A00717EBDB14EF79DC42B6AB7B8AF04364F14822AF514E7281E771DE008790
                                            APIs
                                            • _memset.LIBCMT ref: 00AA2542
                                            • GetMenuItemInfoW.USER32(00B05890,000000FF,00000000,00000030), ref: 00AA25A3
                                            • SetMenuItemInfoW.USER32(00B05890,00000004,00000000,00000030), ref: 00AA25D9
                                            • Sleep.KERNEL32(000001F4), ref: 00AA25EB
                                            • GetMenuItemCount.USER32(?), ref: 00AA262F
                                            • GetMenuItemID.USER32(?,00000000), ref: 00AA264B
                                            • GetMenuItemID.USER32(?,-00000001), ref: 00AA2675
                                            • GetMenuItemID.USER32(?,?), ref: 00AA26BA
                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AA2700
                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AA2714
                                            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AA2735
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                            • String ID:
                                            • API String ID: 4176008265-0
                                            • Opcode ID: 3697da5a5aec34ea507483869bdb43f5b134d05ad3673192b8c1dbb357aff8d2
                                            • Instruction ID: e6aa7031473a5a90305b5508816e0838ac5f268666cd548cdc5b44d71299685b
                                            • Opcode Fuzzy Hash: 3697da5a5aec34ea507483869bdb43f5b134d05ad3673192b8c1dbb357aff8d2
                                            • Instruction Fuzzy Hash: A661A070901249AFDB21CFA8CD88FBF7BB9FB46344F140159E941A7291D731AE26DB20
                                            APIs
                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00AC6FA5
                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00AC6FA8
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00AC6FCC
                                            • _memset.LIBCMT ref: 00AC6FDD
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AC6FEF
                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00AC7067
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$LongWindow_memset
                                            • String ID:
                                            • API String ID: 830647256-0
                                            • Opcode ID: 74eab803cd1667ebc72c83f643467c01980a10c514534dcf5eec8ef635118469
                                            • Instruction ID: a20443ee0f9111096534fbc4a734a4ad438c49431eb52a15aba1a885fa4da287
                                            • Opcode Fuzzy Hash: 74eab803cd1667ebc72c83f643467c01980a10c514534dcf5eec8ef635118469
                                            • Instruction Fuzzy Hash: B5614875900248AFDB21DFA4CD81FEE77F8AB09710F154199FA14AB2A1CB71AD41DFA0
                                            APIs
                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A96BBF
                                            • SafeArrayAllocData.OLEAUT32(?), ref: 00A96C18
                                            • VariantInit.OLEAUT32(?), ref: 00A96C2A
                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00A96C4A
                                            • VariantCopy.OLEAUT32(?,?), ref: 00A96C9D
                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00A96CB1
                                            • VariantClear.OLEAUT32(?), ref: 00A96CC6
                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 00A96CD3
                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A96CDC
                                            • VariantClear.OLEAUT32(?), ref: 00A96CEE
                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A96CF9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                            • String ID:
                                            • API String ID: 2706829360-0
                                            • Opcode ID: b67a829cf4532890fa14d4309ee8e5ae49076d023206aa30b800374d27731517
                                            • Instruction ID: 2f9051a2424ff3a23531ffc65afefb31009d3dffc93e06b916346a6051405aad
                                            • Opcode Fuzzy Hash: b67a829cf4532890fa14d4309ee8e5ae49076d023206aa30b800374d27731517
                                            • Instruction Fuzzy Hash: 9F412E75A00219AFCF04DFA8D944DAEBBF9EF48354F018069F955E7261DB30A946CBA0
                                            APIs
                                            • WSAStartup.WSOCK32(00000101,?), ref: 00AB5793
                                            • inet_addr.WSOCK32(?,?,?), ref: 00AB57D8
                                            • gethostbyname.WSOCK32(?), ref: 00AB57E4
                                            • IcmpCreateFile.IPHLPAPI ref: 00AB57F2
                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AB5862
                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00AB5878
                                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00AB58ED
                                            • WSACleanup.WSOCK32 ref: 00AB58F3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                            • String ID: Ping
                                            • API String ID: 1028309954-2246546115
                                            • Opcode ID: c4845898301f78feaff31ca6a8dfaae20226f7b63da8cd8f0fb35cff10f763e5
                                            • Instruction ID: 943808248b426ac98f8cf1303f3aa26c2faf5360355a6ff4ca87d34e746cdab6
                                            • Opcode Fuzzy Hash: c4845898301f78feaff31ca6a8dfaae20226f7b63da8cd8f0fb35cff10f763e5
                                            • Instruction Fuzzy Hash: 6E517E35A046009FDB10DFB5DD45B6A7BE8EF48710F044969F956DB2A2DB70E801DB41
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 00AAB4D0
                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00AAB546
                                            • GetLastError.KERNEL32 ref: 00AAB550
                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 00AAB5BD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Error$Mode$DiskFreeLastSpace
                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                            • API String ID: 4194297153-14809454
                                            • Opcode ID: bdead29582cc8e61f179d8344dee8b36b2eccb7af589d8027f9aea1349c61832
                                            • Instruction ID: 78498b9e06cbe7a2b60d9d58406c0fbeca68e85a127472e60b4a1a5a9f4d9302
                                            • Opcode Fuzzy Hash: bdead29582cc8e61f179d8344dee8b36b2eccb7af589d8027f9aea1349c61832
                                            • Instruction Fuzzy Hash: F7316135E1020AEFCB10DBA8C945EBE7BB4FF4A310F144569F606972D2DB719A42CB61
                                            APIs
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                              • Part of subcall function 00A9AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A9AABC
                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00A99014
                                            • GetDlgCtrlID.USER32 ref: 00A9901F
                                            • GetParent.USER32 ref: 00A9903B
                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00A9903E
                                            • GetDlgCtrlID.USER32(?), ref: 00A99047
                                            • GetParent.USER32(?), ref: 00A99063
                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00A99066
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 1536045017-1403004172
                                            • Opcode ID: 4e196797232eb53bc76dfe55079aee17164b65f5aabde93a15e2e2388dba01ed
                                            • Instruction ID: 729a2db2c9125dec4d1d2071f4616a93fe4fd4056b0f7b9f1335cdbd164b6664
                                            • Opcode Fuzzy Hash: 4e196797232eb53bc76dfe55079aee17164b65f5aabde93a15e2e2388dba01ed
                                            • Instruction Fuzzy Hash: 5321CF74A00108BFDF04EBA4CC85EFEBBF5EF89310F10411AB961972A2DB755819DB20
                                            APIs
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                              • Part of subcall function 00A9AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A9AABC
                                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00A990FD
                                            • GetDlgCtrlID.USER32 ref: 00A99108
                                            • GetParent.USER32 ref: 00A99124
                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00A99127
                                            • GetDlgCtrlID.USER32(?), ref: 00A99130
                                            • GetParent.USER32(?), ref: 00A9914C
                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00A9914F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 1536045017-1403004172
                                            • Opcode ID: a3c081b7d41abbd2bf0d8fddd4352b8416a0dd2e59af750518398a9e0b84cc1c
                                            • Instruction ID: c2f7d48ef024bf2d03ffbeac5c0388e2ee4d21746420b875c1ec15338801dd8c
                                            • Opcode Fuzzy Hash: a3c081b7d41abbd2bf0d8fddd4352b8416a0dd2e59af750518398a9e0b84cc1c
                                            • Instruction Fuzzy Hash: D121B374A00148BFDF01ABE4CC85EFEBBF5EF48300F11411AB951972A2DB755855DB21
                                            APIs
                                            • GetParent.USER32 ref: 00A9916F
                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00A99184
                                            • _wcscmp.LIBCMT ref: 00A99196
                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A99211
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ClassMessageNameParentSend_wcscmp
                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                            • API String ID: 1704125052-3381328864
                                            • Opcode ID: df4ff6e84d2fa506c78087aa10b866f87b23f62541f2cd245c732c74bd92f846
                                            • Instruction ID: 61c7b2f45bd840318e34a3fd19448d8e3bc66b96aa3f13123d8c4d255f3c9f72
                                            • Opcode Fuzzy Hash: df4ff6e84d2fa506c78087aa10b866f87b23f62541f2cd245c732c74bd92f846
                                            • Instruction Fuzzy Hash: C211CA3A348307B9FE212768DC46DF73BECAB15720F20052AFA00A54D1FFA258515A94
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 00AB88D7
                                            • CoInitialize.OLE32(00000000), ref: 00AB8904
                                            • CoUninitialize.OLE32 ref: 00AB890E
                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00AB8A0E
                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00AB8B3B
                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00AD2C0C), ref: 00AB8B6F
                                            • CoGetObject.OLE32(?,00000000,00AD2C0C,?), ref: 00AB8B92
                                            • SetErrorMode.KERNEL32(00000000), ref: 00AB8BA5
                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00AB8C25
                                            • VariantClear.OLEAUT32(?), ref: 00AB8C35
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                            • String ID:
                                            • API String ID: 2395222682-0
                                            • Opcode ID: f46992b9eccfbcd10cea9a801640d64b852872f96f74233165eb5e304d2a0048
                                            • Instruction ID: 4ef80209d89a463fb5b3f97090d0f57f4e956923b41f40b43193f128b5248e29
                                            • Opcode Fuzzy Hash: f46992b9eccfbcd10cea9a801640d64b852872f96f74233165eb5e304d2a0048
                                            • Instruction Fuzzy Hash: 5FC102B1608305AFC700DF68C98496BB7EDBF89748F00491DF98A9B252DB75ED06CB52
                                            APIs
                                            • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00AA7A6C
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ArraySafeVartype
                                            • String ID:
                                            • API String ID: 1725837607-0
                                            • Opcode ID: 32e63395849a0cc4682689759548172fc424e3bc45ce3a2df3b5551400b26c08
                                            • Instruction ID: b793bf43d298415ef76bfb462fd770ce4f3b7ef954da541dfd18b373d0c93f1a
                                            • Opcode Fuzzy Hash: 32e63395849a0cc4682689759548172fc424e3bc45ce3a2df3b5551400b26c08
                                            • Instruction Fuzzy Hash: 8AB18D75A0421A9FDB00DFA8CD85BBFB7B5FF4A321F24442AE541E7291D734A941CBA0
                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 00AA11F0
                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00AA0268,?,00000001), ref: 00AA1204
                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00AA120B
                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AA0268,?,00000001), ref: 00AA121A
                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00AA122C
                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AA0268,?,00000001), ref: 00AA1245
                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AA0268,?,00000001), ref: 00AA1257
                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00AA0268,?,00000001), ref: 00AA129C
                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AA0268,?,00000001), ref: 00AA12B1
                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AA0268,?,00000001), ref: 00AA12BC
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                            • String ID:
                                            • API String ID: 2156557900-0
                                            • Opcode ID: 94b0117577b42d38adb4bd0e12e0a293dce29291284bf106ef9788dabfd595a1
                                            • Instruction ID: a90faa182d99c07cb5d09d136456c31ce24ddafb37d6d16bd21333a35cfb587f
                                            • Opcode Fuzzy Hash: 94b0117577b42d38adb4bd0e12e0a293dce29291284bf106ef9788dabfd595a1
                                            • Instruction Fuzzy Hash: 51318D79A04205BFEB20DF94EC88FA977AAEB66351F114129FD04D72E0DBB4DD448B60
                                            APIs
                                            • GetSysColor.USER32(00000008), ref: 00A42231
                                            • SetTextColor.GDI32(?,000000FF), ref: 00A4223B
                                            • SetBkMode.GDI32(?,00000001), ref: 00A42250
                                            • GetStockObject.GDI32(00000005), ref: 00A42258
                                            • GetClientRect.USER32(?), ref: 00A7BDBB
                                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 00A7BDD2
                                            • GetWindowDC.USER32(?), ref: 00A7BDDE
                                            • GetPixel.GDI32(00000000,?,?), ref: 00A7BDED
                                            • ReleaseDC.USER32(?,00000000), ref: 00A7BDFF
                                            • GetSysColor.USER32(00000005), ref: 00A7BE1D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                            • String ID:
                                            • API String ID: 3430376129-0
                                            • Opcode ID: 41a9474a32f7df3490ebf4e9f7d89af2fe4226962d2d1865c93706d7c8f16df5
                                            • Instruction ID: afc9c06ca52ef124d5e8db915e66f4c5e76645df14e27885ef876cac53382f8e
                                            • Opcode Fuzzy Hash: 41a9474a32f7df3490ebf4e9f7d89af2fe4226962d2d1865c93706d7c8f16df5
                                            • Instruction Fuzzy Hash: 7B214C31100245EFDB219FA4EC08FE97B72EB48321F558275FA25951F1CB714952EF11
                                            APIs
                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A4FAA6
                                            • OleUninitialize.OLE32(?,00000000), ref: 00A4FB45
                                            • UnregisterHotKey.USER32(?), ref: 00A4FC9C
                                            • DestroyWindow.USER32(?), ref: 00A845D6
                                            • FreeLibrary.KERNEL32(?), ref: 00A8463B
                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A84668
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                            • String ID: close all
                                            • API String ID: 469580280-3243417748
                                            • Opcode ID: 7a64f511b07e44f87a4485949dd91ab587393d9f7fdcef555b8ffe96702689c0
                                            • Instruction ID: 5fefa15a9c1d1df4cf822984e7352dfd93fb43f34abf9f90de96721254f446cf
                                            • Opcode Fuzzy Hash: 7a64f511b07e44f87a4485949dd91ab587393d9f7fdcef555b8ffe96702689c0
                                            • Instruction Fuzzy Hash: 19A17E35701212CFCB29EF14CA94E69F7A5BF49700F1542BDE80AAB262DB30AC16CF50
                                            APIs
                                            • EnumChildWindows.USER32(?,00A9A439), ref: 00A9A377
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ChildEnumWindows
                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                            • API String ID: 3555792229-1603158881
                                            • Opcode ID: e6fae7c42a6b90aab7199bd5af62e6a48c294a806c18856858fe35dc1d68ddb2
                                            • Instruction ID: 5ca162844f16e0f0cd5d192c21d6cfff6dfca66d09af4ff14de268061cdbee96
                                            • Opcode Fuzzy Hash: e6fae7c42a6b90aab7199bd5af62e6a48c294a806c18856858fe35dc1d68ddb2
                                            • Instruction Fuzzy Hash: E991B431B00606AACF08DFA0C582BEEFBF5BF24340F54811AE85AA7151DF316999DBD1
                                            APIs
                                            • SetWindowLongW.USER32(?,000000EB), ref: 00A42EAE
                                              • Part of subcall function 00A41DB3: GetClientRect.USER32(?,?), ref: 00A41DDC
                                              • Part of subcall function 00A41DB3: GetWindowRect.USER32(?,?), ref: 00A41E1D
                                              • Part of subcall function 00A41DB3: ScreenToClient.USER32(?,?), ref: 00A41E45
                                            • GetDC.USER32 ref: 00A7CD32
                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A7CD45
                                            • SelectObject.GDI32(00000000,00000000), ref: 00A7CD53
                                            • SelectObject.GDI32(00000000,00000000), ref: 00A7CD68
                                            • ReleaseDC.USER32(?,00000000), ref: 00A7CD70
                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A7CDFB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                            • String ID: U
                                            • API String ID: 4009187628-3372436214
                                            • Opcode ID: 133c802b83df37ceb3f6dbc00e65ba3f591ff6dca147882efd346077aa2a5a9b
                                            • Instruction ID: 0ea7d6dde8529913c2410e89811851d9f9ac71a16e9c46150da8abb4dd2273e2
                                            • Opcode Fuzzy Hash: 133c802b83df37ceb3f6dbc00e65ba3f591ff6dca147882efd346077aa2a5a9b
                                            • Instruction Fuzzy Hash: C2717A35500209DFCF218F64CC85AAA7FB5FF88364F14C26AFD599A2A6D7319881DB60
                                            APIs
                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AB1A50
                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00AB1A7C
                                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00AB1ABE
                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00AB1AD3
                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AB1AE0
                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00AB1B10
                                            • InternetCloseHandle.WININET(00000000), ref: 00AB1B57
                                              • Part of subcall function 00AB2483: GetLastError.KERNEL32(?,?,00AB1817,00000000,00000000,00000001), ref: 00AB2498
                                              • Part of subcall function 00AB2483: SetEvent.KERNEL32(?,?,00AB1817,00000000,00000000,00000001), ref: 00AB24AD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                            • String ID:
                                            • API String ID: 2603140658-3916222277
                                            • Opcode ID: 0eefaec1b85d70f46915b7ec06f4fef8bb9c8617cac1cfb70b402a372d06f0ab
                                            • Instruction ID: a4208b89f258cd6c300dd63155bed65eaab3c5909a8b92fbc2e37e1260e196f0
                                            • Opcode Fuzzy Hash: 0eefaec1b85d70f46915b7ec06f4fef8bb9c8617cac1cfb70b402a372d06f0ab
                                            • Instruction Fuzzy Hash: D5418FB1501218BFEB119F50CC99FFB7BADFF08354F00412AFA05AA142E770AE459BA0
                                            APIs
                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00ACF910), ref: 00AB8D28
                                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00ACF910), ref: 00AB8D5C
                                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00AB8ED6
                                            • SysFreeString.OLEAUT32(?), ref: 00AB8F00
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                            • String ID:
                                            • API String ID: 560350794-0
                                            • Opcode ID: 7e307a96b56a1f16e277c6bb719f10ebdec665fcf880da28afc4f431a844f653
                                            • Instruction ID: 2b4a43f9fb4f5c38afd95e05ed964ca7b26d6a4999e6f95384ac9b80f5255bce
                                            • Opcode Fuzzy Hash: 7e307a96b56a1f16e277c6bb719f10ebdec665fcf880da28afc4f431a844f653
                                            • Instruction Fuzzy Hash: 63F1F771A00109AFDF14EF98C884EEEB7B9FF49314F148458F905AB252DB35AE46CB60
                                            APIs
                                            • _memset.LIBCMT ref: 00ABF6B5
                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ABF848
                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ABF86C
                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ABF8AC
                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ABF8CE
                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ABFA4A
                                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00ABFA7C
                                            • CloseHandle.KERNEL32(?), ref: 00ABFAAB
                                            • CloseHandle.KERNEL32(?), ref: 00ABFB22
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                            • String ID:
                                            • API String ID: 4090791747-0
                                            • Opcode ID: e48677206cd339981c6901339eab44fe2c22c30be195a5c291f4cda066c83e9e
                                            • Instruction ID: 8f46138959570c56146990c096e5cd131adf974b4865ca148241835fc9d99d73
                                            • Opcode Fuzzy Hash: e48677206cd339981c6901339eab44fe2c22c30be195a5c291f4cda066c83e9e
                                            • Instruction Fuzzy Hash: D1E19F35604240AFCB14EF24C981BABBBE5FF85354F18896DF8959B2A2CB31DC45CB52
                                            APIs
                                              • Part of subcall function 00AA466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AA3697,?), ref: 00AA468B
                                              • Part of subcall function 00AA466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AA3697,?), ref: 00AA46A4
                                              • Part of subcall function 00AA4A31: GetFileAttributesW.KERNEL32(?,00AA370B), ref: 00AA4A32
                                            • lstrcmpiW.KERNEL32(?,?), ref: 00AA4D40
                                            • _wcscmp.LIBCMT ref: 00AA4D5A
                                            • MoveFileW.KERNEL32(?,?), ref: 00AA4D75
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                            • String ID:
                                            • API String ID: 793581249-0
                                            • Opcode ID: a787a937e174490f76969e4256f0ef987ec210de58b52533a56f50bda41bbfa7
                                            • Instruction ID: 7d351ec5b1a738698e6839eaa7d34caf55fc45a1f8b0183de622aa082452cd25
                                            • Opcode Fuzzy Hash: a787a937e174490f76969e4256f0ef987ec210de58b52533a56f50bda41bbfa7
                                            • Instruction Fuzzy Hash: 915163B24083859BC764DBA0D9819DFB3ECAFC9750F00092EB589D3192EF74A588C756
                                            APIs
                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00AC86FF
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: InvalidateRect
                                            • String ID:
                                            • API String ID: 634782764-0
                                            • Opcode ID: 530e7e32f6a2ebf536b6cc75d2c604c59ed54f913ebd1e775505de1654ac476c
                                            • Instruction ID: 6289118131007f110de7dafb909e0dadb84560b9fec93e7f9330ec21b5d4b967
                                            • Opcode Fuzzy Hash: 530e7e32f6a2ebf536b6cc75d2c604c59ed54f913ebd1e775505de1654ac476c
                                            • Instruction Fuzzy Hash: BC51D234600244BFEF209B28CC89FAD7BA5FB05760F62411AF951E65E1DF79AD80CB50
                                            APIs
                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00A7C2F7
                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A7C319
                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A7C331
                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00A7C34F
                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A7C370
                                            • DestroyIcon.USER32(00000000), ref: 00A7C37F
                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A7C39C
                                            • DestroyIcon.USER32(?), ref: 00A7C3AB
                                              • Part of subcall function 00ACA4AF: DeleteObject.GDI32(00000000), ref: 00ACA4E8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                            • String ID:
                                            • API String ID: 2819616528-0
                                            • Opcode ID: 925d8a7cacc746f3c42b272c7df6bb64eb8c626364a66228e93c5de57c5743c9
                                            • Instruction ID: 1630358060beae92c669cae9d687d397c2f21604dc9e165544d49a65298928bc
                                            • Opcode Fuzzy Hash: 925d8a7cacc746f3c42b272c7df6bb64eb8c626364a66228e93c5de57c5743c9
                                            • Instruction Fuzzy Hash: 2D516A74600209EFDB24DF64CC45FAA7BB5EB98320F508528F906DB2A0DB70AD91DB50
                                            APIs
                                              • Part of subcall function 00A9A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A9A84C
                                              • Part of subcall function 00A9A82C: GetCurrentThreadId.KERNEL32 ref: 00A9A853
                                              • Part of subcall function 00A9A82C: AttachThreadInput.USER32(00000000,?,00A99683,?,00000001), ref: 00A9A85A
                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00A9968E
                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A996AB
                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00A996AE
                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00A996B7
                                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A996D5
                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00A996D8
                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00A996E1
                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A996F8
                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00A996FB
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                            • String ID:
                                            • API String ID: 2014098862-0
                                            • Opcode ID: 32ff3ae309685a87b9ba052547a3d59afd540077b0df5c3fa3a505c29b9a3743
                                            • Instruction ID: 8ff837240b86891743712ead362f7c6ff1a9af7ad40d477f4df3c69473d4eecb
                                            • Opcode Fuzzy Hash: 32ff3ae309685a87b9ba052547a3d59afd540077b0df5c3fa3a505c29b9a3743
                                            • Instruction Fuzzy Hash: 8611E571A10218FEFA10AFA4DC49F6A3F6EDB4C790F120426F744AB0A0C9F35C11DAA4
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00A9853C,00000B00,?,?), ref: 00A9892A
                                            • HeapAlloc.KERNEL32(00000000,?,00A9853C,00000B00,?,?), ref: 00A98931
                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A9853C,00000B00,?,?), ref: 00A98946
                                            • GetCurrentProcess.KERNEL32(?,00000000,?,00A9853C,00000B00,?,?), ref: 00A9894E
                                            • DuplicateHandle.KERNEL32(00000000,?,00A9853C,00000B00,?,?), ref: 00A98951
                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00A9853C,00000B00,?,?), ref: 00A98961
                                            • GetCurrentProcess.KERNEL32(00A9853C,00000000,?,00A9853C,00000B00,?,?), ref: 00A98969
                                            • DuplicateHandle.KERNEL32(00000000,?,00A9853C,00000B00,?,?), ref: 00A9896C
                                            • CreateThread.KERNEL32(00000000,00000000,00A98992,00000000,00000000,00000000), ref: 00A98986
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                            • String ID:
                                            • API String ID: 1957940570-0
                                            • Opcode ID: 4429f7ef1ee0b90ae66cb364ee5b7630c2c3fe18454319271c045b62ffccf273
                                            • Instruction ID: 40374b19ccd822118e25ea209df9215917db711f3cf6d339d6881c05685c4c3f
                                            • Opcode Fuzzy Hash: 4429f7ef1ee0b90ae66cb364ee5b7630c2c3fe18454319271c045b62ffccf273
                                            • Instruction Fuzzy Hash: 9701A8B5240308FFE610EBA5DC49F6B7BADEB89711F458521FB05DB1A1CA7598018A20
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: NULL Pointer assignment$Not an Object type
                                            • API String ID: 0-572801152
                                            • Opcode ID: e0b578e4ec2b9e264c9dbefce523e733c3c5164ee83de2e51f34713e1b666713
                                            • Instruction ID: b4e0ac0707e519aa3f555e603326f6e8dfcff81e2180947edc448fd2fbb626e1
                                            • Opcode Fuzzy Hash: e0b578e4ec2b9e264c9dbefce523e733c3c5164ee83de2e51f34713e1b666713
                                            • Instruction Fuzzy Hash: 70C17171A002199FDF10DF99D984AEFBBF9BF48314F158469EA05AB282E770DD41CB50
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Variant$ClearInit$_memset
                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                            • API String ID: 2862541840-625585964
                                            • Opcode ID: d0558726df5c93af64cdf4884908e296e80e009ce8551a1ce49c945227977eee
                                            • Instruction ID: 602d5f6ab4b33f299fb2a80ce4d544a6c137f7e4dbf175957c2c666a90d5a100
                                            • Opcode Fuzzy Hash: d0558726df5c93af64cdf4884908e296e80e009ce8551a1ce49c945227977eee
                                            • Instruction Fuzzy Hash: 37916B71A00219ABDF24DFA5C888FEFBBB8EF45710F10855DF615AB282D7709945CBA0
                                            APIs
                                              • Part of subcall function 00A9710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A97044,80070057,?,?,?,00A97455), ref: 00A97127
                                              • Part of subcall function 00A9710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A97044,80070057,?,?), ref: 00A97142
                                              • Part of subcall function 00A9710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A97044,80070057,?,?), ref: 00A97150
                                              • Part of subcall function 00A9710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A97044,80070057,?), ref: 00A97160
                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00AB9806
                                            • _memset.LIBCMT ref: 00AB9813
                                            • _memset.LIBCMT ref: 00AB9956
                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00AB9982
                                            • CoTaskMemFree.OLE32(?), ref: 00AB998D
                                            Strings
                                            • NULL Pointer assignment, xrefs: 00AB99DB
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                            • String ID: NULL Pointer assignment
                                            • API String ID: 1300414916-2785691316
                                            • Opcode ID: 726316f4d220e5b28171a54465d407e029636318026351394e5849c11587fab2
                                            • Instruction ID: d90c4ef495412be8b3747b9e9b033eb63330e29c61f7cab2b4c0fda8e7ec1ff8
                                            • Opcode Fuzzy Hash: 726316f4d220e5b28171a54465d407e029636318026351394e5849c11587fab2
                                            • Instruction Fuzzy Hash: 1E914671D00228EBDB10DFA4DD81EDEBBB9AF48750F20415AF519A7292DB319A44CFA0
                                            APIs
                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00AC6E24
                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 00AC6E38
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00AC6E52
                                            • _wcscat.LIBCMT ref: 00AC6EAD
                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00AC6EC4
                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00AC6EF2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window_wcscat
                                            • String ID: SysListView32
                                            • API String ID: 307300125-78025650
                                            • Opcode ID: 2bc265ef8a571da79d1c84aab24671700123b171ef408828bf13338428bc2254
                                            • Instruction ID: c884ec70f8bc81f8b5f1deaa871b02fda3c446d140c4b58dd5a28367f748d646
                                            • Opcode Fuzzy Hash: 2bc265ef8a571da79d1c84aab24671700123b171ef408828bf13338428bc2254
                                            • Instruction Fuzzy Hash: C0419D71A00348AFEB21DFA4CC85FEA77E9EF08350F11442EF585A7291D6729D858B60
                                            APIs
                                              • Part of subcall function 00AA3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00AA3C7A
                                              • Part of subcall function 00AA3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00AA3C88
                                              • Part of subcall function 00AA3C55: CloseHandle.KERNEL32(00000000), ref: 00AA3D52
                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ABE9A4
                                            • GetLastError.KERNEL32 ref: 00ABE9B7
                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ABE9E6
                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00ABEA63
                                            • GetLastError.KERNEL32(00000000), ref: 00ABEA6E
                                            • CloseHandle.KERNEL32(00000000), ref: 00ABEAA3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                            • String ID: SeDebugPrivilege
                                            • API String ID: 2533919879-2896544425
                                            • Opcode ID: e4ce3aeb0951c068a89e9deb703f6e6e7ce4335ec29c6984500131885d8285b7
                                            • Instruction ID: a5a27f4b6df88fec1af55db568cfec76d86a92bb11d9c3e43b4b4e807797dcc9
                                            • Opcode Fuzzy Hash: e4ce3aeb0951c068a89e9deb703f6e6e7ce4335ec29c6984500131885d8285b7
                                            • Instruction Fuzzy Hash: 4241A9713002019FDB10EF68CD95FAEBBA9AF80355F18841CF9029B2D3CB75A859CB91
                                            APIs
                                            • LoadIconW.USER32(00000000,00007F03), ref: 00AA3033
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: IconLoad
                                            • String ID: blank$info$question$stop$warning
                                            • API String ID: 2457776203-404129466
                                            • Opcode ID: 6d05ddb6464e767fee1d83fa01c39b2b763a41a92557a2a7a32478fd696f9eaf
                                            • Instruction ID: 745c70917e1f99feaa0146ef7961bd75c7f7a1f1b38e3175d18ac3f8c5717c4d
                                            • Opcode Fuzzy Hash: 6d05ddb6464e767fee1d83fa01c39b2b763a41a92557a2a7a32478fd696f9eaf
                                            • Instruction Fuzzy Hash: C511E73634874ABEEB149B58DC42D6F7BBC9F16760F20406AFA00A71C1DB755F4056A4
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00AA4312
                                            • LoadStringW.USER32(00000000), ref: 00AA4319
                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00AA432F
                                            • LoadStringW.USER32(00000000), ref: 00AA4336
                                            • _wprintf.LIBCMT ref: 00AA435C
                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AA437A
                                            Strings
                                            • %s (%d) : ==> %s: %s %s, xrefs: 00AA4357
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: HandleLoadModuleString$Message_wprintf
                                            • String ID: %s (%d) : ==> %s: %s %s
                                            • API String ID: 3648134473-3128320259
                                            • Opcode ID: 75499b81bebad6487853fb457e188031e97ab9d798e0ee300ca9e86af9f2e0fc
                                            • Instruction ID: 2bfa2099e7b6a810a5b32445506a67ca96e78033e4fe5b31f02495da0b986edb
                                            • Instruction Fuzzy Hash: 330162F6900208BFEB11D7E0DD89EF7776CEB08300F0105A5B749E6051EA745E864B74
                                            APIs
                                              • Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623
                                            • GetSystemMetrics.USER32(0000000F), ref: 00ACD47C
                                            • GetSystemMetrics.USER32(0000000F), ref: 00ACD49C
                                            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00ACD6D7
                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00ACD6F5
                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00ACD716
                                            • ShowWindow.USER32(00000003,00000000), ref: 00ACD735
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00ACD75A
                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00ACD77D
                                            Similarity
                                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                            • String ID:
                                            • API String ID: 1211466189-0
                                            • Opcode ID: f79b01b96341bb92ba387f76094cafb2d6338c4bbd8f33eb00439b2418c4ae5d
                                            • Instruction ID: a851ff22fe081f6121121ac3a36367c87ed93b62a723d84d4a65115fdea99259
                                            • Instruction Fuzzy Hash: 43B17A75600229EFDF14CF68C985BAE7BB1BF44711F0A8079ED48AF295DB34A950CB90
                                            APIs
                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A7C1C7,00000004,00000000,00000000,00000000), ref: 00A42ACF
                                            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00A7C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00A42B17
                                            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00A7C1C7,00000004,00000000,00000000,00000000), ref: 00A7C21A
                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A7C1C7,00000004,00000000,00000000,00000000), ref: 00A7C286
                                            Similarity
                                            • API ID: ShowWindow
                                            • String ID:
                                            • API String ID: 1268545403-0
                                            • Opcode ID: ed3971ae43a7731826c213b9f1aee19b0a199fa95959641bdbdc09b724df79bb
                                            • Instruction ID: 2ab3acb804b0fbe3a7423120d0ba8229b561d8b00f2962a78a43dcb7043beb6d
                                            • Instruction Fuzzy Hash: 47414D382047C0AEDB759B28CC8CB7B7BA2EBD5350F95C83DF84B82561C6719886D751
                                            APIs
                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00AA70DD
                                              • Part of subcall function 00A60DB6: std::exception::exception.LIBCMT ref: 00A60DEC
                                              • Part of subcall function 00A60DB6: __CxxThrowException@8.LIBCMT ref: 00A60E01
                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00AA7114
                                            • EnterCriticalSection.KERNEL32(?), ref: 00AA7130
                                            • _memmove.LIBCMT ref: 00AA717E
                                            • _memmove.LIBCMT ref: 00AA719B
                                            • LeaveCriticalSection.KERNEL32(?), ref: 00AA71AA
                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00AA71BF
                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AA71DE
                                            Similarity
                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                            • String ID:
                                            • API String ID: 256516436-0
                                            • Opcode ID: dee944464d080b5f875f1ac6a2c559bebbf7a8d194bba1f8c8c0dc847d872e0f
                                            • Instruction ID: 475d4c3d996c1e540bb2b02433850a62f7c7d7467d2f3d4b0053ee661f7d2312
                                            • Instruction Fuzzy Hash: 83317C71A00205EFDB00DFA4DD85EAFBBB9EF45310F1541B5E904AB296DB309E51CBA0
                                            APIs
                                            • DeleteObject.GDI32(00000000), ref: 00AC61EB
                                            • GetDC.USER32(00000000), ref: 00AC61F3
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AC61FE
                                            • ReleaseDC.USER32(00000000,00000000), ref: 00AC620A
                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00AC6246
                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AC6257
                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00AC902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00AC6291
                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00AC62B1
                                            Similarity
                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                            • String ID:
                                            • API String ID: 3864802216-0
                                            • Opcode ID: d4911391e26b8d2d4007619a2fb8ad1938a07f3bfc4c9682da643c890093b071
                                            • Instruction ID: de78a2e8185cfb4c5d5dcd015f2e04f75da7b0930218e5f6ddca9e8366707e97
                                            • Instruction Fuzzy Hash: 9E314C72201214BFEF118F50CC8AFEA3BAAEF49765F054065FE489A291D7759C42CB74
                                            APIs
                                            Similarity
                                            • API ID: _memcmp
                                            • String ID:
                                            • API String ID: 2931989736-0
                                            • Opcode ID: 1be09ef04e8b6cc194d12aaeb32f906397ad1b976e12361b8228fc07ef0e64cc
                                            • Instruction ID: 3954422207f878bb3e808ad3f79f3afbce0820215a0ea08f8521b9c57fc8da2e
                                            • Instruction Fuzzy Hash: A1218EB17212157BAB046711AF42FBB77EDAE64388B084421FD059A687EF64DE11C2B1
                                            APIs
                                              • Part of subcall function 00A49837: __itow.LIBCMT ref: 00A49862
                                              • Part of subcall function 00A49837: __swprintf.LIBCMT ref: 00A498AC
                                              • Part of subcall function 00A5FC86: _wcscpy.LIBCMT ref: 00A5FCA9
                                            • _wcstok.LIBCMT ref: 00AAEC94
                                            • _wcscpy.LIBCMT ref: 00AAED23
                                            • _memset.LIBCMT ref: 00AAED56
                                            Strings
                                            Similarity
                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                            • String ID: X
                                            • API String ID: 774024439-3081909835
                                            • Opcode ID: 0cc929154785409bc192787683af8d9b13f4c5a2791dc28823cc82f9399bb182
                                            • Instruction ID: 72380fc582089a687f4b97006ee0bf025d1dc33c3e7c29f254be420d371f4983
                                            • Instruction Fuzzy Hash: 82C14B756087409FC764EF64CA85A6FB7E4EF85310F00492DF8999B2A2DB70EC55CB82
                                            APIs
                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00AB6C00
                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AB6C21
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00AB6C34
                                            • htons.WSOCK32(?,?,?,00000000,?), ref: 00AB6CEA
                                            • inet_ntoa.WSOCK32(?), ref: 00AB6CA7
                                              • Part of subcall function 00A9A7E9: _strlen.LIBCMT ref: 00A9A7F3
                                              • Part of subcall function 00A9A7E9: _memmove.LIBCMT ref: 00A9A815
                                            • _strlen.LIBCMT ref: 00AB6D44
                                            • _memmove.LIBCMT ref: 00AB6DAD
                                            Similarity
                                            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                            • String ID:
                                            • API String ID: 3619996494-0
                                            • Opcode ID: d2b4462a5df3075922d697f09321e0c00d3d7ba7e0ba31af51552d184e480433
                                            • Instruction ID: 3b90dac670391d5c27d09da608ab61daac83a931c68ff58a502b62cd675d0562
                                            • Instruction Fuzzy Hash: BF81CC75604200ABC710EB64CD82EAFB7BDEFC4714F144A28F9559B293DB74AD01CB92
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c5e3cd59b7993c37ad3c46dfbd2e983e109d2c1fc0471e1251905286d439d68c
                                            • Instruction ID: 7583ded35b87d18e1f00d99d8136eb252f0ca2deb2cf47ac8075b5773a79620d
                                            • Instruction Fuzzy Hash: 25713774900109EFCB14CF98CC89AAEBB79FFC5314F248159F915AA251D774AA92CBA0
                                            APIs
                                            • IsWindow.USER32(00CD4E00), ref: 00ACB3EB
                                            • IsWindowEnabled.USER32(00CD4E00), ref: 00ACB3F7
                                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00ACB4DB
                                            • SendMessageW.USER32(00CD4E00,000000B0,?,?), ref: 00ACB512
                                            • IsDlgButtonChecked.USER32(?,?), ref: 00ACB54F
                                            • GetWindowLongW.USER32(00CD4E00,000000EC), ref: 00ACB571
                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00ACB589
                                            Similarity
                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                            • String ID:
                                            • API String ID: 4072528602-0
                                            • Opcode ID: f7777885e348ec6ee8eb490289234f4b94ca70eb8a63fe822f74a065ba76d966
                                            • Instruction ID: d3821a92cda2249a4f55e64fd0b5b8b255c64b48e410f94c316f03cb77b1bc14
                                            • Instruction Fuzzy Hash: 1971A034618644EFDB24DF64C996FBA7BB5EF09300F16405DE946973A2C732AC41DB60
                                            APIs
                                            • _memset.LIBCMT ref: 00ABF448
                                            • _memset.LIBCMT ref: 00ABF511
                                            • ShellExecuteExW.SHELL32(?), ref: 00ABF556
                                              • Part of subcall function 00A49837: __itow.LIBCMT ref: 00A49862
                                              • Part of subcall function 00A49837: __swprintf.LIBCMT ref: 00A498AC
                                              • Part of subcall function 00A5FC86: _wcscpy.LIBCMT ref: 00A5FCA9
                                            • GetProcessId.KERNEL32(00000000), ref: 00ABF5CD
                                            • CloseHandle.KERNEL32(00000000), ref: 00ABF5FC
                                            Strings
                                            Similarity
                                            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                            • String ID: @
                                            • API String ID: 3522835683-2766056989
                                            • Opcode ID: 88be3ef6a143520d75ea6eaf122df042af2bc46d2c2eb49e2af98f0d8530ee43
                                            • Instruction ID: 80b1ce68aad240616403f8679594fa14a66efec695332803b364e5c01457b923
                                            • Instruction Fuzzy Hash: F8618F75A00619DFCB14DFA8C9819AFBBF9FF88310F148169E855AB352CB31AD51CB90
                                            APIs
                                            • GetParent.USER32(?), ref: 00AA0F8C
                                            • GetKeyboardState.USER32(?), ref: 00AA0FA1
                                            • SetKeyboardState.USER32(?), ref: 00AA1002
                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00AA1030
                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 00AA104F
                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00AA1095
                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00AA10B8
                                            Similarity
                                            • API ID: MessagePost$KeyboardState$Parent
                                            • String ID:
                                            • API String ID: 87235514-0
                                            • Opcode ID: b744e5e8804343d07706befef2f406f8e9c21e38298a70ad761a29a5dc9b6fe3
                                            • Instruction ID: db82b06ece9a9079d611dfd8b7982d4b2a27734aed7d2c26f253ee5b5536589d
                                            • Instruction Fuzzy Hash: 6351EFA06087D53DFB3683348C55BBABEE96B07304F088589E1D5978C2C3A9ECD9D761
                                            APIs
                                            • GetParent.USER32(00000000), ref: 00AA0DA5
                                            • GetKeyboardState.USER32(?), ref: 00AA0DBA
                                            • SetKeyboardState.USER32(?), ref: 00AA0E1B
                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AA0E47
                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AA0E64
                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AA0EA8
                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AA0EC9
                                            Similarity
                                            • API ID: MessagePost$KeyboardState$Parent
                                            • String ID:
                                            • API String ID: 87235514-0
                                            • Opcode ID: e97dfe98b4e834e027fb6224ccfd21e83024b4d7528030f1856c123b78fdaa5b
                                            • Instruction ID: c33d5419524b2edbc2aefcc24e43dbf9f617c5f3d9e44144308773f0828976fa
                                            • Opcode Fuzzy Hash: e97dfe98b4e834e027fb6224ccfd21e83024b4d7528030f1856c123b78fdaa5b
                                            • Instruction Fuzzy Hash: 2351E3A15487D53DFB3687748C45FBABFA96B07300F088889E1D4978C2D395EC99E760
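                                             The listing above is the report's per-function API trace, and the raw hex arguments only become useful once decoded: 0x0100 is WM_KEYDOWN, and the wParam values 0x10, 0x11, 0x12 and 0x5B are VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN, so this function saves the keyboard state with GetKeyboardState, posts key-down messages for the four modifier keys and restores the state with SetKeyboardState. The parser below is an added example written for this page, not code from Joe Sandbox or from the sample: it turns lines in the report's "• Name.MODULE(args), ref: addr" layout into records and annotates the handful of constants that matter for triage. The sample input is constructed from lines copied from this page's keyboard-state and socket entries, and the constant tables cover only the values those lines use.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Constructed sample input: API lines copied from two function listings on this
# page (the keyboard-state function at 00AA0DA5.. and the socket function at
# 00AB61C6..), in the report's own layout. Nothing here is binary output.
SAMPLE = """\
• GetParent.USER32(00000000), ref: 00AA0DA5
• GetKeyboardState.USER32(?), ref: 00AA0DBA
• SetKeyboardState.USER32(?), ref: 00AA0E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AA0E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AA0E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AA0EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AA0EC9
  • Part of subcall function 00AB7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AB7DB6
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00AB61C6
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00AB620E
• connect.WSOCK32(00000000,?,00000010), ref: 00AB6217
• WSAGetLastError.WSOCK32 ref: 00AB6221
"""

Arg = Union[int, str, None]  # hex immediate, literal string, or None for "?"


@dataclass
class Call:
    api: str
    module: str
    args: List[Arg]
    ref: int
    subcall_of: Optional[int] = None  # set for "Part of subcall function X" lines
    notes: List[str] = field(default_factory=list)


LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants used by the lines above (documented SDK values).
WM = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0030: "WM_SETFONT"}
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
FIONBIO = 0x8004667E


def _arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok  # e.g. "kernel32.dll" or "FlsAlloc"


def _annotate(c: Call) -> None:
    a = c.args
    if c.api in ("PostMessageW", "SendMessageW") and len(a) >= 3 and a[1] in WM:
        c.notes.append(WM[a[1]])
        if WM[a[1]] in ("WM_KEYDOWN", "WM_KEYUP") and isinstance(a[2], int):
            c.notes.append(VK.get(a[2], "VK_%02X" % a[2]))
    elif c.api == "ioctlsocket" and len(a) >= 2 and a[1] == FIONBIO:
        c.notes.append("FIONBIO")
    elif c.api == "socket" and a[:3] == [2, 1, 6]:
        c.notes.append("AF_INET/SOCK_STREAM/IPPROTO_TCP")


def parse(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers, hashes and other non-API lines
        args = [_arg(t) for t in m["args"].split(",")] if m["args"] else []
        c = Call(m["api"], m["mod"], args, int(m["ref"], 16),
                 int(m["sub"], 16) if m["sub"] else None)
        _annotate(c)
        calls.append(c)
    return calls


def posted_keys(calls: List[Call]) -> List[str]:
    """Virtual keys sent via PostMessage/SendMessage WM_KEYDOWN, in call order."""
    return [c.notes[1] for c in calls
            if c.api in ("PostMessageW", "SendMessageW")
            and len(c.notes) == 2 and c.notes[0] == "WM_KEYDOWN"]


def summary(calls: List[Call]) -> List[str]:
    return ["%08X %s.%s %s" % (c.ref, c.api, c.module, " ".join(c.notes)).rstrip()
            for c in calls]


if __name__ == "__main__":
    for line in summary(parse(SAMPLE)):
        print(line)
```

                                             Run it over a saved copy of the report's function section to list every function that posts synthetic key events or toggles FIONBIO, rather than scrolling through thousands of entries by hand.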
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _wcsncpy$LocalTime
                                            • String ID:
                                            • API String ID: 2945705084-0
                                            • Opcode ID: 5b4b3cf06cca49afb0408372f62bdfffecd6f6241224bff8d1d1e21dbc7cd2fb
                                            • Instruction ID: 8deef0e84b6da94076e1d3de82d7cbee350546e5a33f64752006bf14cb96ea35
                                            • Opcode Fuzzy Hash: 5b4b3cf06cca49afb0408372f62bdfffecd6f6241224bff8d1d1e21dbc7cd2fb
                                            • Instruction Fuzzy Hash: C5418366C1061476CB11EBB48C86ACFB3B8EF05310F508966E519E32A1FB34E755C7AA
                                            APIs
                                              • Part of subcall function 00AA466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AA3697,?), ref: 00AA468B
                                              • Part of subcall function 00AA466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AA3697,?), ref: 00AA46A4
                                            • lstrcmpiW.KERNEL32(?,?), ref: 00AA36B7
                                            • _wcscmp.LIBCMT ref: 00AA36D3
                                            • MoveFileW.KERNEL32(?,?), ref: 00AA36EB
                                            • _wcscat.LIBCMT ref: 00AA3733
                                            • SHFileOperationW.SHELL32(?), ref: 00AA379F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                            • String ID: \*.*
                                            • API String ID: 1377345388-1173974218
                                            • Opcode ID: 0fd2147123b233977accad8de7fbda80cce9e911fa74ba9a883813b0e2f2381c
                                            • Instruction ID: f19235ecb0b2dc49c4f819e57bf3e3e6bfa28c7a515bc9e9222c97c64f823abd
                                            • Opcode Fuzzy Hash: 0fd2147123b233977accad8de7fbda80cce9e911fa74ba9a883813b0e2f2381c
                                            • Instruction Fuzzy Hash: 73416172508344AECB55EF64C5419DFB7E8AF8A380F44092EB49AC3291EB34D689C752
                                            APIs
                                            • _memset.LIBCMT ref: 00AC72AA
                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AC7351
                                            • IsMenu.USER32(?), ref: 00AC7369
                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AC73B1
                                            • DrawMenuBar.USER32 ref: 00AC73C4
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Menu$Item$DrawInfoInsert_memset
                                            • String ID: 0
                                            • API String ID: 3866635326-4108050209
                                            • Opcode ID: 8b9871ed865b8b444ff0dfaa503dd7251bb9c1aec84047abcc3dc4a86ca983f6
                                            • Instruction ID: 988992e43a79260a46b00ab9a359496880089320af202cccc82ad778542406ab
                                            • Opcode Fuzzy Hash: 8b9871ed865b8b444ff0dfaa503dd7251bb9c1aec84047abcc3dc4a86ca983f6
                                            • Instruction Fuzzy Hash: C0410375A04248AFDB20DF90D884E9EBBB9FB08350F258529FD55AB390D730AD50EF50
                                            APIs
                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00AC0FD4
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AC0FFE
                                            • FreeLibrary.KERNEL32(00000000), ref: 00AC10B5
                                              • Part of subcall function 00AC0FA5: RegCloseKey.ADVAPI32(?), ref: 00AC101B
                                              • Part of subcall function 00AC0FA5: FreeLibrary.KERNEL32(?), ref: 00AC106D
                                              • Part of subcall function 00AC0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00AC1090
                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00AC1058
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                                            • String ID:
                                            • API String ID: 395352322-0
                                            • Opcode ID: a7164b9760841e1491d9bd523c8d17d7a61c94fc5ddaca6ccb529df139c7a55a
                                            • Instruction ID: 56a654088edf8d7180ec4520253aecc38504fba007002e09f52eae5e6eb2191b
                                            • Opcode Fuzzy Hash: a7164b9760841e1491d9bd523c8d17d7a61c94fc5ddaca6ccb529df139c7a55a
                                            • Instruction Fuzzy Hash: 6731ED71A01109FFDB15DF94DC89EFFB7BCEF09310F014169E511A2151EA749E869AA0
                                            APIs
                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AC62EC
                                            • GetWindowLongW.USER32(00CD4E00,000000F0), ref: 00AC631F
                                            • GetWindowLongW.USER32(00CD4E00,000000F0), ref: 00AC6354
                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00AC6386
                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00AC63B0
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00AC63C1
                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00AC63DB
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: LongWindow$MessageSend
                                            • String ID:
                                            • API String ID: 2178440468-0
                                            • Opcode ID: 24fb6bb2d0f40d378e39acaa2aefa2c0bf2bd9b3d1d5f3882ec31270afbd3d9b
                                            • Instruction ID: 9cd479a960cc6ca212e1763fa6863d07d538abdc189ac4c1f3da5f528003f3d4
                                            • Opcode Fuzzy Hash: 24fb6bb2d0f40d378e39acaa2aefa2c0bf2bd9b3d1d5f3882ec31270afbd3d9b
                                            • Instruction Fuzzy Hash: 2931FF34644294AFDB20CF58DC84F593BE2FB5A714F1A41A8F9119F3B2CB71A8419B51
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A9DB2E
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A9DB54
                                            • SysAllocString.OLEAUT32(00000000), ref: 00A9DB57
                                            • SysAllocString.OLEAUT32(?), ref: 00A9DB75
                                            • SysFreeString.OLEAUT32(?), ref: 00A9DB7E
                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 00A9DBA3
                                            • SysAllocString.OLEAUT32(?), ref: 00A9DBB1
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                            • String ID:
                                            • API String ID: 3761583154-0
                                            • Opcode ID: c1c1212e3dcd4446c31db16eeab84d7921338b350e8703d45f91d4affdc8ce81
                                            • Instruction ID: f5337adbb52f53719991090168e8b53e5fa248575f18427747e3ad7d0f529ea2
                                            • Opcode Fuzzy Hash: c1c1212e3dcd4446c31db16eeab84d7921338b350e8703d45f91d4affdc8ce81
                                            • Instruction Fuzzy Hash: DC219276700219AFDF10DFA8DC88CBB73EDEB09360B068525F914DB250D674DC818760
                                            APIs
                                              • Part of subcall function 00AB7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AB7DB6
                                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00AB61C6
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00AB61D5
                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00AB620E
                                            • connect.WSOCK32(00000000,?,00000010), ref: 00AB6217
                                            • WSAGetLastError.WSOCK32 ref: 00AB6221
                                            • closesocket.WSOCK32(00000000), ref: 00AB624A
                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00AB6263
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                            • String ID:
                                            • API String ID: 910771015-0
                                            • Opcode ID: 8ba0692fb5c97c2d313bad6d868912f9cb5919ff638cb6f8af43c744632fb65f
                                            • Instruction ID: 7b0de42e5bba327343ef3deed32443305d0bd4cce0f2e09ab54a6053fab707f1
                                            • Opcode Fuzzy Hash: 8ba0692fb5c97c2d313bad6d868912f9cb5919ff638cb6f8af43c744632fb65f
                                            • Instruction Fuzzy Hash: D8318D31600108AFEF10AF64DC85FFE7BADEB85760F054029F905A7292CB74AC059BA1
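                                             The call sequence in the entry above, socket(2,1,6) for AF_INET/SOCK_STREAM/IPPROTO_TCP, ioctlsocket with FIONBIO (0x8004667E), connect, WSAGetLastError, then closesocket or a second ioctlsocket, is the standard shape of a non-blocking TCP connect with a timeout: the socket is switched to non-blocking mode so connect returns WSAEWOULDBLOCK immediately, the caller waits for the socket to become writable, and on success the socket is switched back to blocking mode while on failure it is closed. That it belongs to the AutoIt runtime's TCPConnect is an inference from the API shape, not something the report states. The code below is an added example written for this page, not the sample's own logic and not Joe Sandbox code; it reproduces the same pattern with Python's socket module (setblocking(False) is implemented with ioctlsocket(FIONBIO) on Windows and fcntl on POSIX), and the loopback peer and port values are constructed for the demonstration.

```python
import errno
import select
import socket
from typing import Optional, Tuple

# WSAEWOULDBLOCK (10035) exists in errno only on Windows; POSIX reports a
# pending non-blocking connect as EINPROGRESS instead.
_IN_PROGRESS = {errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN,
                getattr(errno, "WSAEWOULDBLOCK", 10035)}


def connect_with_timeout(host: str, port: int,
                         timeout: float) -> Tuple[Optional[socket.socket], str]:
    """Non-blocking TCP connect with a deadline.

    Same shape as the Winsock sequence in the listing:
      socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
      ioctlsocket(s, FIONBIO, 1)            -> setblocking(False)
      connect(s, addr, 16)                  -> connect_ex()
      WSAGetLastError() == WSAEWOULDBLOCK   -> wait for writability
      ioctlsocket(s, FIONBIO, 0) on success, closesocket() on failure
    Returns (connected blocking socket, "connected") or (None, reason).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
    s.setblocking(False)
    err = s.connect_ex((host, port))  # errno instead of an exception
    if err == 0:
        pass  # loopback can complete synchronously
    elif err in _IN_PROGRESS:
        # Windows reports a failed non-blocking connect in the exceptional
        # set; POSIX reports writable plus a non-zero SO_ERROR. Check both.
        _, writable, failed = select.select([], [s], [s], timeout)
        if not writable and not failed:
            s.close()
            return None, "timeout"
        so_err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
        if failed or so_err != 0:
            s.close()
            return None, errno.errorcode.get(so_err, "error %d" % so_err)
    else:
        s.close()  # immediate failure, e.g. ECONNREFUSED on loopback
        return None, errno.errorcode.get(err, "error %d" % err)
    s.setblocking(True)  # back to blocking mode, as the second FIONBIO call does
    return s, "connected"


def loopback_listener() -> socket.socket:
    """Constructed test peer: a listener on 127.0.0.1 with an OS-chosen port."""
    ln = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ln.bind(("127.0.0.1", 0))
    ln.listen(1)
    return ln


def unused_loopback_port() -> int:
    """Constructed test helper: reserve and release a port so nothing listens on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    ln = loopback_listener()
    s, why = connect_with_timeout("127.0.0.1", ln.getsockname()[1], 2.0)
    print("listening port:", why)
    if s:
        s.close()
    ln.close()
    _, why = connect_with_timeout("127.0.0.1", unused_loopback_port(), 2.0)
    print("closed port:", why)
```

                                             The point for triage is the failure branch: a C2 client written this way closes the socket and retries later rather than hanging in connect, which is why a sandbox run with the C2 unreachable still shows the full socket/ioctlsocket/connect/closesocket sequence without any data exchange.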
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: __wcsnicmp
                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                            • API String ID: 1038674560-2734436370
                                            • Opcode ID: 82144ad99b7c0a46e9093001828b7bc63110a7dbc7481c302d85ba67a9b222e7
                                            • Instruction ID: 0fc581bfe07c86b4e1faa626f7a49f7d394b2f80d1ec080f589f4464682922ac
                                            • Opcode Fuzzy Hash: 82144ad99b7c0a46e9093001828b7bc63110a7dbc7481c302d85ba67a9b222e7
                                            • Instruction Fuzzy Hash: 272168723046517EDA20EB34AD02FB773E8EF55350F14443AF986CB191EB61AD82C395
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A9DC09
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A9DC2F
                                            • SysAllocString.OLEAUT32(00000000), ref: 00A9DC32
                                            • SysAllocString.OLEAUT32 ref: 00A9DC53
                                            • SysFreeString.OLEAUT32 ref: 00A9DC5C
                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 00A9DC76
                                            • SysAllocString.OLEAUT32(?), ref: 00A9DC84
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                            • String ID:
                                            • API String ID: 3761583154-0
                                            • Opcode ID: 7fe51e029c46ead3e0c68dbc58143ed90bb818954b481b140c226897989e80f4
                                            • Instruction ID: 28de9204c5bdba46d7d1312d1b75dd18616fe8134aa464ab15fd79d9c273cd38
                                            • Opcode Fuzzy Hash: 7fe51e029c46ead3e0c68dbc58143ed90bb818954b481b140c226897989e80f4
                                            • Instruction Fuzzy Hash: 65213C75704204AF9F14EBF8DD88DAB77EDEB09360B118126F915DB2A1DAB0DC81CB64
                                            APIs
                                              • Part of subcall function 00A41D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A41D73
                                              • Part of subcall function 00A41D35: GetStockObject.GDI32(00000011), ref: 00A41D87
                                              • Part of subcall function 00A41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A41D91
                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00AC7632
                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00AC763F
                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00AC764A
                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00AC7659
                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00AC7665
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$CreateObjectStockWindow
                                            • String ID: Msctls_Progress32
                                            • API String ID: 1025951953-3636473452
                                            • Opcode ID: 72090f7c6414f44ec3750a72a88de76b7a07b084f43405f0c8ca459f5880603a
                                            • Instruction ID: 3f9ab38da95764004297b6ef2842f1f62eda2445d3d6f4dd552f8d3b317fce74
                                            • Opcode Fuzzy Hash: 72090f7c6414f44ec3750a72a88de76b7a07b084f43405f0c8ca459f5880603a
                                            • Instruction Fuzzy Hash: 101160B215021DBFEF159F64CC85EEB7F6EEF08798F114115BA44A60A0CA729C21DBA4
                                            APIs
                                            • __init_pointers.LIBCMT ref: 00A69AE6
                                              • Part of subcall function 00A63187: EncodePointer.KERNEL32(00000000), ref: 00A6318A
                                              • Part of subcall function 00A63187: __initp_misc_winsig.LIBCMT ref: 00A631A5
                                              • Part of subcall function 00A63187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A69EA0
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A69EB4
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A69EC7
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A69EDA
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A69EED
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00A69F00
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00A69F13
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00A69F26
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00A69F39
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00A69F4C
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00A69F5F
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00A69F72
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00A69F85
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00A69F98
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00A69FAB
                                              • Part of subcall function 00A63187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00A69FBE
                                            • __mtinitlocks.LIBCMT ref: 00A69AEB
                                            • __mtterm.LIBCMT ref: 00A69AF4
                                              • Part of subcall function 00A69B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00A69AF9,00A67CD0,00AFA0B8,00000014), ref: 00A69C56
                                              • Part of subcall function 00A69B5C: _free.LIBCMT ref: 00A69C5D
                                              • Part of subcall function 00A69B5C: DeleteCriticalSection.KERNEL32(00AFEC00,?,?,00A69AF9,00A67CD0,00AFA0B8,00000014), ref: 00A69C7F
                                            • __calloc_crt.LIBCMT ref: 00A69B19
                                            • __initptd.LIBCMT ref: 00A69B3B
                                            • GetCurrentThreadId.KERNEL32 ref: 00A69B42
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                            • String ID:
                                            • API String ID: 3567560977-0
                                            • Opcode ID: 5978306f1a7619007479139a17cb8bb11ac6413ba983d1540c2f7933d77eb0ed
                                            • Instruction ID: e09d6e51089044e1533b96275252607506624c5e15fd822e76009c176e99d262
                                            • Opcode Fuzzy Hash: 5978306f1a7619007479139a17cb8bb11ac6413ba983d1540c2f7933d77eb0ed
                                            • Instruction Fuzzy Hash: C6F0963250971159EA34BBB47E0365B76FDDF02770F200A29F550C60D2EF7084424160
                                            APIs
                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00A63F85), ref: 00A64085
                                            • GetProcAddress.KERNEL32(00000000), ref: 00A6408C
                                            • EncodePointer.KERNEL32(00000000), ref: 00A64097
                                            • DecodePointer.KERNEL32(00A63F85), ref: 00A640B2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                            • String ID: RoUninitialize$combase.dll
                                            • API String ID: 3489934621-2819208100
                                            • Opcode ID: 9d5e72c6ea8677c87e67ac07def71963fd1aade4f09eb29650c8bfd3191f5dcd
                                            • Instruction ID: e3b9543103ad608b4837085e62b24927bce00c425b92c99fae58e41efc90721e
                                            • Opcode Fuzzy Hash: 9d5e72c6ea8677c87e67ac07def71963fd1aade4f09eb29650c8bfd3191f5dcd
                                            • Instruction Fuzzy Hash: C5E092B4581300EFEB10AFA1EC0DB453AEAB728B42F124426F552E62A0CFB64605CB14
                                            APIs
                                            • GetClientRect.USER32(?,?), ref: 00A41DDC
                                            • GetWindowRect.USER32(?,?), ref: 00A41E1D
                                            • ScreenToClient.USER32(?,?), ref: 00A41E45
                                            • GetClientRect.USER32(?,?), ref: 00A41F74
                                            • GetWindowRect.USER32(?,?), ref: 00A41F8D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Rect$Client$Window$Screen
                                            • String ID:
                                            • API String ID: 1296646539-0
                                            • Opcode ID: db94c91ed1ea32e75b6dfa2c1fe7b6eeb2a264993839748c05971fc84ca5bfc1
                                            • Instruction ID: b089297a388c6868b1be4c82f6bf48a09a061e8110a0574ee2bc16bb9948e1fc
                                            • Opcode Fuzzy Hash: db94c91ed1ea32e75b6dfa2c1fe7b6eeb2a264993839748c05971fc84ca5bfc1
                                            • Instruction Fuzzy Hash: 8CB14B7990024ADBDF10CFA8C9817EEB7B1FF48310F14C52AEC599B254DB30AA95CB64
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _memmove$__itow__swprintf
                                            • String ID:
                                            • API String ID: 3253778849-0
                                            • Opcode ID: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
                                            • Instruction ID: c616d69d3b64afb6da92d3ae1c18b787d5b9d24a726aeb10080fdc9bce3fa594
                                            • Opcode Fuzzy Hash: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
                                            • Instruction Fuzzy Hash: 16619B3490025A9BCF15EF64CE82EFF37A9AF86308F084928F8555B1D2DB35E856CB50
                                            APIs
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                              • Part of subcall function 00AC0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ABFDAD,?,?), ref: 00AC0E31
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AC02BD
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AC02FD
                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00AC0320
                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00AC0349
                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AC038C
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00AC0399
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                            • String ID:
                                            • API String ID: 4046560759-0
                                            • Opcode ID: 033bc4ea9817f1eea16a699b25e8206f2755534af34f7d351c5bc4a331ab0ff9
                                            • Instruction ID: 935c7588718e57c7c0dbbfd43901162095d3368aa54d38dc0f41d2c6d95e8260
                                            • Opcode Fuzzy Hash: 033bc4ea9817f1eea16a699b25e8206f2755534af34f7d351c5bc4a331ab0ff9
                                            • Instruction Fuzzy Hash: A4513631208240AFCB10EF64C985EAFBBE9FF84714F05491DF5958B2A2DB31E905CB52
                                            APIs
                                            • GetMenu.USER32(?), ref: 00AC57FB
                                            • GetMenuItemCount.USER32(00000000), ref: 00AC5832
                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00AC585A
                                            • GetMenuItemID.USER32(?,?), ref: 00AC58C9
                                            • GetSubMenu.USER32(?,?), ref: 00AC58D7
                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 00AC5928
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Menu$Item$CountMessagePostString
                                            • String ID:
                                            • API String ID: 650687236-0
                                            • Opcode ID: 4d335ed880f2017fc6dd5205e833fe434b4a6759e3b9424b72398482e3197487
                                            • Instruction ID: 1b42b713c7c2db549510c24bb69cebf15692f0bd3a71304e7031dd5a8bb84942
                                            • Opcode Fuzzy Hash: 4d335ed880f2017fc6dd5205e833fe434b4a6759e3b9424b72398482e3197487
                                            • Instruction Fuzzy Hash: 69516A35E00615EFCF11EFA4C945EAEB7B5EF48320F1140A9F802AB351CB74AE819B90
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 00A9EF06
                                            • VariantClear.OLEAUT32(00000013), ref: 00A9EF78
                                            • VariantClear.OLEAUT32(00000000), ref: 00A9EFD3
                                            • _memmove.LIBCMT ref: 00A9EFFD
                                            • VariantClear.OLEAUT32(?), ref: 00A9F04A
                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A9F078
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Variant$Clear$ChangeInitType_memmove
                                            • String ID:
                                            • API String ID: 1101466143-0
                                            • Opcode ID: 733d239dddc4f8c12ab0a3c31e39702d8749f12eb76aa8e49ea225c6727f9ac6
                                            • Instruction ID: 03dc07494b1e0270907e60c8723d4fd919b838b5a313940fc998c8ff2324cc42
                                            • Opcode Fuzzy Hash: 733d239dddc4f8c12ab0a3c31e39702d8749f12eb76aa8e49ea225c6727f9ac6
                                            • Instruction Fuzzy Hash: 025147B5A00209EFDB14CF58C884AAAB7F9FF4C314B15856AE959DB301E735E911CBA0
                                            APIs
                                            • _memset.LIBCMT ref: 00AA2258
                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AA22A3
                                            • IsMenu.USER32(00000000), ref: 00AA22C3
                                            • CreatePopupMenu.USER32 ref: 00AA22F7
                                            • GetMenuItemCount.USER32(000000FF), ref: 00AA2355
                                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00AA2386
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                            • String ID:
                                            • API String ID: 3311875123-0
                                            • Opcode ID: 937da1a84fda7d634e9734a5c7d9faef6230fc26736101c0e09926f3b12ce698
                                            • Instruction ID: 06a90678f12290b8f8bd94d2aa9caf7e59efbe5ea081bf33cf0614ff29c24f46
                                            • Opcode Fuzzy Hash: 937da1a84fda7d634e9734a5c7d9faef6230fc26736101c0e09926f3b12ce698
                                            • Instruction Fuzzy Hash: DA51CB7060020AEFDF25CF6CC988BAEBBF5AF47314F104229E811AB2D0D3758924CB61
                                            APIs
                                              • Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623
                                            • BeginPaint.USER32(?,?,?,?,?,?), ref: 00A4179A
                                            • GetWindowRect.USER32(?,?), ref: 00A417FE
                                            • ScreenToClient.USER32(?,?), ref: 00A4181B
                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A4182C
                                            • EndPaint.USER32(?,?), ref: 00A41876
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                            • String ID:
                                            • API String ID: 1827037458-0
                                            • Opcode ID: 25f36e784103b92201dd057c37d5c72f32160e9e028422fc23b5bed2bd0d6c53
                                            • Instruction ID: b03cdc5404c7b3246bed6f639e5a110af724f83a482d5c40fbb26987598b80d4
                                            • Opcode Fuzzy Hash: 25f36e784103b92201dd057c37d5c72f32160e9e028422fc23b5bed2bd0d6c53
                                            • Instruction Fuzzy Hash: DA419F75104700AFD720DF24CC84FBB7BF9EB95724F148669F9A4871A1CB309885DB62
                                            APIs
                                            • ShowWindow.USER32(00B057B0,00000000,00CD4E00,?,?,00B057B0,?,00ACB5A8,?,?), ref: 00ACB712
                                            • EnableWindow.USER32(00000000,00000000), ref: 00ACB736
                                            • ShowWindow.USER32(00B057B0,00000000,00CD4E00,?,?,00B057B0,?,00ACB5A8,?,?), ref: 00ACB796
                                            • ShowWindow.USER32(00000000,00000004,?,00ACB5A8,?,?), ref: 00ACB7A8
                                            • EnableWindow.USER32(00000000,00000001), ref: 00ACB7CC
                                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00ACB7EF
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$Show$Enable$MessageSend
                                            • String ID:
                                            • API String ID: 642888154-0
                                            • Opcode ID: 0357a20c9f3aefd533667d351859aaf002d40d17ccfc5eaf8d5f011cf83bcab3
                                            • Instruction ID: b81e1de8d7e5a1b2f2b6fed45175d8fd7650ce948916626e48dad5e98ec0b66b
                                            • Opcode Fuzzy Hash: 0357a20c9f3aefd533667d351859aaf002d40d17ccfc5eaf8d5f011cf83bcab3
                                            • Instruction Fuzzy Hash: A4416434602140AFDB25CF28C49AF947BE1FF45310F1941BDED489F6A2C732A856CB61
                                            APIs
                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,00AB4E41,?,?,00000000,00000001), ref: 00AB70AC
                                              • Part of subcall function 00AB39A0: GetWindowRect.USER32(?,?), ref: 00AB39B3
                                            • GetDesktopWindow.USER32 ref: 00AB70D6
                                            • GetWindowRect.USER32(00000000), ref: 00AB70DD
                                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00AB710F
                                              • Part of subcall function 00AA5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AA52BC
                                            • GetCursorPos.USER32(?), ref: 00AB713B
                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00AB7199
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                            • String ID:
                                            • API String ID: 4137160315-0
                                            • Opcode ID: b6cf4dddcd50181a75d4d57e8ede23dd0f538b6391df0412e029290232e979b6
                                            • Instruction ID: 7bf99a2975cdd782f41814954f48d6f99b13e43bf0a34167a775406609d07eb9
                                            • Opcode Fuzzy Hash: b6cf4dddcd50181a75d4d57e8ede23dd0f538b6391df0412e029290232e979b6
                                            • Instruction Fuzzy Hash: FA31A272505305AFD720DF54D849F9BB7AAFB89314F000519F58597192CB70EA098B92
                                            APIs
                                              • Part of subcall function 00A980A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A980C0
                                              • Part of subcall function 00A980A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A980CA
                                              • Part of subcall function 00A980A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A980D9
                                              • Part of subcall function 00A980A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A980E0
                                              • Part of subcall function 00A980A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A980F6
                                            • GetLengthSid.ADVAPI32(?,00000000,00A9842F), ref: 00A988CA
                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A988D6
                                            • HeapAlloc.KERNEL32(00000000), ref: 00A988DD
                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 00A988F6
                                            • GetProcessHeap.KERNEL32(00000000,00000000,00A9842F), ref: 00A9890A
                                            • HeapFree.KERNEL32(00000000), ref: 00A98911
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                            • String ID:
                                            • API String ID: 3008561057-0
                                            • Opcode ID: 905359838b8f9616a1f81a4b9d9707702204e100829824e854c4453471039da3
                                            • Instruction ID: df62dcd7f5b7753799fce9f08622de17b0171bdd23957e3b98b8ae1855a85e9b
                                            • Opcode Fuzzy Hash: 905359838b8f9616a1f81a4b9d9707702204e100829824e854c4453471039da3
                                            • Instruction Fuzzy Hash: 1511AC72601209FFDF10DFE4DC0AFBE7BA9EB46311F148129E88597210DB3A9901DB60
                                            APIs
                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A985E2
                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00A985E9
                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A985F8
                                            • CloseHandle.KERNEL32(00000004), ref: 00A98603
                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A98632
                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00A98646
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                            • String ID:
                                            • API String ID: 1413079979-0
                                            • Opcode ID: 6ae6fa4a39cf181aa328f3d0a7969b7b781764a818d6d525dc2e842f339eae6c
                                            • Instruction ID: 4c0062256d5ef891075baddd329770b93021cdc94aad2b90eb46363815c4f84d
                                            • Opcode Fuzzy Hash: 6ae6fa4a39cf181aa328f3d0a7969b7b781764a818d6d525dc2e842f339eae6c
                                            • Instruction Fuzzy Hash: 081167B2200249AFDF01CFA8DC48FEA7BE9EB09304F054025FE00A2160C6768E65EB60
                                            APIs
                                            • GetDC.USER32(00000000), ref: 00A9B7B5
                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00A9B7C6
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A9B7CD
                                            • ReleaseDC.USER32(00000000,00000000), ref: 00A9B7D5
                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A9B7EC
                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 00A9B7FE
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CapsDevice$Release
                                            • String ID:
                                            • API String ID: 1035833867-0
                                            • Opcode ID: 839475d223022081a990220a549d057f7ae0ad3e9fe6a407b93411d3e0935804
                                            • Instruction ID: c84a43aa6aeb7bc51250571908118b3362f4ec7d37a1e2279e7de845cd989d67
                                            • Opcode Fuzzy Hash: 839475d223022081a990220a549d057f7ae0ad3e9fe6a407b93411d3e0935804
                                            • Instruction Fuzzy Hash: 3A017175A00209BFEF109BE69D45E5EBFA9EB48711F004065FA04A7291D6309C01CFA0
                                            APIs
                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A60193
                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00A6019B
                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A601A6
                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A601B1
                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00A601B9
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A601C1
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Virtual
                                            • String ID:
                                            • API String ID: 4278518827-0
                                            • Opcode ID: 03dbff51c1be348145e3c1f8cb721217d213fdbbee5a82cca56bb2963564b68e
                                            • Instruction ID: 56af3ea0737e4e6754854b9caf2b69addf8b11548b2430505cc4c168657cc1cc
                                            • Opcode Fuzzy Hash: 03dbff51c1be348145e3c1f8cb721217d213fdbbee5a82cca56bb2963564b68e
                                            • Instruction Fuzzy Hash: 87016CB09017597DE3008F5A8C85B52FFE8FF19354F00411BA15C47941C7F5A864CBE5
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AA53F9
                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AA540F
                                            • GetWindowThreadProcessId.USER32(?,?), ref: 00AA541E
                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AA542D
                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AA5437
                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AA543E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                            • String ID:
                                            • API String ID: 839392675-0
                                            • Opcode ID: 19c41daee8ceb62538de8bbbb4f062e016f1233a885a13df1ab5b69ba872ee10
                                            • Instruction ID: b189515700c79d3b35bb1253c82599e12fdf6493126f370e4f0e26d7015c17b2
                                            • Opcode Fuzzy Hash: 19c41daee8ceb62538de8bbbb4f062e016f1233a885a13df1ab5b69ba872ee10
                                            • Instruction Fuzzy Hash: 3DF09032240598BFE7209BE2DC0DEEF7B7DEFCAB11F010169FA05D1090D7A11A0286B5
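                                             The API trace for the function at 00AA53F9 above shows a two-stage window kill: a WM_CLOSE (0x10) is posted and then sent with SendMessageTimeoutW (SMTO_ABORTIFHUNG = 0x2, timeout 0x1F4 = 500 ms), after which the owning process is opened with PROCESS_ALL_ACCESS (0x1F0FFF) and terminated outright. The same shape of sequence is what AutoIt's WinKill() produces, which fits the "compiled AutoIt script" signature in the overview. The block below is an added example, not part of the Joe Sandbox report: a small parser for the "• API.MODULE(args), ref: ADDR" lines in this section (including the "Part of subcall function" form and the argument-less LIBCMT form), a decoder for the constants that appear on this page, and a check for the close-then-terminate pattern. The sample input is the six lines of that function copied from the report; the constant names are the documented Win32 values for those arguments.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the six API lines of the function at 00AA53F9 in the report.
SAMPLE = """
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AA53F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AA540F
• GetWindowThreadProcessId.USER32(?,?), ref: 00AA541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AA542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AA5437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AA543E
"""

# One report line: optional "Part of subcall function XXXX:" prefix, API.MODULE,
# optional "(args)", then "ref: ADDR". LIBCMT entries have no parenthesised args.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 constant names, keyed by (API, zero-based argument index).
# Only values that occur in this section of the report are listed.
CONSTANTS = {
    ("PostMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},
    ("GetDeviceCaps", 1): {0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY"},
    ("MapVirtualKeyW", 0): {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT",
                            0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"},
    ("HttpQueryInfoW", 1): {5: "HTTP_QUERY_CONTENT_LENGTH"},
    ("SetErrorMode", 0): {1: "SEM_FAILCRITICALERRORS"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list              # int for hex literals, None for '?', str otherwise
    ref: int                # address of the call site
    subcall_of: Optional[int] = None

    def arg_name(self, i: int) -> Optional[str]:
        """Symbolic name for argument i, if the table knows it."""
        v = self.args[i] if i < len(self.args) else None
        return CONSTANTS.get((self.api, i), {}).get(v)


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                      # value not recovered by the sandbox
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)              # 32-bit stack slot shown as hex
    return tok                           # e.g. a string like DllGetClassObject


def parse_api_block(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def annotate(call: ApiCall) -> str:
    """Render a call with known constants replaced by their names."""
    parts = []
    for i, a in enumerate(call.args):
        name = call.arg_name(i)
        if name:
            parts.append(name)
        elif a is None:
            parts.append("?")
        else:
            parts.append(f"0x{a:X}" if isinstance(a, int) else a)
    return f"{call.api}.{call.module}({', '.join(parts)})"


def forced_close_sequence(calls: list) -> bool:
    """True when a WM_CLOSE is posted or sent and the same function then opens
    a process and calls TerminateProcess afterwards (the WinKill-style pattern)."""
    names = [c.api for c in calls]
    closers = [i for i, c in enumerate(calls)
               if c.api in ("PostMessageW", "SendMessageW", "SendMessageTimeoutW")
               and c.arg_name(1) == "WM_CLOSE"]
    if not closers:
        return False
    try:
        op = names.index("OpenProcess", closers[0])
        names.index("TerminateProcess", op)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    calls = parse_api_block(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X}  {annotate(c)}")
    print("forced close sequence:", forced_close_sequence(calls))
```

The parser keeps every stack slot the sandbox printed, including the stale values (0x10, 0x2, 0x1F4) that leak into later calls' argument lists because they sit above the return address; only the arguments the table knows are decoded, so an unknown value stays a raw number rather than being guessed.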
                                            APIs
                                            • InterlockedExchange.KERNEL32(?,?), ref: 00AA7243
                                            • EnterCriticalSection.KERNEL32(?,?,00A50EE4,?,?), ref: 00AA7254
                                            • TerminateThread.KERNEL32(00000000,000001F6,?,00A50EE4,?,?), ref: 00AA7261
                                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00A50EE4,?,?), ref: 00AA726E
                                              • Part of subcall function 00AA6C35: CloseHandle.KERNEL32(00000000,?,00AA727B,?,00A50EE4,?,?), ref: 00AA6C3F
                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AA7281
                                            • LeaveCriticalSection.KERNEL32(?,?,00A50EE4,?,?), ref: 00AA7288
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                            • String ID:
                                            • API String ID: 3495660284-0
                                            • Opcode ID: 63935a77fd89e6c9254e1ec3fd9af9493c12ef4769d9e36f253ed3546ae6245b
                                            • Instruction ID: 877a4b383523055e1d64ceb1366556b0ff76985df0204fea854e7bf5ba119d3a
                                            • Opcode Fuzzy Hash: 63935a77fd89e6c9254e1ec3fd9af9493c12ef4769d9e36f253ed3546ae6245b
                                            • Instruction Fuzzy Hash: D1F05E7A540612EFE7115BA4ED4CEEB773AEF45712B160632F603910A0CB765802CB50
                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A9899D
                                            • UnloadUserProfile.USERENV(?,?), ref: 00A989A9
                                            • CloseHandle.KERNEL32(?), ref: 00A989B2
                                            • CloseHandle.KERNEL32(?), ref: 00A989BA
                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00A989C3
                                            • HeapFree.KERNEL32(00000000), ref: 00A989CA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                            • String ID:
                                            • API String ID: 146765662-0
                                            • Opcode ID: 5f0720ee423c824d14744904acba8f434890dba3de533a07ecc146d3f21cd2ac
                                            • Instruction ID: 2583cdc89f3f9e9d46e41263176b1abc436c4438e12cd6d4ea80ce8068961111
                                            • Opcode Fuzzy Hash: 5f0720ee423c824d14744904acba8f434890dba3de533a07ecc146d3f21cd2ac
                                            • Instruction Fuzzy Hash: 05E0C236004401FFDA019FE2EC0CD0ABB6AFB89322B168232F32985170CB329422DB50
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 00AB8613
                                            • CharUpperBuffW.USER32(?,?), ref: 00AB8722
                                            • VariantClear.OLEAUT32(?), ref: 00AB889A
                                              • Part of subcall function 00AA7562: VariantInit.OLEAUT32(00000000), ref: 00AA75A2
                                              • Part of subcall function 00AA7562: VariantCopy.OLEAUT32(00000000,?), ref: 00AA75AB
                                              • Part of subcall function 00AA7562: VariantClear.OLEAUT32(00000000), ref: 00AA75B7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                            • API String ID: 4237274167-1221869570
                                            • Opcode ID: cebab4f25e9524a0a54eead8853da047e8e4d98bde9063a796c0be0723b276bd
                                            • Instruction ID: 4b8ce9957c51b9d5cb015e3e9aa47f82a50626efa511ad62efa843b49d97d127
                                            • Opcode Fuzzy Hash: cebab4f25e9524a0a54eead8853da047e8e4d98bde9063a796c0be0723b276bd
                                            • Instruction Fuzzy Hash: A9916C746043019FC710DF68C58499BBBF8EF89754F14496EF88A8B362DB31E945CB51
                                            APIs
                                              • Part of subcall function 00A5FC86: _wcscpy.LIBCMT ref: 00A5FCA9
                                            • _memset.LIBCMT ref: 00AA2B87
                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AA2BB6
                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AA2C69
                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00AA2C97
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ItemMenu$Info$Default_memset_wcscpy
                                            • String ID: 0
                                            • API String ID: 4152858687-4108050209
                                            • Opcode ID: 1510883df17bc4e8ebd8339274b3ba3c4c4628a38c2c4ce3b85c41b8b9af7867
                                            • Instruction ID: 19870fccde495e5aecc3c55cb4402b9239f527b62fd074912b68363fe7dad734
                                            • Opcode Fuzzy Hash: 1510883df17bc4e8ebd8339274b3ba3c4c4628a38c2c4ce3b85c41b8b9af7867
                                            • Instruction Fuzzy Hash: 05519A716083009FD7259F2CD945B6FBBE8EB9A360F040A2DF895971D1DB60CD648B62
                                            APIs
                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A9D5D4
                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A9D60A
                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A9D61B
                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A9D69D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                            • String ID: DllGetClassObject
                                            • API String ID: 753597075-1075368562
                                            • Opcode ID: 2fc73c83152583a0826089bd35ac1f16cd214d8e870c534a993d991d7db56498
                                            • Instruction ID: 7d65eceb65a392e1b3617b64277b48854acc71487e11277b48b296ebfbd02f0a
                                            • Opcode Fuzzy Hash: 2fc73c83152583a0826089bd35ac1f16cd214d8e870c534a993d991d7db56498
                                            • Instruction Fuzzy Hash: 9D417CB1610204EFDF05CF64C884AAABBF9EF54314F1581AAEE099F205D7B1DD84DBA0
                                            APIs
                                            • _memset.LIBCMT ref: 00AA27C0
                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00AA27DC
                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 00AA2822
                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B05890,00000000), ref: 00AA286B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Menu$Delete$InfoItem_memset
                                            • String ID: 0
                                            • API String ID: 1173514356-4108050209
                                            • Opcode ID: 242edce209fc415cea7320e8fc998e8e8553c0827cc8df8bb683f55ddd3e08f4
                                            • Instruction ID: aa97a32619ed6eba6272dba82fbbad594db00cc6ede6b63e66561a2842c98d02
                                            • Opcode Fuzzy Hash: 242edce209fc415cea7320e8fc998e8e8553c0827cc8df8bb683f55ddd3e08f4
                                            • Instruction Fuzzy Hash: 0B41B0702043419FDB20DF28C844F1ABBE8EF8A314F14492DF9A5972D1DB34E915CB62
                                            APIs
                                            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00ABD7C5
                                              • Part of subcall function 00A4784B: _memmove.LIBCMT ref: 00A47899
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: BuffCharLower_memmove
                                            • String ID: cdecl$none$stdcall$winapi
                                            • API String ID: 3425801089-567219261
                                            • Opcode ID: d55e3375adb1df8f391c0473616bf932b27f4bec8e8117daa8fa7945170a5a89
                                            • Instruction ID: cad9d3dbe2476a81f7e6979661bdbff96935dcec416a98879fa05f4d3ffbf87e
                                            • Opcode Fuzzy Hash: d55e3375adb1df8f391c0473616bf932b27f4bec8e8117daa8fa7945170a5a89
                                            • Instruction Fuzzy Hash: 5D319E71904619ABCF00EFA4C9519FEB3B9FF54320B10862AE865976D2EB31A905CB80
                                            APIs
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                              • Part of subcall function 00A9AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A9AABC
                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A98F14
                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A98F27
                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00A98F57
                                              • Part of subcall function 00A47BCC: _memmove.LIBCMT ref: 00A47C06
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$_memmove$ClassName
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 365058703-1403004172
                                            • Opcode ID: 8e502619884a323f746d7312d921427adb86661e72bf5d50d459df0c16d6ef65
                                            • Instruction ID: a0c307da3898f7194463a7ac08f072ec87411eb9936402ff7940381bb75e91da
                                            • Opcode Fuzzy Hash: 8e502619884a323f746d7312d921427adb86661e72bf5d50d459df0c16d6ef65
                                            • Instruction Fuzzy Hash: F621E175A04108BFDF14ABB0CC85DFFB7B9DF46360B148529F426972E1DF39484A9650
                                            APIs
                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AB184C
                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AB1872
                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AB18A2
                                            • InternetCloseHandle.WININET(00000000), ref: 00AB18E9
                                              • Part of subcall function 00AB2483: GetLastError.KERNEL32(?,?,00AB1817,00000000,00000000,00000001), ref: 00AB2498
                                              • Part of subcall function 00AB2483: SetEvent.KERNEL32(?,?,00AB1817,00000000,00000000,00000001), ref: 00AB24AD
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                            • String ID:
                                            • API String ID: 3113390036-3916222277
                                            • Opcode ID: fbb13e08f96ee9833bd34febdb0f1cd6e886abbe2f7a532d679f9b2f3a911880
                                            • Instruction ID: 93eacac051d86f26891f60d1dd881873b414e64e19d017d7575c0d290fdc2ab0
                                            • Opcode Fuzzy Hash: fbb13e08f96ee9833bd34febdb0f1cd6e886abbe2f7a532d679f9b2f3a911880
                                            • Instruction Fuzzy Hash: 6B218BB2500208BFEB119FA4DC95EFB77FEFB48744F50412AF805E6241EA219E0697A1
                                            APIs
                                              • Part of subcall function 00A41D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A41D73
                                              • Part of subcall function 00A41D35: GetStockObject.GDI32(00000011), ref: 00A41D87
                                              • Part of subcall function 00A41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A41D91
                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00AC6461
                                            • LoadLibraryW.KERNEL32(?), ref: 00AC6468
                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00AC647D
                                            • DestroyWindow.USER32(?), ref: 00AC6485
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                            • String ID: SysAnimate32
                                            • API String ID: 4146253029-1011021900
                                            • Opcode ID: af62ea1eb35d4e3567815906f8feab6cee3e3de854a4847f0e04ca1373226aab
                                            • Instruction ID: b430120369b9e222762d675c15f2bd5a1e9d69b4e09def601d9f4fafa4468e2c
                                            • Opcode Fuzzy Hash: af62ea1eb35d4e3567815906f8feab6cee3e3de854a4847f0e04ca1373226aab
                                            • Instruction Fuzzy Hash: CF217771200205BFEF14CFA4DE80FBB37ADEF58328F128629FA2096190D7319C81A760
                                            APIs
                                            • GetStdHandle.KERNEL32(0000000C), ref: 00AA6DBC
                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AA6DEF
                                            • GetStdHandle.KERNEL32(0000000C), ref: 00AA6E01
                                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00AA6E3B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CreateHandle$FilePipe
                                            • String ID: nul
                                            • API String ID: 4209266947-2873401336
                                            • Opcode ID: 8732a25baca121ea7554b4b3aeff2a207b8b30cd6cdbc1ddbecfd853aa97fc9b
                                            • Instruction ID: c415f7fba9729b64f3f865b88059e1eb4548d117af7e1c9c0ecd9e0ccc4d9fa5
                                            • Opcode Fuzzy Hash: 8732a25baca121ea7554b4b3aeff2a207b8b30cd6cdbc1ddbecfd853aa97fc9b
                                            • Instruction Fuzzy Hash: 3C219074600209AFDB209F79DC04A9ABBF4EF56760F284A29FDA0D72D0DB7099518F50
                                            APIs
                                            • GetStdHandle.KERNEL32(000000F6), ref: 00AA6E89
                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AA6EBB
                                            • GetStdHandle.KERNEL32(000000F6), ref: 00AA6ECC
                                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00AA6F06
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CreateHandle$FilePipe
                                            • String ID: nul
                                            • API String ID: 4209266947-2873401336
                                            • Opcode ID: bddf12b1da420e786eb8ab5e508b4be59a53456bdce2d76f26cc50b7aa8167fd
                                            • Instruction ID: 2713a6e6f87f53458bbdfe6aea334ae900e983ca7939fbd08820050ac6cd05f6
                                            • Opcode Fuzzy Hash: bddf12b1da420e786eb8ab5e508b4be59a53456bdce2d76f26cc50b7aa8167fd
                                            • Instruction Fuzzy Hash: D62171B9600305AFDB309F69DC04AAAB7A8EF56730F280A19FDA1D72D0D771A851CF50
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 00AAAC54
                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AAACA8
                                            • __swprintf.LIBCMT ref: 00AAACC1
                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,00ACF910), ref: 00AAACFF
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ErrorMode$InformationVolume__swprintf
                                            • String ID: %lu
                                            • API String ID: 3164766367-685833217
                                            • Opcode ID: 22c8c7acda2b6fed201669a640271fbd29dc058b86ed43868318b0cd86c2b8fc
                                            • Instruction ID: 9274e273b4bda929ebafac2e9dc9a0d11512364c6ec691b75696ed5aefb2240e
                                            • Opcode Fuzzy Hash: 22c8c7acda2b6fed201669a640271fbd29dc058b86ed43868318b0cd86c2b8fc
                                            • Instruction Fuzzy Hash: D9214135A00109AFCB10DFA5CA45DAF7BF8FF89714B004469F909AB252DB31EA51CB61
                                            APIs
                                            • CharUpperBuffW.USER32(?,?), ref: 00AA1B19
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: BuffCharUpper
                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                            • API String ID: 3964851224-769500911
                                            • Opcode ID: 8a1b72fd0f12cf01f7005a2a49248db97936ff052c1f0bfd6c55b52291e95ab5
                                            • Instruction ID: c8c06eee9b5a33d254ce6999af7f8fc284c34ea3b542c606cecb193b97b280a7
                                            • Opcode Fuzzy Hash: 8a1b72fd0f12cf01f7005a2a49248db97936ff052c1f0bfd6c55b52291e95ab5
                                            • Instruction Fuzzy Hash: 1D115E759001489FCF00EFA4D9518FEB7B5FF26744F504465E864672A2EB325D06DB50
                                            APIs
                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00ABEC07
                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00ABEC37
                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00ABED6A
                                            • CloseHandle.KERNEL32(?), ref: 00ABEDEB
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                            • String ID:
                                            • API String ID: 2364364464-0
                                            • Opcode ID: 720c1d3af9345e7559e8afa2aec7ada461816908869c08d0286aecec964148a6
                                            • Instruction ID: c1bca18f5bb57ed592c4d2b72feeea0615150f2551a99c31aa2cd65c773ba1ec
                                            • Opcode Fuzzy Hash: 720c1d3af9345e7559e8afa2aec7ada461816908869c08d0286aecec964148a6
                                            • Instruction Fuzzy Hash: 7C8161756003009FD760EF28D986F6BB7E9AF84B10F14881DF999DB292D7B4AC41CB91
                                            APIs
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                              • Part of subcall function 00AC0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ABFDAD,?,?), ref: 00AC0E31
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AC00FD
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AC013C
                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00AC0183
                                            • RegCloseKey.ADVAPI32(?,?), ref: 00AC01AF
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00AC01BC
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                            • String ID:
                                            • API String ID: 3440857362-0
                                            • Opcode ID: d24e6ba25c2233acb920aebd763f600372999ebd44a72c74e00f121dd38572c4
                                            • Instruction ID: 61d0a3b17b3302b4676f9e91b3fab7884d33633a591cac255b3426d9b6150e42
                                            • Opcode Fuzzy Hash: d24e6ba25c2233acb920aebd763f600372999ebd44a72c74e00f121dd38572c4
                                            • Instruction Fuzzy Hash: DE515671208204AFCB14EF68C981F6AB7E9FF88714F45892DF595872A2DB31E905CB52
                                            APIs
                                              • Part of subcall function 00A49837: __itow.LIBCMT ref: 00A49862
                                              • Part of subcall function 00A49837: __swprintf.LIBCMT ref: 00A498AC
                                            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00ABD927
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00ABD9AA
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00ABD9C6
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00ABDA07
                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00ABDA21
                                              • Part of subcall function 00A45A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AA7896,?,?,00000000), ref: 00A45A2C
                                              • Part of subcall function 00A45A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AA7896,?,?,00000000,?,?), ref: 00A45A50
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                            • String ID:
                                            • API String ID: 327935632-0
                                            • Opcode ID: 89aee606604fab148ab12e200d91490553c9eba498135282ad238d89e93d8b27
                                            • Instruction ID: e5b43f06bb8fbe4395785ba049855bd81a38770fe92382005612f47feb92ec3e
                                            • Opcode Fuzzy Hash: 89aee606604fab148ab12e200d91490553c9eba498135282ad238d89e93d8b27
                                            • Instruction Fuzzy Hash: 69511939A00205DFCB00EFA8C5849AEB7F9FF49320B158169E955AB312D731ED56CF91
                                            APIs
                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AAE61F
                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00AAE648
                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AAE687
                                              • Part of subcall function 00A49837: __itow.LIBCMT ref: 00A49862
                                              • Part of subcall function 00A49837: __swprintf.LIBCMT ref: 00A498AC
                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AAE6AC
                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AAE6B4
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                            • String ID:
                                            • API String ID: 1389676194-0
                                            • Opcode ID: 8be4d11901fd7a9baf545553bb27c3a1682f743ebadf12ef7dc263fa5905826c
                                            • Instruction ID: c7cd903ca4bed1b04f3e0fccc4eb44472e9e96148ba789240a7012392303d31e
                                            • Opcode Fuzzy Hash: 8be4d11901fd7a9baf545553bb27c3a1682f743ebadf12ef7dc263fa5905826c
                                            • Instruction Fuzzy Hash: B4510A39A00105DFCB11EF64C981AAEBBF5EF49314B1484A9E809AB362CB31ED51DB50
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 00bee4ecf3e709caf8a7a443fcbc16aec6c320968e45762672db2b2dd40f74ea
                                            • Instruction ID: ed46b8d316272e4aeee938b37458e04ee3046867f7a8e509301686eeac29979c
                                            • Opcode Fuzzy Hash: 00bee4ecf3e709caf8a7a443fcbc16aec6c320968e45762672db2b2dd40f74ea
                                            • Instruction Fuzzy Hash: 9C41173590410CAFDB20DF78DC48FB9BBB5EB29354F1A4269F916A72E0CB309D41DA51
                                            APIs
                                            • GetCursorPos.USER32(?), ref: 00A42357
                                            • ScreenToClient.USER32(00B057B0,?), ref: 00A42374
                                            • GetAsyncKeyState.USER32(00000001), ref: 00A42399
                                            • GetAsyncKeyState.USER32(00000002), ref: 00A423A7
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: AsyncState$ClientCursorScreen
                                            • String ID:
                                            • API String ID: 4210589936-0
                                            • Opcode ID: c6670d9ca7b9b3ddfde06d1fd6bce9f2601f7b84f7b907c10295611f744850be
                                            • Instruction ID: 190b519627bab6db6c07567b9b47382988d23c08b1a7209c581f2e83b0cf25e3
                                            • Opcode Fuzzy Hash: c6670d9ca7b9b3ddfde06d1fd6bce9f2601f7b84f7b907c10295611f744850be
                                            • Instruction Fuzzy Hash: 20418E79604109FFDF158F68CC44BE9BB75FB45360F20835AF829962A0C734A990DBA0
                                            APIs
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A963E7
                                            • TranslateAcceleratorW.USER32(?,?,?), ref: 00A96433
                                            • TranslateMessage.USER32(?), ref: 00A9645C
                                            • DispatchMessageW.USER32(?), ref: 00A96466
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A96475
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Message$PeekTranslate$AcceleratorDispatch
                                            • String ID:
                                            • API String ID: 2108273632-0
                                            APIs
                                            • GetWindowRect.USER32(?,?), ref: 00A98A30
                                            • PostMessageW.USER32(?,00000201,00000001), ref: 00A98ADA
                                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00A98AE2
                                            • PostMessageW.USER32(?,00000202,00000000), ref: 00A98AF0
                                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00A98AF8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessagePostSleep$RectWindow
                                            • String ID:
                                            • API String ID: 3382505437-0
                                            APIs
                                            • IsWindowVisible.USER32(?), ref: 00A9B204
                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A9B221
                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A9B259
                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A9B27F
                                            • _wcsstr.LIBCMT ref: 00A9B289
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                            • String ID:
                                            • API String ID: 3902887630-0
                                            APIs
                                              • Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00ACB192
                                            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00ACB1B7
                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00ACB1CF
                                            • GetSystemMetrics.USER32(00000004), ref: 00ACB1F8
                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00AB0E90,00000000), ref: 00ACB216
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$Long$MetricsSystem
                                            • String ID:
                                            • API String ID: 2294984445-0
                                            APIs
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A99320
                                              • Part of subcall function 00A47BCC: _memmove.LIBCMT ref: 00A47C06
                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A99352
                                            • __itow.LIBCMT ref: 00A9936A
                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A99392
                                            • __itow.LIBCMT ref: 00A993A3
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$__itow$_memmove
                                            • String ID:
                                            • API String ID: 2983881199-0
                                            APIs
                                            • IsWindow.USER32(00000000), ref: 00AB5A6E
                                            • GetForegroundWindow.USER32 ref: 00AB5A85
                                            • GetDC.USER32(00000000), ref: 00AB5AC1
                                            • GetPixel.GDI32(00000000,?,00000003), ref: 00AB5ACD
                                            • ReleaseDC.USER32(00000000,00000003), ref: 00AB5B08
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$ForegroundPixelRelease
                                            • String ID:
                                            • API String ID: 4156661090-0
                                            APIs
                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A4134D
                                            • SelectObject.GDI32(?,00000000), ref: 00A4135C
                                            • BeginPath.GDI32(?), ref: 00A41373
                                            • SelectObject.GDI32(?,00000000), ref: 00A4139C
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ObjectSelect$BeginCreatePath
                                            • String ID:
                                            • API String ID: 3225163088-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _memcmp
                                            • String ID:
                                            • API String ID: 2931989736-0
                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 00AA4ABA
                                            • __beginthreadex.LIBCMT ref: 00AA4AD8
                                            • MessageBoxW.USER32(?,?,?,?), ref: 00AA4AED
                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00AA4B03
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00AA4B0A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                            • String ID:
                                            • API String ID: 3824534824-0
                                            APIs
                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A9821E
                                            • GetLastError.KERNEL32(?,00A97CE2,?,?,?), ref: 00A98228
                                            • GetProcessHeap.KERNEL32(00000008,?,?,00A97CE2,?,?,?), ref: 00A98237
                                            • HeapAlloc.KERNEL32(00000000,?,00A97CE2,?,?,?), ref: 00A9823E
                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A98255
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                            • String ID:
                                            • API String ID: 842720411-0
                                            APIs
                                            • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A97044,80070057,?,?,?,00A97455), ref: 00A97127
                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A97044,80070057,?,?), ref: 00A97142
                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A97044,80070057,?,?), ref: 00A97150
                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A97044,80070057,?), ref: 00A97160
                                            • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A97044,80070057,?,?), ref: 00A9716C
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                            • String ID:
                                            • API String ID: 3897988419-0
                                            APIs
                                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AA5260
                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AA526E
                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AA5276
                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AA5280
                                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AA52BC
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                            • String ID:
                                            • API String ID: 2833360925-0
                                            APIs
                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A98121
                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A9812B
                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A9813A
                                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A98141
                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A98157
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                            • String ID:
                                            • API String ID: 44706859-0
                                            APIs
                                            • GetDlgItem.USER32(?,000003E9), ref: 00A9C1F7
                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00A9C20E
                                            • MessageBeep.USER32(00000000), ref: 00A9C226
                                            • KillTimer.USER32(?,0000040A), ref: 00A9C242
                                            • EndDialog.USER32(?,00000001), ref: 00A9C25C
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                            • String ID:
                                            • API String ID: 3741023627-0
                                            • Opcode ID: 64c99cccb7f9bdcca5a804fd9ae0a71cec69553b96cc5b9c9ee21e4701f0dc33
                                            • Instruction ID: 3518ecdc91848b647e7e7b9cc935e4501f6bf6bb23aed5e794ac03db3331498f
                                            • Opcode Fuzzy Hash: 64c99cccb7f9bdcca5a804fd9ae0a71cec69553b96cc5b9c9ee21e4701f0dc33
                                            • Instruction Fuzzy Hash: 7B01D630504704AFEF24ABA4ED4EFD677B9FF00B06F004269F582A14E1DBF069459B90
                                            APIs
                                            • EndPath.GDI32(?), ref: 00A413BF
                                            • StrokeAndFillPath.GDI32(?,?,00A7B888,00000000,?), ref: 00A413DB
                                            • SelectObject.GDI32(?,00000000), ref: 00A413EE
                                            • DeleteObject.GDI32 ref: 00A41401
                                            • StrokePath.GDI32(?), ref: 00A4141C
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                            • String ID:
                                            • API String ID: 2625713937-0
                                            • Opcode ID: f14a1e23cd43a25721c95506eeee302cf4961e421674a8620df2d73925685c5d
                                            • Instruction ID: 659c8a5610bf49b74f862bf5c4a58120446d565d0f1b7eea0d17085943373416
                                            • Opcode Fuzzy Hash: f14a1e23cd43a25721c95506eeee302cf4961e421674a8620df2d73925685c5d
                                            • Instruction Fuzzy Hash: 32F0FF34004B08EFDB219FA6EC4CB593FA5B751726F08C224F8694A8F1DB318996DF51
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 00AAC432
                                            • CoCreateInstance.OLE32(00AD2D6C,00000000,00000001,00AD2BDC,?), ref: 00AAC44A
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                            • CoUninitialize.OLE32 ref: 00AAC6B7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CreateInitializeInstanceUninitialize_memmove
                                            • String ID: .lnk
                                            • API String ID: 2683427295-24824748
                                            • Opcode ID: 9e59c900f92b73d2ec0ad1fa450e941f4568f93493a02afa959484775d69cd07
                                            • Instruction ID: 687306884c21048222fa6cde02bebc8d6ab4fdfad2127384f0030fd15f3005ed
                                            • Opcode Fuzzy Hash: 9e59c900f92b73d2ec0ad1fa450e941f4568f93493a02afa959484775d69cd07
                                            • Instruction Fuzzy Hash: FAA13975104205AFD700EF64C981EAFB7E8EFD9354F00492DF1568B1A2EB71EA09CB62
                                            APIs
                                              • Part of subcall function 00A60DB6: std::exception::exception.LIBCMT ref: 00A60DEC
                                              • Part of subcall function 00A60DB6: __CxxThrowException@8.LIBCMT ref: 00A60E01
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                              • Part of subcall function 00A47A51: _memmove.LIBCMT ref: 00A47AAB
                                            • __swprintf.LIBCMT ref: 00A52ECD
                                            Strings
                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A52D66
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                            • API String ID: 1943609520-557222456
                                            • Opcode ID: 7c662613d7f69c8dec5d1424e69a91b72587fbdafc2415638d16a7aef809dff6
                                            • Instruction ID: 29119fa86f880e5b3dcc74a045653371a733c32ac1be0dcec7a4327e5f557f05
                                            • Opcode Fuzzy Hash: 7c662613d7f69c8dec5d1424e69a91b72587fbdafc2415638d16a7aef809dff6
                                            • Instruction Fuzzy Hash: B79148755082019FD714EF24CA8AD6FB7B8EF95710F00491DF8869B2A2EB30ED49CB52
                                            APIs
                                              • Part of subcall function 00A44750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A44743,?,?,00A437AE,?), ref: 00A44770
                                            • CoInitialize.OLE32(00000000), ref: 00AAB9BB
                                            • CoCreateInstance.OLE32(00AD2D6C,00000000,00000001,00AD2BDC,?), ref: 00AAB9D4
                                            • CoUninitialize.OLE32 ref: 00AAB9F1
                                              • Part of subcall function 00A49837: __itow.LIBCMT ref: 00A49862
                                              • Part of subcall function 00A49837: __swprintf.LIBCMT ref: 00A498AC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                            • String ID: .lnk
                                            • API String ID: 2126378814-24824748
                                            • Opcode ID: 30bd9efe5a904f55b78bb63f1dafe93d21a3317c78d71a8b3f9b097dcc13190b
                                            • Instruction ID: 6efd74f887075857009441ef728d78a0b05076b69968efecebbd194742933beb
                                            • Opcode Fuzzy Hash: 30bd9efe5a904f55b78bb63f1dafe93d21a3317c78d71a8b3f9b097dcc13190b
                                            • Instruction Fuzzy Hash: DDA14A756043059FCB10DF14C984D6AB7E5FF8A314F148958F89A9B3A2CB31ED45CBA1
                                            APIs
                                            • __startOneArgErrorHandling.LIBCMT ref: 00A650AD
                                              • Part of subcall function 00A700F0: __87except.LIBCMT ref: 00A7012B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ErrorHandling__87except__start
                                            • String ID: pow
                                            • API String ID: 2905807303-2276729525
                                            • Opcode ID: e5a28ae02648332fa5f7e62b714ac11e9d7d487dbc40d6a0ff5ecfbc033c5ba6
                                            • Instruction ID: 6dbbe007ba879d29fce95772bf9bfe24230b7f9cba04d24d0739ef88a2468ddc
                                            • Opcode Fuzzy Hash: e5a28ae02648332fa5f7e62b714ac11e9d7d487dbc40d6a0ff5ecfbc033c5ba6
                                            • Instruction Fuzzy Hash: 2B517B71E1C502DADB11B734CD11BBE3BB49B41701F20CA59E4DA862AAEF34CDC59AC2
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _memset$_memmove
                                            • String ID: ERCP
                                            • API String ID: 2532777613-1384759551
                                            • Opcode ID: c3d28d487b26cc25facd3ce98d4caab38766bec959c9ddecd8f923db21261562
                                            • Instruction ID: 4aa85c4126a3d5e01c634dbfaad34dfd5ebcf506d40aaf7ac4162d9801675f2e
                                            • Opcode Fuzzy Hash: c3d28d487b26cc25facd3ce98d4caab38766bec959c9ddecd8f923db21261562
                                            • Instruction Fuzzy Hash: 40516E71A00709DFDB24CFA5C941BABB7F4BF44355F60456EE94ACB251E770AA88CB40
                                            APIs
                                              • Part of subcall function 00AA14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A99296,?,?,00000034,00000800,?,00000034), ref: 00AA14E6
                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A9983F
                                              • Part of subcall function 00AA1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A992C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00AA14B1
                                              • Part of subcall function 00AA13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00AA1409
                                              • Part of subcall function 00AA13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A9925A,00000034,?,?,00001004,00000000,00000000), ref: 00AA1419
                                              • Part of subcall function 00AA13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A9925A,00000034,?,?,00001004,00000000,00000000), ref: 00AA142F
                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A998AC
                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A998F9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                            • String ID: @
                                            • API String ID: 4150878124-2766056989
                                            • Opcode ID: 8db34ca36e6ae34c6315e11fb8897b0d2d490f8bf82e0e085de38221b8f333c7
                                            • Instruction ID: f58dd606fd6e24071a303f53fd01d98b1aadaa74bcf57e21072885a886f4e06e
                                            • Opcode Fuzzy Hash: 8db34ca36e6ae34c6315e11fb8897b0d2d490f8bf82e0e085de38221b8f333c7
                                            • Instruction Fuzzy Hash: 04413E76A00218BFDF10DFA8CD81ADEBBB8EB09300F004199FA55B7191DB716E45CBA1
                                            APIs
                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00ACF910,00000000,?,?,?,?), ref: 00AC79DF
                                            • GetWindowLongW.USER32 ref: 00AC79FC
                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AC7A0C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$Long
                                            • String ID: SysTreeView32
                                            • API String ID: 847901565-1698111956
                                            • Opcode ID: 305c9df74436b8cb8e38c4df6d35a3590f4e872df1977ee1928005ed1ea54aea
                                            • Instruction ID: bc64200534ab7687413aaf38d7eaa9dba04b81f2c784bc7bff57417577ed43cf
                                            • Opcode Fuzzy Hash: 305c9df74436b8cb8e38c4df6d35a3590f4e872df1977ee1928005ed1ea54aea
                                            • Instruction Fuzzy Hash: EF319C3120420AAFDB118F78CC45FEA7BA9FB45324F218729F875A32E0D731E9519B60
                                            APIs
                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00AC7461
                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00AC7475
                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00AC7499
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window
                                            • String ID: SysMonthCal32
                                            • API String ID: 2326795674-1439706946
                                            • Opcode ID: 9d29a31f659959d3bf26386525099752673fe44ad3aff7f3e0b0cdc77b02da03
                                            • Instruction ID: 709243551aa80a3bb878e9a058b60a685d4303888e8d5a3695e28104f0875043
                                            • Opcode Fuzzy Hash: 9d29a31f659959d3bf26386525099752673fe44ad3aff7f3e0b0cdc77b02da03
                                            • Instruction Fuzzy Hash: 3A219F32500219AFDF15CFA4CD46FEE3B6AEB48724F120218FE556B1D0DA75AC91DBA0
                                            APIs
                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00AC7C4A
                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00AC7C58
                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00AC7C5F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$DestroyWindow
                                            • String ID: msctls_updown32
                                            • API String ID: 4014797782-2298589950
                                            • Opcode ID: a8812b4041d378978c086894bdfe0ccc33fb7c3782cd18b3addc6959fcfce782
                                            • Instruction ID: 4bd4551487b7915c442de2fee36e289862c69369125f374472c793562fadbafe
                                            • Opcode Fuzzy Hash: a8812b4041d378978c086894bdfe0ccc33fb7c3782cd18b3addc6959fcfce782
                                            • Instruction Fuzzy Hash: E0219CB5204209AFDB10DF28CCC1EAB37ECEB59364B110058FA019B3A1CB31EC018B60
                                            APIs
                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00AC6D3B
                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00AC6D4B
                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00AC6D70
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend$MoveWindow
                                            • String ID: Listbox
                                            • API String ID: 3315199576-2633736733
                                            • Opcode ID: c19cc3b467967fe9ca74a83664bc6cfd70b0dcee9fbf45a956336193bd8942b3
                                            • Instruction ID: 509128128ac4579bb1579e0f2c7b4d19605340ce1691d452d0a38ea611c8151e
                                            • Opcode Fuzzy Hash: c19cc3b467967fe9ca74a83664bc6cfd70b0dcee9fbf45a956336193bd8942b3
                                            • Instruction Fuzzy Hash: 6C21A432614118BFDF12CF54CC45FBB3BBAEF89750F028128F9459B1A0CA719C529BA0
                                            APIs
                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00AC7772
                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00AC7787
                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00AC7794
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: msctls_trackbar32
                                            • API String ID: 3850602802-1010561917
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00A44B83,?), ref: 00A44C44
                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A44C56
                                            Strings
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                            • API String ID: 2574300362-1355242751
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00A44BD0,?,00A44DEF,?,00B052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A44C11
                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A44C23
                                            Strings
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                            • API String ID: 2574300362-3689287502
                                            APIs
                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,00AC1039), ref: 00AC0DF5
                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AC0E07
                                            Strings
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                            • API String ID: 2574300362-4033151799
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00AB8CF4,?,00ACF910), ref: 00AB90EE
                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00AB9100
                                            Strings
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetModuleHandleExW$kernel32.dll
                                            • API String ID: 2574300362-199464113
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: LocalTime__swprintf
                                            • String ID: %.3d$WIN_XPe
                                            • API String ID: 2070861257-2409531811
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            APIs
                                            • CharLowerBuffW.USER32(?,?), ref: 00ABE0BE
                                            • CharLowerBuffW.USER32(?,?), ref: 00ABE101
                                              • Part of subcall function 00ABD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00ABD7C5
                                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00ABE301
                                            • _memmove.LIBCMT ref: 00ABE314
                                            Similarity
                                            • API ID: BuffCharLower$AllocVirtual_memmove
                                            • String ID:
                                            • API String ID: 3659485706-0
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 00AB80C3
                                            • CoUninitialize.OLE32 ref: 00AB80CE
                                              • Part of subcall function 00A9D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A9D5D4
                                            • VariantInit.OLEAUT32(?), ref: 00AB80D9
                                            • VariantClear.OLEAUT32(?), ref: 00AB83AA
                                            Similarity
                                            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                            • String ID:
                                            • API String ID: 780911581-0
                                            APIs
                                            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00AD2C7C,?), ref: 00A976EA
                                            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00AD2C7C,?), ref: 00A97702
                                            • CLSIDFromProgID.OLE32(?,?,00000000,00ACFB80,000000FF,?,00000000,00000800,00000000,?,00AD2C7C,?), ref: 00A97727
                                            • _memcmp.LIBCMT ref: 00A97748
                                            Similarity
                                            • API ID: FromProg$FreeTask_memcmp
                                            • String ID:
                                            • API String ID: 314563124-0
                                            APIs
                                            Similarity
                                            • API ID: Variant$AllocClearCopyInitString
                                            • String ID:
                                            • API String ID: 2808897238-0
                                            APIs
                                              • Part of subcall function 00A44EE5: _fseek.LIBCMT ref: 00A44EFD
                                              • Part of subcall function 00AA9734: _wcscmp.LIBCMT ref: 00AA9824
                                              • Part of subcall function 00AA9734: _wcscmp.LIBCMT ref: 00AA9837
                                            • _free.LIBCMT ref: 00AA96A2
                                            • _free.LIBCMT ref: 00AA96A9
                                            • _free.LIBCMT ref: 00AA9714
                                              • Part of subcall function 00A62D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00A69A24), ref: 00A62D69
                                              • Part of subcall function 00A62D55: GetLastError.KERNEL32(00000000,?,00A69A24), ref: 00A62D7B
                                            • _free.LIBCMT ref: 00AA971C
                                            Similarity
                                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                            • String ID:
                                            • API String ID: 1552873950-0
                                            APIs
                                            • GetWindowRect.USER32(00CDE448,?), ref: 00AC9863
                                            • ScreenToClient.USER32(00000002,00000002), ref: 00AC9896
                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00AC9903
                                            Similarity
                                            • API ID: Window$ClientMoveRectScreen
                                            • String ID:
                                            • API String ID: 3880355969-0
                                            APIs
                                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00A99AD2
                                            • __itow.LIBCMT ref: 00A99B03
                                              • Part of subcall function 00A99D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00A99DBE
                                            • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00A99B6C
                                            • __itow.LIBCMT ref: 00A99BC3
                                            Similarity
                                            • API ID: MessageSend$__itow
                                            • String ID:
                                            • API String ID: 3379773720-0
                                            APIs
                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00AB69D1
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00AB69E1
                                              • Part of subcall function 00A49837: __itow.LIBCMT ref: 00A49862
                                              • Part of subcall function 00A49837: __swprintf.LIBCMT ref: 00A498AC
                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00AB6A45
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00AB6A51
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ErrorLast$__itow__swprintfsocket
                                            • String ID:
                                            • API String ID: 2214342067-0
                                            • Opcode ID: c6bd605a1eea2e3819c845e23badb9764e03e4dbb1a0bb1a1d5fd3bb4453335f
                                            • Instruction ID: 1156cc6ba3a50edd67d397083e0f197c2e405c2bee839f65ea8225105e3c2169
                                            • Opcode Fuzzy Hash: c6bd605a1eea2e3819c845e23badb9764e03e4dbb1a0bb1a1d5fd3bb4453335f
                                            • Instruction Fuzzy Hash: 9E419279740200AFEB60AF64DD86F6A77A89F44B54F148018FA199B2C3DA749D118751
                                            APIs
                                            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00ACF910), ref: 00AB64A7
                                            • _strlen.LIBCMT ref: 00AB64D9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _strlen
                                            • String ID:
                                            • API String ID: 4218353326-0
                                            • Opcode ID: 0f1ff82582ebc577f7e391583d9f17f44141d07aef4e9f8590e3722b15b2eddc
                                            • Instruction ID: 9a820e88e6537aaf61c6166e93b31f310712b231e52319012ff179daf00e8e7f
                                            • Opcode Fuzzy Hash: 0f1ff82582ebc577f7e391583d9f17f44141d07aef4e9f8590e3722b15b2eddc
                                            • Instruction Fuzzy Hash: 74419075A00104AFCB24EBA8DD85FEEB7BDAF44310F148265F81A97293DB34AD15CB50
                                            APIs
                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00AAB89E
                                            • GetLastError.KERNEL32(?,00000000), ref: 00AAB8C4
                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00AAB8E9
                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00AAB915
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                            • String ID:
                                            • API String ID: 3321077145-0
                                            • Opcode ID: 0a6f3e919dcbe388b3194e8e413a506bdec1fc34eb2e6418f027e496f737cb16
                                            • Instruction ID: 993874a3b61be3aae50f1342a9a90a5657e83555637a0446fcfcbcde1e6f1c04
                                            • Opcode Fuzzy Hash: 0a6f3e919dcbe388b3194e8e413a506bdec1fc34eb2e6418f027e496f737cb16
                                            • Instruction Fuzzy Hash: 15411E39600510DFCB21DF19C545A5EBBE5EF8A310F158098ED4A9B3A2CB35FD11CB91
                                            APIs
                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AC88DE
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: InvalidateRect
                                            • String ID:
                                            • API String ID: 634782764-0
                                            • Opcode ID: e4b2db064216337e95754041327a9d21a488e22c6218c9112abd7cf3b5184b7b
                                            • Instruction ID: 8bffd64aeacaddbfa602e336196b87688d665dca39cac7b29a85a58e8ae31a11
                                            • Opcode Fuzzy Hash: e4b2db064216337e95754041327a9d21a488e22c6218c9112abd7cf3b5184b7b
                                            • Instruction Fuzzy Hash: F931C434600108EFEF209B68CC45FB97BB5FB09350FA6411AFA51E76A1CF78D9809B52
                                            APIs
                                            • ClientToScreen.USER32(?,?), ref: 00ACAB60
                                            • GetWindowRect.USER32(?,?), ref: 00ACABD6
                                            • PtInRect.USER32(?,?,00ACC014), ref: 00ACABE6
                                            • MessageBeep.USER32(00000000), ref: 00ACAC57
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Rect$BeepClientMessageScreenWindow
                                            • String ID:
                                            • API String ID: 1352109105-0
                                            • Opcode ID: 4e4a019c3f35c6136cdae38d899c87bb9dff8680ce6cd193e03c6916367aab20
                                            • Instruction ID: 60c94bb07efb5ec4ebe5419cb970e8106616389a420695f07b8c3b38bddc7faa
                                            • Opcode Fuzzy Hash: 4e4a019c3f35c6136cdae38d899c87bb9dff8680ce6cd193e03c6916367aab20
                                            • Instruction Fuzzy Hash: 4A417B3460461DDFCB21DF98C884F697BF6FB69304F1A81A9E8159B260D730A841CF92
                                            APIs
                                            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00AA0B27
                                            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00AA0B43
                                            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00AA0BA9
                                            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00AA0BFB
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: KeyboardState$InputMessagePostSend
                                            • String ID:
                                            • API String ID: 432972143-0
                                            • Opcode ID: 4532e96679f3bdfcfcd183128b35bff0cbaac74c8733398c76fd6117ae6fc40a
                                            • Instruction ID: 2d573a3b5a9e99293c4e7d992b0b661841d976621e76e1674ec278644ba44e4f
                                            • Opcode Fuzzy Hash: 4532e96679f3bdfcfcd183128b35bff0cbaac74c8733398c76fd6117ae6fc40a
                                            • Instruction Fuzzy Hash: 7A313830E40218AEFF318F658D05FFABBBAAB47328F08425AE591931E1C3758D459771
                                            APIs
                                            • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00AA0C66
                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00AA0C82
                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 00AA0CE1
                                            • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00AA0D33
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: KeyboardState$InputMessagePostSend
                                            • String ID:
                                            • API String ID: 432972143-0
                                            • Opcode ID: c7150d1a105bd98322dd111540b4fb16f8ce28a2ad57669a51b0fd8af115cb4e
                                            • Instruction ID: 1f75376680c8a3648484b4a55645d87ab079ac73b2b3037f244ee3648d64d6fd
                                            • Opcode Fuzzy Hash: c7150d1a105bd98322dd111540b4fb16f8ce28a2ad57669a51b0fd8af115cb4e
                                            • Instruction Fuzzy Hash: ED31E331A40218AEFF308F658815FFEBBB6AB46320F04432AE485931D1C379995597A2
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A761FB
                                            • __isleadbyte_l.LIBCMT ref: 00A76229
                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A76257
                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A7628D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                            • String ID:
                                            • API String ID: 3058430110-0
                                            • Opcode ID: 625a3dde163d6623103ddcd7c416a4798959410d1571c1450f721c6537b2ee31
                                            • Instruction ID: d9b496852a27c31280d0a12677b85da798061e0fc4ab3e6156a043dfdcf41f04
                                            • Opcode Fuzzy Hash: 625a3dde163d6623103ddcd7c416a4798959410d1571c1450f721c6537b2ee31
                                            • Instruction Fuzzy Hash: 9131EF31A00A46AFDF219F65CC48BBB7BB9FF41310F15C128E828971A2E731E950DB90
                                            APIs
                                            • GetForegroundWindow.USER32 ref: 00AC4F02
                                              • Part of subcall function 00AA3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AA365B
                                              • Part of subcall function 00AA3641: GetCurrentThreadId.KERNEL32 ref: 00AA3662
                                              • Part of subcall function 00AA3641: AttachThreadInput.USER32(00000000,?,00AA5005), ref: 00AA3669
                                            • GetCaretPos.USER32(?), ref: 00AC4F13
                                            • ClientToScreen.USER32(00000000,?), ref: 00AC4F4E
                                            • GetForegroundWindow.USER32 ref: 00AC4F54
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                            • String ID:
                                            • API String ID: 2759813231-0
                                            • Opcode ID: 92e006221fa620a3a0e220648b52dd3509bc2e2907ae2d26b64e84e0bb9d2212
                                            • Instruction ID: ed82a14bb751aa12944bcb4563fc64c77f9b8130c80b54091a59a00792088753
                                            • Opcode Fuzzy Hash: 92e006221fa620a3a0e220648b52dd3509bc2e2907ae2d26b64e84e0bb9d2212
                                            • Instruction Fuzzy Hash: 7F310B76E00108AFDB00EFA9C985DEFB7F9EF99300F11406AE415E7241EA759E158BA0
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00AA3C7A
                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00AA3C88
                                            • Process32NextW.KERNEL32(00000000,?), ref: 00AA3CA8
                                            • CloseHandle.KERNEL32(00000000), ref: 00AA3D52
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                            • String ID:
                                            • API String ID: 420147892-0
                                            • Opcode ID: 993df8dd61350a1d8bfe2d6467775a2524da223b3e9be3404f004f28e65b0aeb
                                            • Instruction ID: 6726013a4dcc36885a855db7a8df0bd224c2981c123886bbc76c71ee02bfba2b
                                            • Opcode Fuzzy Hash: 993df8dd61350a1d8bfe2d6467775a2524da223b3e9be3404f004f28e65b0aeb
                                            • Instruction Fuzzy Hash: DC318F32108345DFD700EF60C985EAEBBE8AFD5354F50092DF582871A2EB719A49CB52
                                            APIs
                                              • Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623
                                            • GetCursorPos.USER32(?), ref: 00ACC4D2
                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A7B9AB,?,?,?,?,?), ref: 00ACC4E7
                                            • GetCursorPos.USER32(?), ref: 00ACC534
                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A7B9AB,?,?,?), ref: 00ACC56E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                            • String ID:
                                            • API String ID: 2864067406-0
                                            • Opcode ID: 2e596880921a806a4e04325c5cef2684f444b59b36bb447d4915b721cf6ed975
                                            • Instruction ID: 95f693b09ead3ca64c84844cd0d46c58dacec0bb751b37be09ef1e5469aa7c6d
                                            • Opcode Fuzzy Hash: 2e596880921a806a4e04325c5cef2684f444b59b36bb447d4915b721cf6ed975
                                            • Instruction Fuzzy Hash: 5F31713560045CAFCF25CF98C858FAA7BB6EB49320F454169F9098B2A1CB31AD51DFA4
                                            APIs
                                              • Part of subcall function 00A9810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A98121
                                              • Part of subcall function 00A9810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A9812B
                                              • Part of subcall function 00A9810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A9813A
                                              • Part of subcall function 00A9810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A98141
                                              • Part of subcall function 00A9810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A98157
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A986A3
                                            • _memcmp.LIBCMT ref: 00A986C6
                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A986FC
                                            • HeapFree.KERNEL32(00000000), ref: 00A98703
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                            • String ID:
                                            • API String ID: 1592001646-0
                                            • Opcode ID: cf75d8409515f01c6341fb45f24f76152716625e3dd3570d25e5f6f61026f13a
                                            • Instruction ID: e1ffb8d7259acf9e29a681d3118f06ef6c4c73837e0e697f63d21c016edf219d
                                            • Opcode Fuzzy Hash: cf75d8409515f01c6341fb45f24f76152716625e3dd3570d25e5f6f61026f13a
                                            • Instruction Fuzzy Hash: 48215A71E40108EFDF10DFA8C949BAEB7F9EF45304F154059E544AB240DB35AE05CB50
APIs
• __setmode.LIBCMT ref: 00A609AE
  • Part of subcall function 00A45A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AA7896,?,?,00000000), ref: 00A45A2C
  • Part of subcall function 00A45A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AA7896,?,?,00000000,?,?), ref: 00A45A50
• _fprintf.LIBCMT ref: 00A609E5
• OutputDebugStringW.KERNEL32(?), ref: 00A95DBB
  • Part of subcall function 00A64AAA: _flsall.LIBCMT ref: 00A64AC3
• __setmode.LIBCMT ref: 00A60A1A
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
Similarity
• API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
• String ID:
• API String ID: 521402451-0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AB17A3
  • Part of subcall function 00AB182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AB184C
  • Part of subcall function 00AB182D: InternetCloseHandle.WININET(00000000), ref: 00AB18E9
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
APIs
• GetFileAttributesW.KERNEL32(?,00ACFAC0), ref: 00AA3A64
• GetLastError.KERNEL32 ref: 00AA3A73
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00AA3A82
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00ACFAC0), ref: 00AA3ADF
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
APIs
  • Part of subcall function 00A9F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00A9DCD3,?,?,?,00A9EAC6,00000000,000000EF,00000119,?,?), ref: 00A9F0CB
  • Part of subcall function 00A9F0BC: lstrcpyW.KERNEL32(00000000,?,?,00A9DCD3,?,?,?,00A9EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A9F0F1
  • Part of subcall function 00A9F0BC: lstrcmpiW.KERNEL32(00000000,?,00A9DCD3,?,?,?,00A9EAC6,00000000,000000EF,00000119,?,?), ref: 00A9F122
• lstrlenW.KERNEL32(?,00000002,?,?,?,?,00A9EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A9DCEC
• lstrcpyW.KERNEL32(00000000,?,?,00A9EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A9DD12
• lstrcmpiW.KERNEL32(00000002,cdecl,?,00A9EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A9DD46
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
APIs
• _free.LIBCMT ref: 00A75101
  • Part of subcall function 00A6571C: __FF_MSGBANNER.LIBCMT ref: 00A65733
  • Part of subcall function 00A6571C: __NMSG_WRITE.LIBCMT ref: 00A6573A
  • Part of subcall function 00A6571C: RtlAllocateHeap.NTDLL(00CC0000,00000000,00000001,00000000,?,?,?,00A60DD3,?), ref: 00A6575F
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
APIs
  • Part of subcall function 00A45A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AA7896,?,?,00000000), ref: 00A45A2C
  • Part of subcall function 00A45A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AA7896,?,?,00000000,?,?), ref: 00A45A50
• gethostbyname.WSOCK32(?,?,?), ref: 00AB6399
• WSAGetLastError.WSOCK32(00000000), ref: 00AB63A4
• _memmove.LIBCMT ref: 00AB63D1
• inet_ntoa.WSOCK32(?), ref: 00AB63DC
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00A98B61
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A98B73
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A98B89
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A98BA4
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
  • Part of subcall function 00A42612: GetWindowLongW.USER32(?,000000EB), ref: 00A42623
• DefDlgProcW.USER32(?,00000020,?), ref: 00A412D8
• GetClientRect.USER32(?,?), ref: 00A7B5FB
• GetCursorPos.USER32(?), ref: 00A7B605
• ScreenToClient.USER32(?,?), ref: 00A7B610
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A9FCED,?,00AA0D40,?,00008000), ref: 00AA115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,00A9FCED,?,00AA0D40,?,00008000), ref: 00AA1184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A9FCED,?,00AA0D40,?,00008000), ref: 00AA118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,00A9FCED,?,00AA0D40,?,00008000), ref: 00AA11C1
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00A9D84D
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A9D864
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A9D879
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A9D897
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
APIs
• GetWindowRect.USER32(?,?), ref: 00ACB2E4
• ScreenToClient.USER32(?,?), ref: 00ACB2FC
• ScreenToClient.USER32(?,?), ref: 00ACB320
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00ACB33B
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
APIs
• _memset.LIBCMT ref: 00ACB644
• _memset.LIBCMT ref: 00ACB653
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B06F20,00B06F64), ref: 00ACB682
• CloseHandle.KERNEL32 ref: 00ACB694
Memory Dump Source
• Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
• Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID:
• API String ID: 3277943733-0
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?), ref: 00AA6BE6
                                              • Part of subcall function 00AA76C4: _memset.LIBCMT ref: 00AA76F9
                                            • _memmove.LIBCMT ref: 00AA6C09
                                            • _memset.LIBCMT ref: 00AA6C16
                                            • LeaveCriticalSection.KERNEL32(?), ref: 00AA6C26
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CriticalSection_memset$EnterLeave_memmove
                                            • String ID:
                                            • API String ID: 48991266-0
                                            • Opcode ID: c648bb02df3b0d80b29f00bd1191c4a446daf64777af47145163cb1024ae9add
                                            • Instruction ID: 47700d2a37f3d056a38ee8e082d72473ff07203a82dfeccd23faec0091e83cf4
                                            • Opcode Fuzzy Hash: c648bb02df3b0d80b29f00bd1191c4a446daf64777af47145163cb1024ae9add
                                            • Instruction Fuzzy Hash: 7FF05E3A200100AFCF01AF95DC85E8ABB2AEF56360F048061FE085F267DB31E811CBB4
                                            APIs
                                            • GetSysColor.USER32(00000008), ref: 00A42231
                                            • SetTextColor.GDI32(?,000000FF), ref: 00A4223B
                                            • SetBkMode.GDI32(?,00000001), ref: 00A42250
                                            • GetStockObject.GDI32(00000005), ref: 00A42258
                                            • GetWindowDC.USER32(?,00000000), ref: 00A7BE83
                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00A7BE90
                                            • GetPixel.GDI32(00000000,?,00000000), ref: 00A7BEA9
                                            • GetPixel.GDI32(00000000,00000000,?), ref: 00A7BEC2
                                            • GetPixel.GDI32(00000000,?,?), ref: 00A7BEE2
                                            • ReleaseDC.USER32(?,00000000), ref: 00A7BEED
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                            • String ID:
                                            • API String ID: 1946975507-0
                                            • Opcode ID: bf62bc0d91870f067fcbbc9ef068ab8e23f975c3f2ba83285587edffda1b48b9
                                            • Instruction ID: b2d092807e5fbefe93d28a6ed4e958cc239149b3a14b4ebcb4bd72544c3e08d9
                                            • Opcode Fuzzy Hash: bf62bc0d91870f067fcbbc9ef068ab8e23f975c3f2ba83285587edffda1b48b9
                                            • Instruction Fuzzy Hash: 9AE03932104244AEDF219FA8EC0DBD83B12EB05332F15C366FB69480E1C7B18981DB22
                                            APIs
                                            • GetCurrentThread.KERNEL32 ref: 00A9871B
                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00A982E6), ref: 00A98722
                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A982E6), ref: 00A9872F
                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00A982E6), ref: 00A98736
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CurrentOpenProcessThreadToken
                                            • String ID:
                                            • API String ID: 3974789173-0
                                            • Opcode ID: 0876ad7bcaa9e80fffac097708744f1c3cce31926188810b5f37ea3f770ca8e0
                                            • Instruction ID: 438d1183d12f8d3c14ee38595fe2083862c5ef17af0cbd486f7962383e5d7a11
                                            • Opcode Fuzzy Hash: 0876ad7bcaa9e80fffac097708744f1c3cce31926188810b5f37ea3f770ca8e0
                                            • Instruction Fuzzy Hash: 40E08676711211AFDB209FF45D0CF967BAEEF51B91F164828B645CA040EA388446C750
                                            APIs
                                            • __getptd_noexit.LIBCMT ref: 00A65DAD
                                              • Part of subcall function 00A699C4: GetLastError.KERNEL32(00000000,00A60DD3,00A68B2D,00A657A3,?,?,00A60DD3,?), ref: 00A699C6
                                              • Part of subcall function 00A699C4: __calloc_crt.LIBCMT ref: 00A699E7
                                              • Part of subcall function 00A699C4: __initptd.LIBCMT ref: 00A69A09
                                              • Part of subcall function 00A699C4: GetCurrentThreadId.KERNEL32 ref: 00A69A10
                                              • Part of subcall function 00A699C4: SetLastError.KERNEL32(00000000,00A60DD3,?), ref: 00A69A28
                                            • CloseHandle.KERNEL32(?,?,00A65D8C), ref: 00A65DC1
                                            • __freeptd.LIBCMT ref: 00A65DC8
                                            • ExitThread.KERNEL32 ref: 00A65DD0
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
                                            • String ID:
                                            • API String ID: 4169687693-0
                                            • Opcode ID: a490f811ca14b1a73e319642a0a2d2a9f6759355564685873f7a1862a9313ce7
                                            • Instruction ID: 7e767aa4c6c9d75e245f082516c4b80d72a464a43ecf13161cc9ed8a018103a1
                                            • Opcode Fuzzy Hash: a490f811ca14b1a73e319642a0a2d2a9f6759355564685873f7a1862a9313ce7
                                            • Instruction Fuzzy Hash: D4D0C732401F51EBC632A7749D0EA2A76799F01761F054619F475595F0DB345803CA51
                                            APIs
                                            • OleSetContainedObject.OLE32(?,00000001), ref: 00A9B4BE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ContainedObject
                                            • String ID: AutoIt3GUI$Container
                                            • API String ID: 3565006973-3941886329
                                            • Opcode ID: 644d5fee10a8084f9532765da9c518dc2c5ed4b07be777e3614dccde348c2b47
                                            • Instruction ID: 6604765d455e824e9843ca763f7d44a355fc61bd9c475c021bd54c83fc7dfe4a
                                            • Opcode Fuzzy Hash: 644d5fee10a8084f9532765da9c518dc2c5ed4b07be777e3614dccde348c2b47
                                            • Instruction Fuzzy Hash: F9913870210601EFDB14DF68D984A6ABBF5FF49710F20856EF94ACB6A1DB70E841CB60
                                            APIs
                                              • Part of subcall function 00A5FC86: _wcscpy.LIBCMT ref: 00A5FCA9
                                              • Part of subcall function 00A49837: __itow.LIBCMT ref: 00A49862
                                              • Part of subcall function 00A49837: __swprintf.LIBCMT ref: 00A498AC
                                            • __wcsnicmp.LIBCMT ref: 00AAB02D
                                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00AAB0F6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                            • String ID: LPT
                                            • API String ID: 3222508074-1350329615
                                            • Opcode ID: ece1072904176c79e5b6d97d5b812898bc0a61d14d52730a82860a24fe67ae56
                                            • Instruction ID: b1f0ea7a370f2737fb980dcd5fc5232a917e5dffc7f934f1a9a1a7e7b5089667
                                            • Opcode Fuzzy Hash: ece1072904176c79e5b6d97d5b812898bc0a61d14d52730a82860a24fe67ae56
                                            • Instruction Fuzzy Hash: 88618175A10219AFCB14DF98C991EAFB7B4EF49310F104169F916AB292D770AE84CB60
                                            APIs
                                            • Sleep.KERNEL32(00000000), ref: 00A52968
                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00A52981
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: GlobalMemorySleepStatus
                                            • String ID: @
                                            • API String ID: 2783356886-2766056989
                                            • Opcode ID: 48608afb2ba4094b4f3738da730e17f53c5ae807e3da199ca87a0d1111d97e99
                                            • Instruction ID: 7ff5faed318ae9651704c7c01a23bf4cb68a495ac8d717e35b8ba3a7209c0805
                                            • Opcode Fuzzy Hash: 48608afb2ba4094b4f3738da730e17f53c5ae807e3da199ca87a0d1111d97e99
                                            • Instruction Fuzzy Hash: 365146724087449BD320EF64D886BAFBBE8FFC9344F42885DF2D8411A1DB308529CB66
                                            APIs
                                              • Part of subcall function 00A44F0B: __fread_nolock.LIBCMT ref: 00A44F29
                                            • _wcscmp.LIBCMT ref: 00AA9824
                                            • _wcscmp.LIBCMT ref: 00AA9837
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: _wcscmp$__fread_nolock
                                            • String ID: FILE
                                            • API String ID: 4029003684-3121273764
                                            • Opcode ID: fd4632cff414b74c35577953da9c7cc51c1e815d4c379420d77d12879889aa77
                                            • Instruction ID: 8b4de4d9bbf9ccb4f88336cf809b6e35f09f9e6184e1222e406235253fba186f
                                            • Opcode Fuzzy Hash: fd4632cff414b74c35577953da9c7cc51c1e815d4c379420d77d12879889aa77
                                            • Instruction Fuzzy Hash: 4841B575A40209BADF209BA0CC46FEFBBBDEF8A710F004469F904A71C1DB759E058B61
                                            APIs
                                            • _memset.LIBCMT ref: 00AB259E
                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00AB25D4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CrackInternet_memset
                                            • String ID: |
                                            • API String ID: 1413715105-2343686810
                                            • Opcode ID: 26901ed4a3571bf730fc6229fe0d98f8cbb15c60042bea40b62136ccc8727543
                                            • Instruction ID: 724c5f9fa6714fdc2b733d5b1af1d224212b30699b424d95491f7dd321a2f6fb
                                            • Opcode Fuzzy Hash: 26901ed4a3571bf730fc6229fe0d98f8cbb15c60042bea40b62136ccc8727543
                                            • Instruction Fuzzy Hash: 92311771800159EBCF11EFA0CD85EEEBFB9FF08350F10406AF915AA162EB355956DB60
                                            APIs
                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00AC7B61
                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AC7B76
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: '
                                            • API String ID: 3850602802-1997036262
                                            • Opcode ID: ab24b2883f9e90e0fbacd056fdb3f263ada6a8b0179ae99697843c70575d552e
                                            • Instruction ID: 070ae4b72f57cab2b82af6bf18321af7d37d710866bfbadaca118267f46fae4b
                                            • Opcode Fuzzy Hash: ab24b2883f9e90e0fbacd056fdb3f263ada6a8b0179ae99697843c70575d552e
                                            • Instruction Fuzzy Hash: 10410674A0530A9FDB14CF68C981FEEBBB9FB08340F11416AE905AB391DB70A951CF90
                                            APIs
                                            • DestroyWindow.USER32(?,?,?,?), ref: 00AC6B17
                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00AC6B53
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$DestroyMove
                                            • String ID: static
                                            • API String ID: 2139405536-2160076837
                                            • Opcode ID: f0b4064d583f39b8e42e4672f854e35dd93eb652d7338ee3b6da825081909628
                                            • Instruction ID: 792f96181b3a09135596877780765e484bbf6b46541a9d2d669c0589ab7b7635
                                            • Opcode Fuzzy Hash: f0b4064d583f39b8e42e4672f854e35dd93eb652d7338ee3b6da825081909628
                                            • Instruction Fuzzy Hash: 0C313A71210604AEDB10DF68C881FBB77A9FF48764F11861DF9A597190DA31AC91DB60
                                            APIs
                                            • _memset.LIBCMT ref: 00AA2911
                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AA294C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: InfoItemMenu_memset
                                            • String ID: 0
                                            • API String ID: 2223754486-4108050209
                                            • Opcode ID: 36db3a097a71818a4acb4ed87c303a570e36da5a376bbb23e08003a1e92e6715
                                            • Instruction ID: 5e1b3baed7db08d0fb56d7309d91f43720c92225d501fd52a2f7de7bfbe7f9d1
                                            • Opcode Fuzzy Hash: 36db3a097a71818a4acb4ed87c303a570e36da5a376bbb23e08003a1e92e6715
                                            • Instruction Fuzzy Hash: 7E31C1316003059FEB24CF5CC985BAFBBB8EF46750F140029ED85A71E0DB709951CB51
                                            APIs
                                            • __snwprintf.LIBCMT ref: 00AB3A66
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                             • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: __snwprintf_memmove
                                            • String ID: , $$AUTOITCALLVARIABLE%d
                                            • API String ID: 3506404897-2584243854
                                            • Opcode ID: 1b95ad25ebdafae10d4c5873051c51c601557934981b6c7312f03be756c03849
                                            • Instruction ID: 84417564584c1678c54ef0e007a5d6d1afde3b1734017eaabf11369100bbf518
                                            • Opcode Fuzzy Hash: 1b95ad25ebdafae10d4c5873051c51c601557934981b6c7312f03be756c03849
                                            • Instruction Fuzzy Hash: 04219E35A00219AFCF10EFA4CD82EEE77B9BF84740F600458F545AB182DB35EA51CB65
                                            APIs
                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00AC6761
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AC676C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: Combobox
                                            • API String ID: 3850602802-2096851135
                                            • Opcode ID: 125b41617a50c7685d37d7c3370e7c2f6df9b9ce6491bf9287d0454387fbf89e
                                            • Instruction ID: ac30b9fc15b44751ff755266e2a838e433d28d04e47979cbd20a91fd7f42849b
                                            • Opcode Fuzzy Hash: 125b41617a50c7685d37d7c3370e7c2f6df9b9ce6491bf9287d0454387fbf89e
                                            • Instruction Fuzzy Hash: 17118F75600208AFEF25DF54CC81FBB37AAEB883A8F124529F91897290D671DC519BA0
                                            APIs
                                              • Part of subcall function 00A41D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A41D73
                                              • Part of subcall function 00A41D35: GetStockObject.GDI32(00000011), ref: 00A41D87
                                              • Part of subcall function 00A41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A41D91
                                            • GetWindowRect.USER32(00000000,?), ref: 00AC6C71
                                            • GetSysColor.USER32(00000012), ref: 00AC6C8B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                            • String ID: static
                                            • API String ID: 1983116058-2160076837
                                            • Opcode ID: 7d714c6908f8259f7d7468cfedd85e206a30eb6166485497eebce42e31699d1b
                                            • Instruction ID: 558f5b520a066a4a4eea7a2c096ba62886693c737458565da2b13df3cbd879f1
                                            • Opcode Fuzzy Hash: 7d714c6908f8259f7d7468cfedd85e206a30eb6166485497eebce42e31699d1b
                                            • Instruction Fuzzy Hash: CD212676614209AFDF04DFA8CC45EEA7BB9FB08314F014629F995E3250D635E861DB60
                                            APIs
                                            • GetWindowTextLengthW.USER32(00000000), ref: 00AC69A2
                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00AC69B1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: LengthMessageSendTextWindow
                                            • String ID: edit
                                            • API String ID: 2978978980-2167791130
                                            • Opcode ID: dc1af36a53dbab692ea9f1bb531d7472612843a3dbc53555fcdce69ecf25d6c2
                                            • Instruction ID: 9015ae7660385c6750dce2d1b7880f86ef502b5685d01940835c984300bb9577
                                            • Opcode Fuzzy Hash: dc1af36a53dbab692ea9f1bb531d7472612843a3dbc53555fcdce69ecf25d6c2
                                            • Instruction Fuzzy Hash: F4113D71510108AFEB108F649C45FEB37AAEB05374F524728F9A5971E0CB71DC519760
                                            APIs
                                            • _memset.LIBCMT ref: 00AA2A22
                                            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00AA2A41
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: InfoItemMenu_memset
                                            • String ID: 0
                                            • API String ID: 2223754486-4108050209
                                            • Opcode ID: dda36efa5782a11c652909da070d61af13fa2094e7b992a9e721e686474a065b
                                            • Instruction ID: 6083e4fc805357105315a92cca19202e2c80bf651179cf0e202cd34937c764a5
                                            • Opcode Fuzzy Hash: dda36efa5782a11c652909da070d61af13fa2094e7b992a9e721e686474a065b
                                            • Instruction Fuzzy Hash: 9A11E272A05214ABDF30DB9CDC44BEB77B8AB87380F044025E855E72D0DB30AD1ACB91
                                            APIs
                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00AB222C
                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00AB2255
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Internet$OpenOption
                                            • String ID: <local>
                                            • API String ID: 942729171-4266983199
                                            • Opcode ID: 0b8945ee602dde2c2a9c6a6474ab385b91caac462621fac61f4217b17dfaded5
                                            • Instruction ID: b1fdbd9567147eda9d876ba59b9018eff19b9fac907f3c3b7e9815757c7d2091
                                            • Opcode Fuzzy Hash: 0b8945ee602dde2c2a9c6a6474ab385b91caac462621fac61f4217b17dfaded5
                                            • Instruction Fuzzy Hash: 2B119A70641225BADB258F518C88FFBBBACFB1A751F10862BFA1596001E2705991D7F0
                                            APIs
                                              • Part of subcall function 00AB7FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00AB7DB3,?,00000000,?,?), ref: 00AB800D
                                            • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AB7DB6
                                            • htons.WSOCK32(00000000,?,00000000), ref: 00AB7DF3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWidehtonsinet_addr
                                            • String ID: 255.255.255.255
                                            • API String ID: 2496851823-2422070025
                                            • Opcode ID: 4300aa176f13e146736c33fa5004c26e5ac907992eb69a6e8c2754743622d3d4
                                            • Instruction ID: 9ca04f8c16546a696556d5e1fcf53da4a15c26c71c71eba9a9944e1e96433eb4
                                            • Opcode Fuzzy Hash: 4300aa176f13e146736c33fa5004c26e5ac907992eb69a6e8c2754743622d3d4
                                            • Instruction Fuzzy Hash: E7118234604205ABCB20AFA4CC86FFEB369FF84360F10456AF9115B292DB71A9118691
                                            APIs
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                              • Part of subcall function 00A9AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A9AABC
                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A98E73
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ClassMessageNameSend_memmove
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 372448540-1403004172
                                            • Opcode ID: 0262e2085590a607b8404bfa861aefdf043f84167efc42cfe63900936f90c66c
                                            • Instruction ID: 3ff7f46a544eb0cf567f98ac3502056424ec02dd3bed295f7555f9422d7ff9d8
                                            • Opcode Fuzzy Hash: 0262e2085590a607b8404bfa861aefdf043f84167efc42cfe63900936f90c66c
                                            • Instruction Fuzzy Hash: E001B175B01219AB8F14EBE4CD558FE73A9AF46360B540A1AF821573E2DF359808D690
                                            APIs
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                              • Part of subcall function 00A9AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A9AABC
                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00A98D6B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ClassMessageNameSend_memmove
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 372448540-1403004172
                                            • Opcode ID: 282cac076e2a863e6014764096e784b35f22079806417b1f0ea3959b9379d2a5
                                            • Instruction ID: 0689046c476a0471732b6403e07809d956caf80404d13e69469af7fee3826508
                                            • Opcode Fuzzy Hash: 282cac076e2a863e6014764096e784b35f22079806417b1f0ea3959b9379d2a5
                                            • Instruction Fuzzy Hash: 0001DFB5B41109BBDF14EBE0CA52EFE73E89F56340F50001AB802632E2DF245E08D6B1
                                            APIs
                                              • Part of subcall function 00A47DE1: _memmove.LIBCMT ref: 00A47E22
                                              • Part of subcall function 00A9AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A9AABC
                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00A98DEE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ClassMessageNameSend_memmove
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 372448540-1403004172
                                            • Opcode ID: 708c619db593a49582100ebfde2d4311af4e64aad837bfdccb11a17e5d9d55a4
                                            • Instruction ID: 266373fc82c8cc6669a2a32116d14f4cd4173c1fc1212668a9b162b510a42438
                                            • Opcode Fuzzy Hash: 708c619db593a49582100ebfde2d4311af4e64aad837bfdccb11a17e5d9d55a4
                                            • Instruction Fuzzy Hash: 5801A275B41109BBDF11EBE4CA42EFE77E89F16340F504416B80563293DF254E08D6B1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: ClassName_wcscmp
                                            • String ID: #32770
                                            • API String ID: 2292705959-463685578
                                            • Opcode ID: 59ea4a0fc8cb206dd626c775f5e99f39a1a0e908cbade9625ddb49fa7a4136e4
                                            • Instruction ID: a263b562e4c6d0ec075b595909afe21eda111f2cde5979347d3cff34f4be8229
                                            • Opcode Fuzzy Hash: 59ea4a0fc8cb206dd626c775f5e99f39a1a0e908cbade9625ddb49fa7a4136e4
                                            • Instruction Fuzzy Hash: DEE09B3350422C2BD71097959C45EA7F7ACEB55B61F010056FD04D7051DA609A5587D0
                                            APIs
                                              • Part of subcall function 00A7B314: _memset.LIBCMT ref: 00A7B321
                                              • Part of subcall function 00A60940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A7B2F0,?,?,?,00A4100A), ref: 00A60945
                                            • IsDebuggerPresent.KERNEL32(?,?,?,00A4100A), ref: 00A7B2F4
                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A4100A), ref: 00A7B303
                                            Strings
                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A7B2FE
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                            • API String ID: 3158253471-631824599
                                            • Opcode ID: 49821671f7a774958678e6e8228398a734a03c0e4bc0147f50eaebbeb629ae7b
                                            • Instruction ID: 2a4c278b0f0e571c89898d953fe550e986773e3d07deed1e3a9ac5ba0abf095b
                                            • Opcode Fuzzy Hash: 49821671f7a774958678e6e8228398a734a03c0e4bc0147f50eaebbeb629ae7b
                                            • Instruction Fuzzy Hash: 0EE06DB0210B508FD720DF69E904B427AE8AF00304F01C92CE45ACBA50EBB4D485CBB1
                                            APIs
                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A97C82
                                              • Part of subcall function 00A63358: _doexit.LIBCMT ref: 00A63362
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Message_doexit
                                            • String ID: AutoIt$Error allocating memory.
                                            • API String ID: 1993061046-4017498283
                                            • Opcode ID: d5da1d9d72acccd88147222e58fd878851452d44d7d498e2123d7dc4ea3b98f3
                                            • Instruction ID: fe5c92f8904257ad89467421dfd65977d2bb99b03290676818a5493a554f924a
                                            • Opcode Fuzzy Hash: d5da1d9d72acccd88147222e58fd878851452d44d7d498e2123d7dc4ea3b98f3
                                            • Instruction Fuzzy Hash: 13D05B323D535836D21533E96D07FDE75884F05F52F040816FB04596D349D6859151F9
                                            APIs
                                            • GetSystemDirectoryW.KERNEL32(?), ref: 00A81775
                                              • Part of subcall function 00ABBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00A8195E,?), ref: 00ABBFFE
                                              • Part of subcall function 00ABBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00ABC010
                                            • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00A8196D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                            • String ID: WIN_XPe
                                            • API String ID: 582185067-3257408948
                                            • Opcode ID: 26336ed87af3883bd56af66c3c8e36589e7feb1374b3c27cb38e991b6e33908a
                                            • Instruction ID: 031baf6b985d0815ae4eef7a89a5c7eb446ec4df42f3b3466c2c00ee228e8932
                                            • Opcode Fuzzy Hash: 26336ed87af3883bd56af66c3c8e36589e7feb1374b3c27cb38e991b6e33908a
                                            • Instruction Fuzzy Hash: 51F0C970801149DFDB15EBA1C984AECBBFCAB18301F540499E102A61A1D7758F86DF60
                                            APIs
                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AC59AE
                                            • PostMessageW.USER32(00000000), ref: 00AC59B5
                                              • Part of subcall function 00AA5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AA52BC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: FindMessagePostSleepWindow
                                            • String ID: Shell_TrayWnd
                                            • API String ID: 529655941-2988720461
                                            • Opcode ID: 2b34773202b251d282c4f1f05137c03ef00799cb258cb26f3b30cfa18193a14f
                                            • Instruction ID: 315eadd632c0efc4f378361958afb959acacfb71953f8d85e509aa3e6395ce18
                                            • Opcode Fuzzy Hash: 2b34773202b251d282c4f1f05137c03ef00799cb258cb26f3b30cfa18193a14f
                                            • Instruction Fuzzy Hash: 6ED0C9317807157BE664ABB09C0BFD66625BB05B50F010825B356AA1D0C9E8A801C658
                                            APIs
                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AC596E
                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00AC5981
                                              • Part of subcall function 00AA5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AA52BC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1357365616.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
                                            • Associated: 00000001.00000002.1357347145.0000000000A40000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000ACF000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357416044.0000000000AF4000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357449664.0000000000AFE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.1357462639.0000000000B07000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_a40000_M6MafKT2pj.jbxd
                                            Similarity
                                            • API ID: FindMessagePostSleepWindow
                                            • String ID: Shell_TrayWnd
                                            • API String ID: 529655941-2988720461
                                            • Opcode ID: e695bfdfd549c526b2fba8078f52a4c30ae5d82bbdbb95f685a26968a3c073ae
                                            • Instruction ID: 92f702cf8ebd38d503319f8d14196c75469c8c7a8d6093d250a9dac142062c73
                                            • Opcode Fuzzy Hash: e695bfdfd549c526b2fba8078f52a4c30ae5d82bbdbb95f685a26968a3c073ae
                                            • Instruction Fuzzy Hash: F9D01231784715BBE664FBB0DC0FFE76A25BF00B50F010835B35AAB1D0C9E89801C654