

Windows Analysis Report
7632e569071acc40bce87af592e4cc2476d9c088906a1.exe

Overview

General Information

Sample name: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
Analysis ID: 1483096
MD5: 5223a85ff161e8818f0e514048051e7d
SHA1: 9574d384a9f3b449f64cf14a022df3c8c383e279
SHA256: 7632e569071acc40bce87af592e4cc2476d9c088906a1e6651614860b4754bf8
Tags: exe, RedLineStealer

Detection

Family: RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Copy From or To System Directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe (PID: 5580 cmdline: "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe" MD5: 5223A85FF161E8818F0E514048051E7D)
    • cmd.exe (PID: 4456 cmdline: "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7156 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 380 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 6416 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 5304 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5600 cmdline: cmd /c md 154571 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 5908 cmdline: findstr /V "TRUEANALOGMINDOC" Pepper MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5704 cmdline: cmd /c copy /b Lt + Blake + Tranny + Category 154571\i MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Eco.pif (PID: 2520 cmdline: 154571\Eco.pif 154571\i MD5: B06E67F9767E5023892D9698703AD098)
        • RegAsm.exe (PID: 4708 cmdline: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • RegAsm.exe (PID: 760 cmdline: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • timeout.exe (PID: 2668 cmdline: timeout 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
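The process tree above is the whole loader chain: the sample spawns cmd.exe, which renames a dropped carrier to Humor.cmd and runs it; the script enumerates security products with tasklist | findstr, strips marker lines from a carrier file with findstr /V, reassembles a payload with copy /b, then runs a .pif from %TEMP% that in turn starts RegAsm.exe from the same directory (the injection host the RedLine config was later extracted from). The following is an added example of detection logic for that chain, not code from the report or from Joe Sandbox. It runs over process-creation records constructed from the PIDs and command lines in the tree plus two benign controls; the record fields (pid, ppid, image, cmdline) are Sysmon-style and an assumption, the AV process list is taken from the two findstr command lines, and the rule names are my own.

```python
"""Flag the batch-loader process chain seen in the process tree (added example; not Joe Sandbox code)."""
import re
from dataclasses import dataclass

# Process names the sample looks for via tasklist | findstr (taken from the command lines in the tree).
AV_PROCESSES = {
    "wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
    "bdservicehost.exe", "nswscsvc.exe", "sophoshealth.exe",
}
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\appdata|programdata|users\\public)\\", re.I)
NET_FRAMEWORK = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(?:64)?\\", re.I)
EXE_NAME = re.compile(r"[\w.-]+\.exe")


@dataclass
class ProcEvent:
    """Minimal Sysmon-style process-creation record (field set is an assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def detect(events):
    """Return (rule, pid) pairs for every event matching one of the loader-chain heuristics."""
    hits = []
    for e in events:
        name = e.image.rsplit("\\", 1)[-1].lower()
        low = e.cmdline.lower()
        # cmd /k copy X X.cmd & X.cmd: the dropped carrier is renamed to a script and run in place.
        if name == "cmd.exe" and re.search(r"\bcopy\s+(\S+)\s+\1\.(?:cmd|bat)\b.*&\s*\1\.(?:cmd|bat)\b", low):
            hits.append(("rename_and_run_script", e.pid))
        # tasklist | findstr /I "<av names>": enumerating security products before unpacking.
        if name == "findstr.exe" and "/i" in low and AV_PROCESSES & set(EXE_NAME.findall(low)):
            hits.append(("av_process_enumeration", e.pid))
        # findstr /V "<MARKER>" carrier: drops marker lines from a file to recover a payload fragment.
        if name == "findstr.exe" and re.search(r'/[vV]\s+"[A-Z]{8,}"\s+\S+', e.cmdline):
            hits.append(("findstr_carrier_filter", e.pid))
        # copy /b a + b + c dest: payload reassembled from split fragments.
        if name == "cmd.exe" and re.search(r"\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+\S+", low):
            hits.append(("binary_concat_payload_rebuild", e.pid))
        # A .pif launched from a user-writable directory.
        if name.endswith(".pif") and USER_WRITABLE.search(e.image):
            hits.append(("pif_from_user_writable_path", e.pid))
        # RegAsm.exe running from anywhere but the .NET Framework directory.
        if name == "regasm.exe" and not NET_FRAMEWORK.match(e.image):
            hits.append(("regasm_uncommon_location", e.pid))
    return hits


def score_chains(events):
    """Group hits under their oldest ancestor in the event set, so one chain yields one alert."""
    by_pid = {e.pid: e for e in events}

    def root(pid):
        while pid in by_pid and by_pid[pid].ppid in by_pid and by_pid[pid].ppid != pid:
            pid = by_pid[pid].ppid
        return pid

    chains = {}
    for rule, pid in detect(events):
        chains.setdefault(root(pid), set()).add(rule)
    return {r: sorted(rules) for r, rules in chains.items()}


# Constructed from the process tree above (PIDs and command lines as reported); 9001/9002 are benign controls.
SAMPLE_EVENTS = [
    ProcEvent(5580, 1, r"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",
              r'"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe"'),
    ProcEvent(4456, 5580, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit'),
    ProcEvent(7156, 4456, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(380, 4456, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    ProcEvent(5304, 4456, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"'),
    ProcEvent(5600, 4456, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 154571"),
    ProcEvent(5908, 4456, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "TRUEANALOGMINDOC" Pepper'),
    ProcEvent(5704, 4456, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b Lt + Blake + Tranny + Category 154571\i"),
    ProcEvent(2520, 4456, r"C:\Users\user\AppData\Local\Temp\154571\Eco.pif", r"154571\Eco.pif 154571\i"),
    ProcEvent(4708, 2520, r"C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe",
              r"C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe"),
    ProcEvent(9001, 9000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /codebase MyLib.dll"),
    ProcEvent(9002, 9000, r"C:\Windows\System32\findstr.exe", 'findstr /I "error" app.log'),
]

if __name__ == "__main__":
    for root_pid, rules in score_chains(SAMPLE_EVENTS).items():
        print(f"chain rooted at pid {root_pid}: {', '.join(rules)}")
```

Each heuristic on its own is noisy (copy /b and findstr /V have legitimate uses); the point of score_chains is that all six fire under one ancestor, the sample at PID 5580, while the legitimate RegAsm.exe and findstr.exe controls produce nothing.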
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted malware configuration:
{"C2 url": ["45.140.147.183:12245"], "Bot Id": "YT2", "Authorization Header": "1a1f648c602cc3ac1cfdc397a97b9b88"}
Yara matches (Source | Rule | Description | Author):

Network capture:
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Memory dumps:
0000000B.00000003.2601109444.0000000004131000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000B.00000003.2649255360.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000B.00000003.2594664194.0000000005111000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000B.00000003.2590852384.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000B.00000003.2590491562.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(21 further memory-dump matches not listed)

Unpacked PE:
17.2.RegAsm.exe.1300000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

System Summary

Sigma rule matches on process-creation events:

Rule: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
Source: Process started
Data: Command: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, ParentCommandLine: 154571\Eco.pif 154571\i, ParentImage: C:\Users\user\AppData\Local\Temp\154571\Eco.pif, ParentProcessId: 2520, ParentProcessName: Eco.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, ProcessId: 4708, ProcessName: RegAsm.exe

Rule: Execution of Suspicious File Type Extension
Author: Max Altgelt (Nextron Systems)
Source: Process started
Data: Command: 154571\Eco.pif 154571\i, CommandLine: 154571\Eco.pif 154571\i, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\154571\Eco.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\154571\Eco.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\154571\Eco.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4456, ParentProcessName: cmd.exe, ProcessCommandLine: 154571\Eco.pif 154571\i, ProcessId: 2520, ProcessName: Eco.pif

Rule: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Author: Nasreddine Bencherchali (Nextron Systems)
Source: Process started
Data: Command: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, ParentCommandLine: 154571\Eco.pif 154571\i, ParentImage: C:\Users\user\AppData\Local\Temp\154571\Eco.pif, ParentProcessId: 2520, ParentProcessName: Eco.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, ProcessId: 4708, ProcessName: RegAsm.exe

Rule: Suspicious Copy From or To System Directory
Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
Source: Process started
Data: Command: "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit, CommandLine: "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe", ParentImage: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, ParentProcessId: 5580, ParentProcessName: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit, ProcessId: 4456, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Rule: Search for Antivirus process
Author: Joe Security
Source: Process started
Data: Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4456, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 5304, ProcessName: findstr.exe
No Snort rule has matched.

IDS alerts, in time order. All 28 are TCP with classtype "A Network Trojan was detected". The 49714 <-> 12245 entries (SIDs 2046045, 2043234, 2046056 and 23 hits of 2043231) are on the connection to the extracted C2 port 12245; the two SID 2022930 hits are server-to-client from port 443 on separate connections.

Timestamp                        SID      Src port  Dst port
2024-07-26T16:42:13.988174+0200  2022930  443       49705
2024-07-26T16:42:52.561065+0200  2022930  443       49712
2024-07-26T16:43:16.230581+0200  2046045  49714     12245
2024-07-26T16:43:16.407742+0200  2043234  12245     49714
2024-07-26T16:43:21.464546+0200  2043231  49714     12245
2024-07-26T16:43:21.648004+0200  2046056  12245     49714
2024-07-26T16:43:21.793638+0200  2043231  49714     12245
2024-07-26T16:43:21.989854+0200  2043231  49714     12245
2024-07-26T16:43:22.172217+0200  2043231  49714     12245
2024-07-26T16:43:22.350809+0200  2043231  49714     12245
2024-07-26T16:43:22.656385+0200  2043231  49714     12245
2024-07-26T16:43:22.855683+0200  2043231  49714     12245
2024-07-26T16:43:23.988408+0200  2043231  49714     12245
2024-07-26T16:43:24.168146+0200  2043231  49714     12245
2024-07-26T16:43:24.352512+0200  2043231  49714     12245
2024-07-26T16:43:24.544199+0200  2043231  49714     12245
2024-07-26T16:43:24.778983+0200  2043231  49714     12245
2024-07-26T16:43:25.096072+0200  2043231  49714     12245
2024-07-26T16:43:25.111609+0200  2043231  49714     12245
2024-07-26T16:43:26.081968+0200  2043231  49714     12245
2024-07-26T16:43:26.302540+0200  2043231  49714     12245
2024-07-26T16:43:26.561611+0200  2043231  49714     12245
2024-07-26T16:43:26.744227+0200  2043231  49714     12245
2024-07-26T16:43:26.978648+0200  2043231  49714     12245
2024-07-26T16:43:27.161304+0200  2043231  49714     12245
2024-07-26T16:43:27.343120+0200  2043231  49714     12245
2024-07-26T16:43:27.520559+0200  2043231  49714     12245
2024-07-26T16:43:27.736518+0200  2043231  49714     12245


                  AV Detection

Source: 17.2.RegAsm.exe.1300000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["45.140.147.183:12245"], "Bot Id": "YT2", "Authorization Header": "1a1f648c602cc3ac1cfdc397a97b9b88"}
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegAsm.pdb | source: Eco.pif, 0000000B.00000003.2589909020.0000000004131000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000000.2591510506.00000000000C2000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.11.dr
Source: Binary string: RegAsm.pdb4 | source: Eco.pif, 0000000B.00000003.2589909020.0000000004131000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000000.2591510506.00000000000C2000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.11.dr
Source: Binary string: System.ServiceModel.pdb | source: RegAsm.exe, 00000011.00000002.2929662882.0000000001639000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Code function 0_2_004062D5: FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Code function 0_2_00402E18: FindFirstFileW
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Code function 0_2_00406C9B: DeleteFileW, lstrcatW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function 11_2_00BC47B7: GetFileAttributesW, FindFirstFileW, FindClose
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function 11_2_00BC3B4F: FindFirstFileW, DeleteFileW, DeleteFileW, MoveFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function 11_2_00BC3E72: FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function 11_2_00BCC16C: FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function 11_2_00BCCB81: FindFirstFileW, FindClose
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function 11_2_00BCCC0C: FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function 11_2_00BCF445: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, GetFileAttributesW, SetFileAttributesW, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function 11_2_00BCF5A2: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function 11_2_00BCF8A3: FindFirstFileW, Sleep, _wcscmp, _wcscmp, FindNextFileW, FindClose

                  Networking

Source: Malware configuration extractor | URLs: 45.140.147.183:12245
Source: global traffic | TCP traffic: 192.168.2.5:49713 -> 45.140.147.183:12245
Source: Joe Sandbox View | ASN Name: SYNLINQsynlinqdeDE
Source: unknown | DNS traffic detected: query: WTYoyXMgGLmyIq.WTYoyXMgGLmyIq, reply code: Name error (3)
Source: unknown | TCP traffic detected without corresponding DNS query: 45.140.147.183 (50 identical entries in the report)
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function 11_2_00BD279E: InternetReadFile, InternetQueryDataAvailable, InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: WTYoyXMgGLmyIq.WTYoyXMgGLmyIq
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000003.2011824605.00000000028D3000.00000004.00000020.00020000.00000000.sdmp, Miniature.0.dr, Eco.pif.2.dr | String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000003.2011824605.00000000028D3000.00000004.00000020.00020000.00000000.sdmp, Miniature.0.dr, Eco.pif.2.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000003.2011824605.00000000028D3000.00000004.00000020.00020000.00000000.sdmp, Miniature.0.dr, Eco.pif.2.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                  Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                  Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exeString found in binary or memory: http://ocsp.digicert.com0
                  Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exeString found in binary or memory: http://ocsp.digicert.com0A
                  Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exeString found in binary or memory: http://ocsp.digicert.com0C
                  Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exeString found in binary or memory: http://ocsp.digicert.com0X
                  Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000003.2011824605.00000000028D3000.00000004.00000020.00020000.00000000.sdmp, Miniature.0.dr, Eco.pif.2.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                  Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000003.2011824605.00000000028D3000.00000004.00000020.00020000.00000000.sdmp, Miniature.0.dr, Eco.pif.2.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
                  Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000003.2011824605.00000000028D3000.00000004.00000020.00020000.00000000.sdmp, Miniature.0.dr, Eco.pif.2.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000033A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                  Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                  Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000034A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000033A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000034A7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000034A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000034A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 00000011.00000002.2929941333.000000000338F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: RegAsm.exe, 00000011.00000002.2929941333.000000000342B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000034A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 00000011.00000002.2929941333.00000000033A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000003.2011824605.00000000028D3000.00000004.00000020.00020000.00000000.sdmp, Miniature.0.dr, Eco.pif.2.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000003.2010010300.00000000028E3000.00000004.00000020.00020000.00000000.sdmp, Eco.pif, 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp, Glasses.0.dr, Eco.pif.2.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: Eco.pif, 0000000B.00000003.2601109444.0000000004131000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2649255360.0000000004C71000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2594664194.0000000005111000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2590491562.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2649400665.0000000004A71000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2601087269.00000000041B3000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2590274232.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2649155250.0000000004B44000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2590740976.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2590411622.0000000005113000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2601050359.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929013537.0000000001302000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000003.2011824605.00000000028D3000.00000004.00000020.00020000.00000000.sdmp, Miniature.0.dr, Eco.pif.2.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000003.2011824605.00000000028D3000.00000004.00000020.00020000.00000000.sdmp, Miniature.0.dr, Eco.pif.2.dr | String found in binary or memory: https://www.globalsign.com/repository/03
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BD4614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BD4416 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BECEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B80D68 FindCloseChangeNotification,NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BC40C1: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BB8D11 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BC55E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Code function: 0_2_0040497C
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Code function: 0_2_00406ED2
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Code function: 0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B6B020
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B694E0
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B69C80
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BE81C8
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B82325
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B96432
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B9258E
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B6E6F0
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B8275A
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B988EF
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BE0802
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B969A4
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BBEB95
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B70BE0
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BC8CB1
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B8CC81
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BE0C7F
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B96F16
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B832E9
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B8F339
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B7D457
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B815E4
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B7F57E
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B6F6A0
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B61663
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B877F3
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B81AD8
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B8DAD5
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B99C15
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B7DD14
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B81EF0
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B8BF06
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Code function: 17_2_056DDC74
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\154571\Eco.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: String function: 00B80C42 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: String function: 00B71A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: String function: 00B88A60 appears 42 times
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Code function: String function: 004062A3 appears 57 times
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Static PE information: invalid certificate
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000003.2010010300.00000000028E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000002.2015624578.00000000005F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@26/38@1/1
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BCA51A GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BB8BCC AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BB917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BC3FB5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Code function: 0_2_004024FB CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BC42AA __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File created: C:\Users\user\AppData\Local\SystemCache
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | File created: C:\Users\user\AppData\Local\Temp\nsc4DC.tmp
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | File read: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
Source: unknown | Process created: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe"
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 154571
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TRUEANALOGMINDOC" Pepper
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Lt + Blake + Tranny + Category 154571\i
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\154571\Eco.pif 154571\Eco.pif 154571\i
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Process created: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Process created: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                  Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegAsm.pdb source: Eco.pif, 0000000B.00000003.2589909020.0000000004131000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000000.2591510506.00000000000C2000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.11.dr
Source: Binary string: RegAsm.pdb4 source: Eco.pif, 0000000B.00000003.2589909020.0000000004131000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000000.2591510506.00000000000C2000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.11.dr
Source: Binary string: System.ServiceModel.pdb source: RegAsm.exe, 00000011.00000002.2929662882.0000000001639000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B88AA5 push ecx; ret 11_2_00B88AB8
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Code function: 17_2_06ED4B01 pushfd ; retf 17_2_06ED4B02

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\154571\Eco.pif
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | File created: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\154571\Eco.pif
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00BE577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,11_2_00BE577B
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B75EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,11_2_00B75EDA
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 11_2_00B832E9 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress (x36),11_2_00B832E9
Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | Process information set: NOOPENFILEERRORBOX (12 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (104 identical entries)

Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe -- Stalling execution: Execution stalls by calling Sleep
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Memory allocated: 1810000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Memory allocated: 3250000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Memory allocated: 3090000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Thread delayed: delay time: 922337203685477 (reported 4 times in this section)
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Window / User API: threadDelayed 696
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Window / User API: threadDelayed 6264
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- API coverage: 4.9 %
                  Source: C:\Windows\SysWOW64\timeout.exe TID: 6024 -- Thread sleep count: 41 > 30
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe TID: 348 -- Thread sleep time: -21213755684765971s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe TID: 5348 -- Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
                  Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe -- Code function: 0_2_004062D5 FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe -- Code function: 0_2_00402E18 FindFirstFileW
                  Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe -- Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BC47B7 GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BC3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BC3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BCC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BCCB81 FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BCCC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BCF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BCF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BCF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00B75D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: ms.portal.azure.comVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: global block list test formVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: global block list test formVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: AMC password management pageVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: tasks.office.comVMware20,11696428655o
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: interactivebrokers.comVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                  Source: Eco.pif, 0000000B.00000003.2656328918.0000000001AD7000.00000004.00000020.00020000.00000000.sdmp, Eco.pif, 0000000B.00000002.2657799705.0000000001AD8000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&$
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: bankofamerica.comVMware20,11696428655x
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: discord.comVMware20,11696428655f
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: outlook.office365.comVMware20,11696428655t
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: dev.azure.comVMware20,11696428655j
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: outlook.office365.comVMware20,11696428655t
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                  Source: RegAsm.exe, 00000011.00000002.2940850616.0000000006390000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: outlook.office.comVMware20,11696428655s
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: discord.comVMware20,11696428655f
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: ms.portal.azure.comVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: outlook.office.comVMware20,11696428655s
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: tasks.office.comVMware20,11696428655o
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: dev.azure.comVMware20,11696428655j
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: AMC password management pageVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: interactivebrokers.comVMware20,11696428655
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                  Source: RegAsm.exe, 00000011.00000002.2932439473.0000000004594000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                  Source: RegAsm.exe, 00000011.00000002.2932439473.000000000455F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: bankofamerica.comVMware20,11696428655x
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Process information queried: ProcessInformation

                  Anti Debugging

                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BD43B9 BlockInput
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00B75240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00B95BDC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                  Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe -- Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BB86B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                  Source: C:\Windows\SysWOW64\tasklist.exe -- Process token adjusted: Debug (reported twice)
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00B8A2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00B8A284 SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Memory written: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe base: 1300000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Memory written: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe base: 1300000
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Memory written: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe base: 10C7000
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BB914C LogonUserW
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00B75240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BC1932 SendInput,keybd_event
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BC50A7 mouse_event
                  Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe -- Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 154571
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TRUEANALOGMINDOC" Pepper
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Lt + Blake + Tranny + Category 154571\i
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Users\user\AppData\Local\Temp\154571\Eco.pif 154571\Eco.pif 154571\i
                  Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Process created: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe (reported twice)
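The "Process created" entries above are the whole staging chain of the dropped batch file: a `tasklist` whose output is matched by `findstr /I` against security-product process names, a marker-stripping `findstr /V` over the file Pepper, a `copy /b` concatenation of four chunks into `154571\i`, and execution of a `.pif` from the user's Temp directory. Every stage is a child of the same `cmd.exe /k ... Humor.cmd` instance, which is what makes it detectable from process-creation telemetry alone. The following is an added example of such detection logic (written for this page; it is neither Joe Sandbox code nor anything from the sample). The events are constructed to mirror the lines above in Sysmon Event ID 1 style fields; the PIDs are invented, and the list of security-product process names is taken verbatim from the two `findstr /I` command lines in the report.

```python
"""Flag the batch-loader staging chain seen in the report over process-creation events."""
import re
from collections import defaultdict

# Process names the dropped .cmd looks for via `tasklist | findstr /I ...` (copied from the report).
AV_PROCESS_NAMES = {
    "wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
    "bdservicehost.exe", "nswscsvc.exe", "sophoshealth.exe",
}

# Constructed events modelled on the "Process created" lines of the report (Sysmon EID 1 style).
# PIDs are made up; images and command lines mirror the report. The last three are benign noise.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",
     "cmdline": "7632e569071acc40bce87af592e4cc2476d9c088906a1.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 202, "ppid": 200, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /I "wrsa.exe opssvc.exe"'},
    {"pid": 203, "ppid": 200, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 204, "ppid": 200, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"'},
    {"pid": 205, "ppid": 200, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c md 154571"},
    {"pid": 206, "ppid": 200, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /V "TRUEANALOGMINDOC" Pepper'},
    {"pid": 207, "ppid": 200, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c copy /b Lt + Blake + Tranny + Category 154571\i"},
    {"pid": 208, "ppid": 200, "image": r"C:\Users\user\AppData\Local\Temp\154571\Eco.pif",
     "cmdline": r"154571\Eco.pif 154571\i"},
    {"pid": 209, "ppid": 200, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 5"},
    {"pid": 210, "ppid": 208, "image": r"C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe"},
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 302, "ppid": 300, "image": r"C:\Windows\System32\findstr.exe", "cmdline": 'findstr /I "notepad.exe"'},
]

COPY_B_RE = re.compile(r"\bcopy\s+/b\b.*\+", re.IGNORECASE)          # copy /b a + b ... dest
FINDSTR_V_RE = re.compile(r'\bfindstr\s+/V\s+"[^"]+"\s+\S+', re.IGNORECASE)  # findstr /V "MARKER" file
TEMP_PIF_RE = re.compile(r"\\AppData\\Local\\Temp\\.*\.pif$", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event, siblings):
    """Return the staging-step labels a single event matches.

    `siblings` are the other children of the same parent. The pipe in `tasklist | findstr`
    is not visible in process telemetry, so the AV check is only counted when a tasklist
    sibling exists alongside the findstr that names security-product processes.
    """
    image = _basename(event["image"])
    cmd = event["cmdline"]
    labels = []
    if image == "findstr.exe":
        quoted = re.findall(r'"([^"]*)"', cmd)
        names = {tok.lower() for q in quoted for tok in q.split()}
        has_tasklist = any(_basename(s["image"]) == "tasklist.exe" for s in siblings)
        if names & AV_PROCESS_NAMES and has_tasklist:
            labels.append("av_process_check")
        if FINDSTR_V_RE.search(cmd):
            labels.append("marker_strip")
    if image == "cmd.exe" and COPY_B_RE.search(cmd):
        labels.append("binary_concat")
    if TEMP_PIF_RE.search(event["image"]):
        labels.append("pif_from_temp")
    return labels


def find_staging_chains(events):
    """Group events by parent PID and return, per parent, the set of stages its children cover."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    results = {}
    for ppid, kids in children.items():
        seen = set()
        for ev in kids:
            seen.update(classify(ev, [k for k in kids if k is not ev]))
        if seen:
            results[ppid] = seen
    return results


REQUIRED = {"av_process_check", "marker_strip", "binary_concat", "pif_from_temp"}


def alerting_parents(events):
    """PIDs of parent processes whose children exhibit every stage of the chain."""
    return sorted(p for p, labels in find_staging_chains(events).items() if REQUIRED <= labels)


if __name__ == "__main__":
    for ppid, labels in find_staging_chains(SAMPLE_EVENTS).items():
        print(ppid, sorted(labels))
    print("alert:", alerting_parents(SAMPLE_EVENTS))
```

Requiring all four stages under one parent keeps the rule quiet on administrators who run `tasklist | findstr` by hand (the pid 300 tree above); for hunting rather than alerting, lowering the requirement to any two stages is the usual trade-off.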
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BB86B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BC4D89 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
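Two of the staging steps listed above shape files rather than run code: `findstr /V "TRUEANALOGMINDOC" Pepper` removes every line of Pepper that contains the marker, and `copy /b Lt + Blake + Tranny + Category 154571\i` concatenates four chunks into the script that `Eco.pif` is then launched with. Both can be reproduced offline from the dropped files, which lets an analyst recover the executable and the script without running the batch. The following is an added example of that emulation (written for this page, not code from the sample or from Joe Sandbox). Assumptions: the batch redirects findstr's output into `154571\Eco.pif` (the redirect is performed by cmd.exe and is not visible in the child command line, so the destination is inferred from the later `154571\Eco.pif 154571\i` launch); findstr passes surviving lines through unchanged; and the Pepper and chunk files used here are constructed stand-ins, not the sample's files.

```python
"""Offline re-creation of the dropped .cmd's two file-shaping steps (constructed inputs)."""
import os
import tempfile

MARKER = b"TRUEANALOGMINDOC"                        # string given to `findstr /V` in the report
CHUNK_NAMES = ("Lt", "Blake", "Tranny", "Category")  # `copy /b` operands in the report


def split_records(data):
    """Split bytes into \\n-terminated records the way findstr reads a file (last one may be unterminated)."""
    records, start = [], 0
    while start < len(data):
        end = data.find(b"\n", start)
        if end < 0:
            records.append(data[start:])
            break
        records.append(data[start:end + 1])
        start = end + 1
    return records


def findstr_v(data, marker):
    """Emulate `findstr /V "<marker>" file`: keep only records that do not contain the marker.

    Assumption: the surviving records are passed through byte-for-byte, line endings included.
    The marker has no regex metacharacters, so findstr's default regex mode is a literal match here.
    """
    return b"".join(r for r in split_records(data) if marker not in r)


def copy_b(parts):
    """Emulate `copy /b a + b + c dest`: plain binary concatenation, no transformation."""
    return b"".join(parts)


def looks_like_pe(blob):
    """Sanity check on the carved file: MZ magic and e_lfanew pointing at a PE\\0\\0 signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def stage(workdir, pepper_name="Pepper", out_dir="154571", exe_name="Eco.pif", script_name="i"):
    """Apply both steps to files in `workdir`; returns the paths of the rebuilt executable and script."""
    with open(os.path.join(workdir, pepper_name), "rb") as f:
        carved = findstr_v(f.read(), MARKER)
    chunks = []
    for name in CHUNK_NAMES:
        with open(os.path.join(workdir, name), "rb") as f:
            chunks.append(f.read())
    os.makedirs(os.path.join(workdir, out_dir), exist_ok=True)
    exe_path = os.path.join(workdir, out_dir, exe_name)      # assumed redirect target of findstr /V
    script_path = os.path.join(workdir, out_dir, script_name)
    with open(exe_path, "wb") as f:
        f.write(carved)
    with open(script_path, "wb") as f:
        f.write(copy_b(chunks))
    return exe_path, script_path


def build_stub_pe():
    """Constructed MZ/PE stub used only as test data; it is not a runnable executable."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")           # e_lfanew = 0x40
    return bytes(dos) + b"PE\x00\x00" + b"section data\nmore section data\n"


def make_sample_tree(workdir):
    """Write constructed Pepper and chunk files; returns the bytes the staging should recover.

    Marker lines are inserted only at record boundaries of the stub (after an existing \\n),
    which is what lets `findstr /V` remove them without touching the payload bytes.
    """
    pe = build_stub_pe()
    junk = b"junk " + MARKER + b" junk\r\n"
    head, tail = pe.split(b"\n", 1)                          # tail keeps its own trailing \n
    with open(os.path.join(workdir, "Pepper"), "wb") as f:
        f.write(junk + head + b"\n" + junk + tail + junk)
    script = b"A3X-STUB:" + bytes(range(64))                 # constructed stand-in for the script
    step = len(script) // len(CHUNK_NAMES)
    for i, name in enumerate(CHUNK_NAMES):
        part = script[i * step:] if i == len(CHUNK_NAMES) - 1 else script[i * step:(i + 1) * step]
        with open(os.path.join(workdir, name), "wb") as f:
            f.write(part)
    return pe, script


def demo():
    """Run the emulation on the constructed tree; returns (carved_is_pe, carved_ok, script_ok)."""
    with tempfile.TemporaryDirectory() as workdir:
        expected_pe, expected_script = make_sample_tree(workdir)
        exe_path, script_path = stage(workdir)
        with open(exe_path, "rb") as f:
            carved = f.read()
        with open(script_path, "rb") as f:
            script = f.read()
    return looks_like_pe(carved), carved == expected_pe, script == expected_script


if __name__ == "__main__":
    print(demo())
```

On the real dropped files, point `stage()` at the directory holding Pepper and the four chunks; a carved output that fails `looks_like_pe` usually means the marker string or the record splitting differs from what the batch actually did, and the first thing to compare is the size of Pepper minus the total length of its marker lines against the size of the carved file.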
                  Source: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp, 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000002.2016435610.00000000028DC000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: Eco.pif -- Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00B8878B cpuid
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Queries volume information: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BCE0CA GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00BA0652 GetUserNameW
                  Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif -- Code function: 11_2_00B9409A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                  Source: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe -- Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: RegAsm.exe, 00000011.00000002.2940850616.0000000006390000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: dump.pcap, type: PCAP
Source: Yara match; File source: 17.2.RegAsm.exe.1300000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000003.2601109444.0000000004131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2649255360.0000000004C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2594664194.0000000005111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590852384.0000000004C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590491562.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2594309934.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2601087269.00000000041B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2649400665.0000000004A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2593561909.0000000004A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2594488822.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2593417176.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2649155250.0000000004B44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590274232.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2593236483.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.2929013537.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2649346741.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590740976.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590274232.0000000004A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590411622.0000000005113000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590333622.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2601050359.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Eco.pif PID: 2520, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 760, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Eco.pif; Binary or memory string: WIN_81
Source: Eco.pif; Binary or memory string: WIN_XP
Source: Eco.pif; Binary or memory string: WIN_XPe
Source: Eco.pif.2.dr; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyteP
Source: Eco.pif; Binary or memory string: WIN_VISTA
Source: Eco.pif; Binary or memory string: WIN_7
Source: Eco.pif; Binary or memory string: WIN_8
Source: Yara match; File source: 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 760, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 17.2.RegAsm.exe.1300000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000003.2601109444.0000000004131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2649255360.0000000004C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2594664194.0000000005111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590852384.0000000004C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590491562.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2594309934.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2601087269.00000000041B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2649400665.0000000004A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2593561909.0000000004A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2594488822.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2593417176.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2649155250.0000000004B44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590274232.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2593236483.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.2929013537.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2649346741.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590740976.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590274232.0000000004A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590411622.0000000005113000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2590333622.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.2601050359.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Eco.pif PID: 2520, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 760, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif; Code function: 11_2_00BD6733 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif; Code function: 11_2_00BD6BF7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Windows Management Instrumentation (221) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (11) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Native API (1) | Valid Accounts (2) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (21) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (2) | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Valid Accounts (2) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Input Capture (21) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Access Token Manipulation (21) | Software Packing (1) | NTDS | System Information Discovery (127) | Distributed Component Object Model | Clipboard Data (3) | Non-Application Layer Protocol (1) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (212) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (361) | SSH | Keylogging | Application Layer Protocol (11) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (11) | Cached Domain Credentials | Virtualization/Sandbox Evasion (341) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Valid Accounts (2) | DCSync | Process Discovery (4) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (341) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (21) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (212) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph (ID: 1483096; Sample: 7632e569071acc40bce87af592e...; Start date: 26/07/2024; Architecture: WINDOWS; Score: 100)

Start
  DNS/IP: WTYoyXMgGLmyIq.WTYoyXMgGLmyIq
  Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; 4 other signatures
  Started: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
    Dropped file: C:\Users\user\AppData\Local\Temp35d, PDP-11
    Signature: Found stalling execution ending in API Sleep call
    Started: cmd.exe
      Dropped file: C:\Users\user\AppData\Local\Temp\...co.pif, PE32
      Signature: Drops PE files with a suspicious file extension
      Started: Eco.pif; cmd.exe; conhost.exe; 7 other processes
      Eco.pif
        Dropped file: C:\Users\user\AppData\Local\...\RegAsm.exe, PE32
        Signatures: Found API chain indicative of debugger detection; Writes to foreign memory regions; Injects a PE file into a foreign processes
        Started: RegAsm.exe (two instances)
        RegAsm.exe (first instance)
          DNS/IP: 45.140.147.183, 12245, 49713, 49714 (SYNLINQsynlinqdeDE, United Kingdom)
          Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
        RegAsm.exe (second instance)
          Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source | Detection | Scanner | Label | Link
7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | 39% | ReversingLabs | Win32.Trojan.Generic |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\154571\Eco.pif | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | 0% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id14ResponseD | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id23ResponseD | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6ResponseD | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id13ResponseD | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/sc | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id1ResponseD | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe |
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21ResponseD | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/trust | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10ResponseD | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15ResponseD | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id11ResponseD | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id17ResponseD | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8ResponseD | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | 0% | URL Reputation | safe |
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe |
45.140.147.183:12245 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
WTYoyXMgGLmyIq.WTYoyXMgGLmyIq | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
45.140.147.183:12245 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14ResponseD | RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | RegAsm.exe, 00000011.00000002.2929941333.00000000034A7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id12Response | RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21Response | RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9 | RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8 | RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | RegAsm.exe, 00000011.00000002.2929941333.000000000338F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id4 | RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | RegAsm.exe, 00000011.00000002.2929941333.000000000342B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19Response | RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp | false | | 
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceRegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id13ResponseDRegAsm.exe, 00000011.00000002.2929941333.00000000033A3000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/faultRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsatRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id15ResponseRegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id5ResponseDRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id6ResponseRegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.autoitscript.com/autoit3/J7632e569071acc40bce87af592e4cc2476d9c088906a1.exe, 00000000.00000003.2010010300.00000000028E3000.00000004.00000020.00020000.00000000.sdmp, Eco.pif, 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp, Glasses.0.dr, Eco.pif.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://api.ip.sb/ipEco.pif, 0000000B.00000003.2601109444.0000000004131000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2649255360.0000000004C71000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2594664194.0000000005111000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2590491562.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2649400665.0000000004A71000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2601087269.00000000041B3000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2590274232.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2649155250.0000000004B44000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2590740976.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2590411622.0000000005113000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000B.00000003.2601050359.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929013537.0000000001302000.00000040.00000400.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/scRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id1ResponseDRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id9ResponseRegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id20RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id21RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id22RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id23RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://nsis.sf.net/NSIS_ErrorError7632e569071acc40bce87af592e4cc2476d9c088906a1.exefalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id24RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id21ResponseDRegAsm.exe, 00000011.00000002.2929941333.00000000033A3000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id10RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id11RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id10ResponseDRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id12RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id13RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id14RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id15RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id16RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id17RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id18RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id19RegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000011.00000002.2929941333.00000000032E2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id17ResponseDRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/soap/envelope/RegAsm.exe, 00000011.00000002.2929941333.0000000003251000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id8ResponseDRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyRegAsm.exe, 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
IP: 45.140.147.183
Domain: unknown
Country: United Kingdom
ASN: 44486
ASN Name: SYNLINQ synlinqde DE
Malicious: true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1483096
                    Start date and time:2024-07-26 16:41:07 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 53s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@26/38@1/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 99%
                    • Number of executed functions: 93
                    • Number of non-executed functions: 298
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
Time | Type | Description
10:41:55 | API Interceptor | 1x Sleep call for process: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe modified
10:42:34 | API Interceptor | 40x Sleep call for process: Eco.pif modified
10:43:22 | API Interceptor | 35x Sleep call for process: RegAsm.exe modified
                    No context
                    No context
Match: SYNLINQ synlinqde DE
Associated Sample Name / URL | Detection | Threat Name | Context
3wdC6zhiOR.exe | malicious | MicroClip | 45.140.146.248
3wdC6zhiOR.exe | malicious | MicroClip | 45.140.146.248
HajjReport.docm | malicious | Unknown | 45.140.147.81
HajjReport.docm | malicious | Unknown | 45.140.147.81
HajjReport.docm | malicious | Unknown | 45.140.147.81
HajjReport.docm | malicious | Unknown | 45.140.147.81
https://coanj.com/ | malicious | Unknown | 45.140.146.101
https://stay.linestoget.com/scripts/get.js?ver=4.2.1 | malicious | Unknown | 45.140.146.101
https://whisenhantlaw.com/cold-war/po-box-790447-st-louis-63179 | malicious | Unknown | 45.140.146.101
https://www.traveltrendstoday.in | malicious | Unknown | 45.140.146.101
                    No context
Match: C:\Users\user\AppData\Local\Temp\154571\Eco.pif
Associated Sample Name / URL | Detection | Threat Name
setup.exe | malicious | Unknown
setup.exe | malicious | Unknown
SecuriteInfo.com.Trojan.Siggen29.2381.17841.24795.exe | malicious | RedLine
Autodesk AutoCAD 2023.exe | malicious | Vidar
oRALyHjeXB.exe | malicious | PureLog Stealer, RedLine, zgRAT
oRALyHjeXB.exe | malicious | PureLog Stealer, RedLine, zgRAT
file.exe | malicious | SmokeLoader
file.exe | malicious | SmokeLoader
file.exe | malicious | SmokeLoader
UnDqKnghuz.exe | malicious | PureLog Stealer, RedLine, zgRAT

Match: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
Associated Sample Name / URL | Detection | Threat Name
LisectAVT_2403002B_119.exe | malicious | RedLine
LisectAVT_2403002A_117.exe | malicious | RedLine
7d69f17f.exe | malicious | RedLine
ZUlr0Vm0Zt.pdf | malicious | Hatef Wiper
SecuriteInfo.com.Trojan.PackedNET.2334.3801.19434.exe | malicious | PureLog Stealer, Raccoon Stealer v2, SmokeLoader
CrowdStrike.exe | malicious | Hatef Wiper
CrowdStrike.exe | malicious | Hatef Wiper
SecuriteInfo.com.Trojan.Siggen29.2381.17841.24795.exe | malicious | RedLine
oRALyHjeXB.exe | malicious | PureLog Stealer, RedLine, zgRAT
oRALyHjeXB.exe | malicious | PureLog Stealer, RedLine, zgRAT
                                                            Process:C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):3293
                                                            Entropy (8bit):5.3364558769830905
                                                            Encrypted:false
                                                            SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqNqrEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qD
                                                            MD5:0F4CFE7D09B8E7D0C0E6D8EED58B1854
                                                            SHA1:4AE34C93DA9DBFE7103C01CB2E1A272CB0391F93
                                                            SHA-256:A60B7EE4A9322CBA71406D90D9DC5E99FD0B0E0D25B14CDB45431C935314E9A2
                                                            SHA-512:2C2B8CA7BD60417D06A283A53B2CC652860797ED17FBE0267964B8CCEDB2DC8CF5CF1D3588BC9E2FF1AB25AD24673A960CDB8F739F41F6189933B4BE281FD2C6
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:modified
                                                            Size (bytes):937776
                                                            Entropy (8bit):6.777413141364669
                                                            Encrypted:false
                                                            SSDEEP:12288:FJV3REMvnCG22lhtjVoAYxQl+u13a/sVyaVeK56ORMkkOlPlNKlga4Umff2lRO:F3hEW3hlVodGl+gUKrMkzXa4P6RO
                                                            MD5:B06E67F9767E5023892D9698703AD098
                                                            SHA1:ACC07666F4C1D4461D3E1C263CF6A194A8DD1544
                                                            SHA-256:8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
                                                            SHA-512:7972C78ACEBDD86C57D879C12CB407120155A24A52FDA23DDB7D9E181DD59DAC1EB74F327817ADBC364D37C8DC704F8236F3539B4D3EE5A022814924A1616943
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
                                                             • Filename: setup.exe, Detection: malicious
                                                             • Filename: setup.exe, Detection: malicious
                                                             • Filename: SecuriteInfo.com.Trojan.Siggen29.2381.17841.24795.exe, Detection: malicious
                                                             • Filename: Autodesk AutoCAD 2023.exe, Detection: malicious
                                                             • Filename: oRALyHjeXB.exe, Detection: malicious
                                                             • Filename: oRALyHjeXB.exe, Detection: malicious
                                                             • Filename: file.exe, Detection: malicious
                                                             • Filename: file.exe, Detection: malicious
                                                             • Filename: file.exe, Detection: malicious
                                                             • Filename: UnDqKnghuz.exe, Detection: malicious
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...y..U..........".................*.............@.................................w.....@...@.......@.....................L...|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\154571\Eco.pif
                                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):65440
                                                            Entropy (8bit):6.049806962480652
                                                            Encrypted:false
                                                            SSDEEP:768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
                                                            MD5:0D5DF43AF2916F47D00C1573797C1A13
                                                            SHA1:230AB5559E806574D26B4C20847C368ED55483B0
                                                            SHA-256:C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
                                                            SHA-512:F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
                                                             • Filename: LisectAVT_2403002B_119.exe, Detection: malicious
                                                             • Filename: LisectAVT_2403002A_117.exe, Detection: malicious
                                                             • Filename: 7d69f17f.exe, Detection: malicious
                                                             • Filename: ZUlr0Vm0Zt.pdf, Detection: malicious
                                                             • Filename: SecuriteInfo.com.Trojan.PackedNET.2334.3801.19434.exe, Detection: malicious
                                                             • Filename: CrowdStrike.exe, Detection: malicious
                                                             • Filename: CrowdStrike.exe, Detection: malicious
                                                             • Filename: SecuriteInfo.com.Trojan.Siggen29.2381.17841.24795.exe, Detection: malicious
                                                             • Filename: oRALyHjeXB.exe, Detection: malicious
                                                             • Filename: oRALyHjeXB.exe, Detection: malicious
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                            File Type:OpenPGP Secret Key
                                                            Category:dropped
                                                            Size (bytes):410350
                                                            Entropy (8bit):7.999534336762385
                                                            Encrypted:true
                                                            SSDEEP:6144:PHCFfAFqXYJsA48LxAI5YIzjmWCQLW9MnP+YC6WCdibeQEEmOiylZAZv57Q0QHeI:P4foqX4so5YsuXKkwOzgv5Q0Y
                                                            MD5:AFA99B9D405658F98DE0E2F688B11799
                                                            SHA1:7387C5ACA57800C29BCB994BF9910B47AC8E3A3E
                                                            SHA-256:923EAAAEE7BD9310AD06297C07FBBFBD4801A1AC30DA2DE21FB59FF28F958936
                                                            SHA-512:35886B244E6D04FC7B199762944B4906E16CB8D4285E9BD70532A592C8F90E1232E51C34D9D80334BF4DA86264A5EDA429A37FE423A85C14441476F2DC4C0212
                                                            Malicious:false
                                                            Preview:.2.....u....K.wET."v._.3.P.;.4VFv....Q...q.......P.S.AfK.TKkX......j%.E.k..d&.3..)o...5...A....R...H{..o.F.x.[s..Kt.Q+'....}>.....G.. H...RM...B..Egs._......0#...2..,....@.....D.OGP0.T..B...../.pB./2.e.......J.b..=...~....4.`....).}...%6......h.S..]....j.0...!..S+RP...1$.R.aU..6`d.*Y%Yx.....;..(.?. ..a...[.N...C....*e/9.SP-...-k.?v....+...".....&5.9.BR.t......L...9A.:...1a,....6.^M...C..v..G..*.{.....(\!.G.......3.....!........C._n.g...).{Y,6.L!g.k...C.P8...h<..n.;{.. 0.._...M.+..a._<.....%...j...U#mo..;..E..N..p..f..rrc........Z.+....,$#%h...B.PR..S..c..(!.]....:~.L.vs......4..HW.S.'.(*?..N7\a.O.....:w.....9[...._".....{...8...sP.I.1..2..".2.<.js..U.....}..hB.&tT.'.Y/.lu.U.#i>...PE`iS................{,.LaZ...]$L...%...<...N..S.#."...=_.sZ$..?.6.+.!WEv.S....-.l..M/.=p.Jf+...Z.'...;.;.e....%[....\}.....J...kv.....7.1.....o...e.q..1y2.].|-.L,...d7._.h..c.EoC0.f..B\.}ix2_w.?l.!~.*..D.3.c.xx.L62.(b.0...-X."...$.N.i..J.l}h..D.*`....C...
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):38912
                                                            Entropy (8bit):6.504850481956066
                                                            Encrypted:false
                                                            SSDEEP:768:K9Fsqib9futLZzWaIxyKw7nxZL96Yk4iARefFilP4Bwh1QwTMvcB:K9FskzWaIxOv/pAfkF/bI8
                                                            MD5:FA50D208824BED4A28326CB5138B546B
                                                            SHA1:023558C179E428CBA689D5E3B782FDFE2E962386
                                                            SHA-256:BA6B5B6F433B1D99D0023BB25EBC0040CBE328809075E0ED7131FC89FDDFCD8B
                                                            SHA-512:870DB5CD25F559A7BA3FE9414346E5CEA7063F431334E94B719FEEB0B82919A5B55CEC2083BCAA0C072B35366A2FE9088BF48C70B91B84A7C34334F99E59ED79
                                                            Malicious:false
                                                            Preview:.u .u..u.QP.u.WVS.K....e...u$.u .u..u.QP.u.WVS....e...u$.u .u..u.QP.u.WVS.....}e...u$.u .u..u.QP.u.WVS......_e...u$.u .u..u.QP.u.WVS....Ae...u$.u .u..u.QP.u.WVS.....#e...u$.u .u..u.QP.u.WVS.....e......E,..P.a...C....u$.u .u..u..u..u..u.WVS.......d...u$.u .u..u.QPQWVS.d....d...u$.u .u..u.QPQWVS....d...M,...PQ.u .u..u..u..u..u.WVS.9....pd...u..u.WVS.....]d...u$.u .u..u.QPQWVS.....Ad...u.WVS....1d...u..u..u.WVS.O.....d...u.QVS.x.....d...u..u..u..u.WVS.e.....c...u$.u .u..u.QPQWVS.......c...u..u.WVQ.......c...u$.u .u..u.QP.u.WVS....c...u$.u .u..u.QP.u.WVS......c...u$.u .u..u.QP.u.WVS....ic...u$.u .u..u.QP.u.WVS....Kc...u$.u .u..u.QP.u.WVS....-c...u..u.WVQ.......c...u$.u .u..u.QP.u.QVS.....b..W..gL...Y...}..u..E.3.f9...x...3..t...3.9Cpu'.{|Uu!..........u.9.....u...........b..P.......Cl.............s|PVS.7....M(.b...}..t..}.....b...6..(.I...3.PPj1.6.E ....I..=..I.PS..U....E..P.!|..YVS..u.S.6..$.I..E....t'Ht.Ht.Hu&.U.M.... .U.M......M......M.U....M ..
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):56320
                                                            Entropy (8bit):6.3605894597604715
                                                            Encrypted:false
                                                            SSDEEP:768:oR3Sh7WscONK1dvq6LqgaHbdMNkNDUySdK8M4INduPbOUGM4INduPbOU+aI4kSm+:e3SdFc9vtmgMbFuyO1MBNfMBNB+x
                                                            MD5:3F6F218E3E0971ECB99CAAA2958B354B
                                                            SHA1:A15C014857BF63F17ADA6BA6262F54D211BC048C
                                                            SHA-256:92F9D5FC75BF7F912C816E54F1AD7D90D5525029CEF5963F6C553F3D450C8CDF
                                                            SHA-512:7ED3311383E2FFA611213AEE10E2202BA7887FB7F06A555234BADBC64B2AC3BD010A993247CF49892FD6158B599B695E6ACC3DAEBC9BDB77CE2BBD157C026CE6
                                                            Malicious:false
                                                            Preview:N.G.E.T.P.R.O.C.E.S.S...W.I.N.G.E.T.S.T.A.T.E...W.I.N.G.E.T.T.E.X.T.....W.I.N.G.E.T.T.I.T.L.E...W.I.N.K.I.L.L...W.I.N.L.I.S.T...W.I.N.M.E.N.U.S.E.L.E.C.T.I.T.E.M...W.I.N.M.I.N.I.M.I.Z.E.A.L.L.....W.I.N.M.I.N.I.M.I.Z.E.A.L.L.U.N.D.O.....W.I.N.M.O.V.E...W.I.N.S.E.T.O.N.T.O.P...W.I.N.S.E.T.S.T.A.T.E...W.I.N.S.E.T.T.I.T.L.E...W.I.N.S.E.T.T.R.A.N.S...W.I.N.W.A.I.T...W.I.N.W.A.I.T.A.C.T.I.V.E...W.I.N.W.A.I.T.C.L.O.S.E.....W.I.N.W.A.I.T.N.O.T.A.C.T.I.V.E.....[:>:]]..[:<:]]..Q\E...E.7.E...C...C.W.M._.G.E.T.C.O.N.T.R.O.L.N.A.M.E...\.....G...C...C.A.u.t.o.I.t......F.S.o.f.t.w.a.r.e.\.A.u.t.o.I.t. .v.3.\.A.u.t.o.I.t....F.%s..#.c.o.m.m.e.n.t.s.-.s.t.a.r.t...#.c.s...#.c.o.m.m.e.n.t.s.-.e.n.d...#.c.e...d.0.b.....C...C...C.C.A.L.L.....D.L.L.C.A.L.L.B.A.C.K.R.E.G.I.S.T.E.R...D.R.I.V.E.G.E.T.F.I.L.E.S.Y.S.T.E.M.....A.U.T.O.I.T.W.I.N.S.E.T.T.I.T.L.E...A.U.T.O.I.T.W.I.N.G.E.T.T.I.T.L.E...C.O.N.S.O.L.E.W.R.I.T.E.E.R.R.O.R...D.L.L.C.A.L.L.B.A.C.K.G.E.T.P.T.R...D.L.L.S.T.R.U.C.T.G.E.T.D.A.T.A.....D.L.L.S.
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:OpenPGP Public Key
                                                            Category:dropped
                                                            Size (bytes):61440
                                                            Entropy (8bit):4.95323177323416
                                                            Encrypted:false
                                                            SSDEEP:384:JGiwxFr9LE/MpfhwHLWAkqLyH3Per2Wfn2HuboETcKiKjxq/l1qIvtx4MjNyREl:JG5bAGWrT+UTcL4qHq25NKEl
                                                            MD5:B9C92C528AAC10D5D9520D157CBDDC57
                                                            SHA1:8F1DE21B9910F1F5601AD1828A47414F4A8CA3DE
                                                            SHA-256:12494B11637277961825098976E7F789AA099CD65A4AEA3616D23E0549F8C960
                                                            SHA-512:B4807E4BC67C859D724A9E83F79D611F8ED6617469BBE86542872F64E53E4B98C7F12CB15C9DE7A67BCB3421C5E2E93F850EA35CA5DAFA8F5E83C43B196C83BD
                                                            Malicious:false
                                                            Preview:............................................................................................................................................................................................................................m.m.m.m.m...........................................................................................m...m.m.m.m.m...m.m.................................................................................................................m.m.m.m.m.m.m.....m.m.m.m.m.m.m.m.m.m.m.m.m.m...4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.m.m.m.m.m.m.m.m.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m...............................................................................................................................................................f.........................m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):186368
                                                            Entropy (8bit):7.998911837050045
                                                            Encrypted:true
                                                            SSDEEP:3072:M7jI9Dh8XC3AL6eQd7xMnPE2f2g+aK1h/XAc569WbediWo2NQEEp0Oiy0AZAZnvv:4jmWCQLW9MnP+YC6WCdibeQEEmOiylZG
                                                            MD5:F895D0C5DA4CF4B1A053B28CC3D11957
                                                            SHA1:D3CC81C1EF60E924505F805CF188A158AAB05D63
                                                            SHA-256:40BAE31C25DB506601F9C69A11F16227E45124724C7E7E39D1BE7258333F31D9
                                                            SHA-512:1FA814ECAEFD596D2F088E1CFE4B9FBEE7F67E0FD4D65452D13578E4345120F651453D690B56582E680F0FF240DA13A93A317CED7A5CE858D9837C2DBD0997DD
                                                            Malicious:false
                                                            Preview:MC...Y.......Xy;.4....E|1..%{.....47...w).j.{O.W.c...G..p.E.T.C:Zt...y5{a..../.P.*.....h.........V...A..F.:[.S......3.`..bo.%.~)...p....E.M.TFZ.....Af....#..r5.-b>.../.....i......7..C..[aj4..,..d....x.1B..m..E........{...2.0m.6......._.bP2`...".]~...N..u.Y..e@x.......XX...O-.y7[...z...u....l...X&-/...$"....i>j_..]OL,......1..#.l.s..u}......nx..V..`......X...&.nY.~._.1...U..X..OPB...q..!...[.$.[...A."6..:....*..+.......D.#.!Zm..(.&...+...>.u..~W..L..P#\}....Qz...l.nCQ..O.....(M.rr..D..C....KS....pf..?.~t.|..2.p.kF.....LCd...I.....YV...{...<2..iwi.:).g1.S..8i........Q.N.k..N.V..Y3."b.J..+ .}.."..-...t...-......._...t.X..?Gf..o.4.On..m;3..T...B..P.........$~uG{..<.....,..o...}..Q.S...m......J...')%....Tv.:...d....h...K?oG6 Q.D.Z..F ...m=.j..i..].......?...s.n.$..7I.?.m...hL)Em\...R....T..Cb.z...!......U?H:.m.y..dz.i.b.....7L...X7..hJB.g%9.Q......$.C%.E.ML..+.Ik.U#.u..F6.<b.`c.."z_ .3.......`p,,S.....20.....3....C.3 .9.E.$4m.@..).......&G]{...
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):23278
                                                            Entropy (8bit):7.990246299434285
                                                            Encrypted:true
                                                            SSDEEP:384:PiH1txr3Hp/f0lJoBBucnUmu/gQ4p8uzKGVbwMI+pwjJb4q1/WlZHfT7PLV:aH1txTHNuoBBuqU1gwu/IMwjV5U/T7Z
                                                            MD5:744D957358190ED5E658E5410EFFB89A
                                                            SHA1:8C2235E8EFFB359C0F1D53768A0FA44CF93AE63F
                                                            SHA-256:BE303E92319DF05E83E93B6C632F2476EE9AF84F5D5A3DEFDE788D94FB4505D3
                                                            SHA-512:46CC1DEC09013EF03FC4B794A2B1CBA1667D3E00FB3D740BD662E342A7D9CB108F74AA83BFE6C96F5EC6F106428434E6255F462103D4CC5FA5A828E9FDEF2CFA
                                                            Malicious:false
                                                            Preview:...........m..%.F......4T1.g.....,.`.^O.O....%1..<J.I...z...)J..:w..XA...M:.C.......}lE....U.L.....P.;z....._.-^j..&.FG,.......S....J....t..?..~@."..2..V..A.t..&.....g....a...-L......D.T#.R.{$.&.B..W..IN.'.)..M.#d..<..F>.Ox.Oa}.J.d......,^<>....G...+..`]I9.9..3yp.C.u......./.2.0.kG..EjM.C.^..+ZOR.........OV...x....X.i..QC[Be..O..].#&..-..;...3.g`..8.....B.....Bx!M....b^R.'KX.8lwg0...G...G.g..r.K.Z..+...=x.z -..pW..\..=P.x.8..J.AU.4M...4.....mTpI.+.u ..g...j6..%.'.`.....R>`..B........p....../.0.+jy.)..,.+........../......t8.....H....I.pm..o.!.......Z...X.$.U).KC..Da.4.q.j9g.U.D.:...*../X`...ZW.U.K.Jcb.ah....f.u..."wy...E.Iu.{,...T%~8.(...K.d...; ...2e.N..?.HZ....(-R.....C......7nrX.".xY)........6..C.Qr..B.(u..R.na1...O...K...q..1..Me.xu......x..B.O..g..b6..b;.....,.v.....}...`.0..'.A.".M......W.nvo.....q.h...$......2.~...&#~.5.an...I`.[....Cj...\.n.....S.}..!.v8$....j...'......BB..P.:..<..}....A..(..F$..X....Ny.B<....o.(!..].=..
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):6.5483294401297645
                                                            Encrypted:false
                                                            SSDEEP:96:xuMgMAEpjysGMoV74ORLgEGZr+Kvd35u1G5qLHrqvcDwmXDDSr/l8OoAFsizZ2oz:xPAEByss7XLNUrnliH5QlEboAtyYba1
                                                            MD5:3DFA6BF53AD5515FDA77AEEF0D76FE4D
                                                            SHA1:4B101F073DC15E4E0B245D761B7B9E031C8E75B4
                                                            SHA-256:C164721BF7A110FC79554B7D55DA8B824F09708682008E7B1B965A1ADD35BA86
                                                            SHA-512:218B484875A3245BC8B16DBA238DD2E477514B56AC1861BB1E477944570DE06DBCE6DA778D0C6B775CF7C6FD22E4CAAC4BE3FA22106E748293C248867B72E014
                                                            Malicious:false
                                                            Preview:....}...E.....pu5.M...]...f..f;..E.u........M..E.u.3...f..f;......@...u.S.u.SP.K....U...u.B.U.;.t +...N;u...;.}..}..t......E..@........F._^[..]...U....SV..W3.9~.tV.~..tP.M..AS...u....u..l......~5.M........~..E..PW..q...M..E.P.nS..G;.|.M..#......3._^[..]...V..N...t0.~..t*.v$.V..v .v4j..v..6.6.......F(..~..f(...^.2.^.U...,SV..M.W.t....u..M..s..~..}......E...y:h....j.WP.u....6.#.......y...3.....V3..M.WS.....E...E...3....E...j.V.u..u.j..u..0.......;s.t?.M.+.PQS.M..E....E.P.M......u..M......u.G.E...t.;.u..C.+.PV...E.+.VPS.M.......E.P.M..x.....t..E..P.U!...M..7"...M../"...._^[..]...U....SVW.M..d....u..}....E..X...;_.......3..E.8E.t.S.......f.8{u..C..E......3..E..M.......6.6..........P.B..Y..t&..Q.E...A.........M....P.......;G.|..u..;...}....Yt..}..t!..;G.t.P......f.8}u......E.......M..K!.._^..[..]...U..V...P...E..t.V.....Y..^]...U..W......tV.G.V.0.1...u..p..1..3.j.Z............Q.H....O....1V.A3...u.V..3...G..0.....G... .0^_]...U..SV.u.Wj.hH6I.V....=.......u....3.@_^[
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):13312
                                                            Entropy (8bit):6.5759444698507625
                                                            Encrypted:false
                                                            SSDEEP:384:qqKWeMdoWDpWpbdIoQYfkbrOzCeTmCBo0v:jeINDpWPIDJ0vv
                                                            MD5:E769F265D7749DDEA00C3DF2FD1B8056
                                                            SHA1:316E8C459279E0F4178EEA894815B9043C6BD9B9
                                                            SHA-256:EF40A243A2355A6C71A25BC3B396D86757E90F8F8A6656D568AFEF75B29A7A41
                                                            SHA-512:16B2AA1E5263109E45593B03FCF449CB2F0053B97E4607FC9FDFE3294497873939FAC0BBF2E2D925D135E378ED57E991E3D8A7A828FD7776716B6DE7F4B5443E
                                                            Malicious:false
                                                            Preview:.......uD........ty.H...t..~<.ul.x..uf..t...j.Q.P..N..F.P.v...j..v(j.j.Q.R,.?.H...t8.x..u*.e...U...Rh.<I.Q...M...t...Q.P..E.P...Q.....j.Q.P.^]...U..E.=;...u..E j.Yf..3.Af.H.3..9=+...u..E j.Yf...@.......=....u..E j.Yf..3...=....t......].$.U..SV.u.Wj.[Sh.<I.V...P.......u..O(.E...3.....Sh.<I.V.}P.......u..O0..Sh.<I.V.eP.......t.Sh.<I.V.RP.......u....H..Sh.<I.V.8P.......t.Sh,<I.V.%P.......u..O4.Sh,=I.V..P.......u..O,.i...Sh.;I.V..O.........O.......t..u.V.........@.._^[]...U..SV.u.Wj.[Sh.;I.V...O.......u....E...3..`Sh.<I.V.O.......t.Sh.;I.V..O.......u..O...Sh\<I.V.gO.......u..O..Sh.<I.V.OO.......u..O...@.._^[]...U..V.u..N..Q.........A.................F..H..F.........H................U...F.Rh.<I..H..F..@.P......x2.F..H... Pj.Q...RH.M..F....P.u...Q.R..E.P...Q.3........^]...U..E..@.....t.j.j..p...X.I.3.]...U..E..@.....t.j.j..p...X.I.]...U...u..u..u..u...@.I.]...U...u..M..u..I..k...]...U...u..M..u..I..B...]...U...u..M..u..I..;...]...U..V.u.W.}...t...V.P....G..H...t...Q.P..G._.p.3.
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:OpenPGP Secret Key
                                                            Category:dropped
                                                            Size (bytes):6144
                                                            Entropy (8bit):7.939485352823763
                                                            Encrypted:false
                                                            SSDEEP:96:OeNvLIDiOzXKAGFkXPgZqF3HwV58LNzFN/B7jJjmekHUE4pgr5WGe3:OeB6rRGFkP3I+BnvJ6eXbGe3
                                                            MD5:815798C438E7114C729702E6615DEB2F
                                                            SHA1:C409F3CF1D68E1B15A4CAAC5BDDB3917042E1E13
                                                            SHA-256:0497B121DEFB623951C64AAE2F8163455EB156A8D697F0E274FCB41DC71E3A00
                                                            SHA-512:2F20ED92C61392C913D099265983FD1C57F425C1865AE8F0E72DF691561A2857AF12539E43241B3022A9539934C48A19FA8F67FEB844D23B5E82089B7E19D3FE
                                                            Malicious:false
                                                            Preview:.8}..O.`]....M.&@.1.z@..'p..;.'....$.Q....".o.t.Bv.9..D...0...g`,..n`..P....'P...Z.;}...j.K..$..u.IQ.....;e.07A...v.-....:............K/....1.j....E.S.o.w....,B.Z.....c..x..r.........={......V....B.@GU.X......>.qc.^..|...=.{...FGG..m......DQu....X..J.....=..8...;.....z..T...].. -.Z.U...<.d......Q...wb..A>...K{@....+..(.m...&......c*.w..CTc.&..E............9.h_.[.+f.a.Z.8.o%h...Lte..&.7.|..u$>."..!.:z........_..C.p..U\.paM._d.E=.~wR...3.......]....7..K.;|.........G....fV..{..(......nh.(...6n.m.ye||..K/.td..[FGG.{.f.@....N.Dq..ZYY.....h4000.G.}.w...._.....".....V.......8H.jE&s..P..$...AbK....j{.h2F..Tj.?.>ZY...T.m.;.=..Rt.`g...;4...8.X..JZ/Q.b.1.",r..dA...V...fZ./...T...PZ.C..xT*...@..l^_....cx.....=.?.+W..T.2._f..2....:..(..4Mq..%...].v~.....g.y...[H..}.I..x..0...5X.F.w8.i.,......+W...g...x.{p-U.h'.....:/V+.4...<......w..=q.....r.%4[-q....T#..H........"q...)..E..@."..V>.h7...`..0.`h...0}?....M'...$.U." WE.*...........9.....Z..).M.DR.....
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):10240
                                                            Entropy (8bit):6.541078079670849
                                                            Encrypted:false
                                                            SSDEEP:192:Effs/ecsUAo/HaHbx91Q7ridl8Uvh306IEZ/F6Q+2aM2o:YfKesAGa7Hl8Uvhk8F6Q+ldo
                                                            MD5:1465936467E006225FD6AC4AF0786FB9
                                                            SHA1:7DD7AD433B92F0B6F4D33AAC37362315B77CD5BE
                                                            SHA-256:3E26CB1284308905B98BF70844571FA78AD7F93F0F181AB75EEBEA22DD0AE7BA
                                                            SHA-512:364C92BBC1F400EDAF03DFA42073FD57B8DEA27CE5F48C22D72593F7310E7F3E4F299C2173B417AA28A4AEE29C5927EF9313011EC13F57EF59FD200531973EB3
                                                            Malicious:false
                                                            Preview:QSW.}....u..{.........e...e..V....I..}..........j...4.I.P..`.I.j.PV...L...d.I..E...t8.E.PW..`.I.....L....L.;.t.j.PQ..d.I..E....L.j.PV..d.I....E..}..uV.}..uP..uL...L.;.uC;...L.u;.c ..5...=d.I.t j..5..L.V....L.....L.;.t.j.QP....L.j.PV..^_[..]...U.....A..t7.E.3.e..A.e.....f.E.E....f.E.E..E.E.j.PQ.M.....I...j..u..u..u.....I...]...U..V..3..F..F..E.......f.F.f..u.2..EP....I....f...t.S...j....P.......I..F....t..F.....t..F.....[t..F....^]...U..V..3.3.F..E..N..N..N...<.u.2...Q...P....I..F...^]...U..E.P.u..u...$.....].U..QVW..3..G..8.t.F......|...u.3..7.E.P.u...`.I..u.j.h8.......I.j.h.....u....j.P....I..D.._^..]...U..VW..3..M..G.9.t.F......|.."h....j..t...4.....I..4...X.I..d..._^]...U..V.u..Q.3.92t.@......|...t.j..u..u.V.4.....I.^]...U..V.u..Q.3.92t.@......|...t.j..u..u.V.4.....I.^]...U..S.].V..W..l.I..C..F...tWj.Z;.r...V.3..j.Z.........Q.}...3..F.Y9~.v2j..k.....Y..t..K..........3.F....G;~.r....f...f.._..^[]...U..U.V.....>J..B..F..B..N..F..B..F..B..F..B..F...=....u.V...........
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):27648
                                                            Entropy (8bit):6.644465569593187
                                                            Encrypted:false
                                                            SSDEEP:768:RzJsDXtiC84Ll9iRfdB1gpjXgckS9cAXKOd+3F:RzJW784Lle+1X/tcATs3F
                                                            MD5:01267CCB3155A2EEF1EDF24558E912B4
                                                            SHA1:3B5747832EE31B9E9095B1D8375A056D6428389D
                                                            SHA-256:2B714805547AECEB1B970147E8E5EF58376F544158595F90F35B082A5039973B
                                                            SHA-512:55D95C3CD927FE55CBF9AC4643DA71D3F83D28F35C11211C39D78A2A886D7D6AFCFEA5F8A5C4E0BC659D30E83F4E10B5C2D994608DE6D7E9EBADFC98A5075997
                                                            Malicious:false
                                                            Preview:.P.D$.Pj..L$D.........L$8.\....D$(P.L$..x...j..t$..L$ ......u..D$P....t..D$P;.u..L$.......L$(......L$.......>...Q...W..X.I._^..[..].U...<SVW3......VPj.Vj...PQ.3....I...U....u.2..Ij.Y3..u.V.}.u..E..u.Pj(.E.u.Pj..E.Ph..-.R..P.I..u.....X.I...t..E....._^[..].U..(tL.....x%.u...@...tSV3......VPj.Vj.PQ....I.....tDW3..E......}.u..V.u..u....E.Pj..E.Pj..E.Ph..-.S..P.I.S....X.I._..u...@....3.8E....^[..].U...4...SVW3.Vh....j.[SVSh....Q....I......u...@...|h(.........VP.(............................u.j(Yj.XVf.......E.PR......f......PRPh,...W........P.I.W....X.I...t.3.f.}....._^[..].V..F.HP.s...f.8\t.hL,I....X...^.U.....E.V.u...K.VP.7....u..E.VP.*....E.P.E.P...... ..t.3.@.....u.j..u.V..0.I...t.PV..4.I...t.SWP..8.I..e..3.E.f;H.s}.x...G.j.PV..0.I..........SV..4.I..E...t|SV..<.I..u..E...8.I.......uL..E.;.u...O....uL.;.u...G.;..uL.t .E.....M.A.M...@.;.r.3._[^..]...j.RSh....j..u..u.....I...uL...3.@..U......SVW...hX.K..........u..M.V.....|....M.......M........|.........M.......M..
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):47104
                                                            Entropy (8bit):6.535870496996456
                                                            Encrypted:false
                                                            SSDEEP:768:ssu1izubGntN6IZOjAV0SMg4XJ80RGrkx3zN3AFR97T98+sDkXLAlf:sl2ub2tBOjAeKmCFYNB3OFTR7bAlf
                                                            MD5:4165E5E1422A6A39D353CEFDD571C734
                                                            SHA1:B5AFDC5CB65F92E35DBC89F42F8E6E323F1AFB18
                                                            SHA-256:9E4E5030BD410099D96B5990B4B7FE00B82EC8A6A160CE14BFD0B06C4AD0D494
                                                            SHA-512:8703DAFF4B5310A5F22D7D660872958D808B23FBB9C6CDFA1F46A556AB6799ED61D9A524155515674551DBB9619F0CC41AEEDDD89191C79E01DEB4ADE8C508C7
                                                            Malicious:false
                                                            Preview:;........~.........N..........F......S.........B...........$.0.@..E......u.f.90tCQ.Y....].....U......B....we.$.X.@..E......u.f.90t'Q.&..............Q...x..c.....Xu..Y.....Q...x........Xu.....]..b....[..~...3..w...3......u.jz.....u.......[.@.h.D.}.@...@...@.[.@...@...@.{.D...D...@...D...@...@...@...@...@...D...@...D.U.....e...E.e..V....E.....VP.u..u........x..M..t......E....3....M........^..]...U..E.....F....}..u..}..u4.}..u7.}..u=.}..uC.} .uI.}$.......3.]. .j.h........j.jw....j.h........j.h........j.h........j.js...U....SVW.}...M.3.j.C.....A....Zf9P.........pbL...D........._^[..]...U....SVW...........7....]..U.j......B....Yf9H.tS.e...E..e....j.PSR.E............xK...p....~..uH.N..E.P.4....~...F.u;.M..@.......U....B.j....Yf9H.u _^[..]....M..~.....F..H8.@8....@...Pjr...U...0.E.SV.u.3.W.M..]....x.....]..E.......1......E.}.;W........E.N....E.O............E..E.;E........O......I.f;M.M.M.../...;E..._....w.....u...@..E..E.f9E...)...j..E.PVW.............}...M.].
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):41984
                                                            Entropy (8bit):6.487364785579847
                                                            Encrypted:false
                                                            SSDEEP:768:qoDCHT5xv8xV9J7J6Ax6zNGB0toYyncyH9JRpHbDYA22HbbjNbkBYYTrI3:JC7v8xV96AE11yHxpfYAz7FbkdHI3
                                                            MD5:D7355E9B85613F6E502632DAC93C9552
                                                            SHA1:8C87ED802BA382D90D4732128BA85689FF63625B
                                                            SHA-256:B895AE581AB3CD38897C5144C17D519F5ECCE9D40B2BB0EB3D45E604E96A1A17
                                                            SHA-512:38B812ED646EEB028C434CF43F2CBF373C4700CE6548DED490A8B75BB03E0B54D031F3C0C42415D71B652057668AC153EDDA9F77AF0116D412C72046F66C15AA
                                                            Malicious:false
                                                            Preview:.b...t$..5..I...|$..t..t$...L$H.T....L$(.K....L$8.B..._^3.[..]...U......T.d$..SV..L$<W.\$..h....L$0._....L$P.V....}..G..D$ ...t...........G..0...b@...N..........A..B..A..B..A..B....D$`P.D$DP.D$XP......D$0.......D$D.A..D$H.A..D$L.A....D$,P.D$,P.......u)..j.j..H.....a...u....h@...&..F..........|$D.tT.D$.P.t$..t$H..$.I...t73.WP...H....D.....Wj..H....ta...u.....@...F......>.-....L$....L$..D$,3.P.D$.P.D$$V.....PVh..I.V.t$lQ..`.I...tIVP...H..........3.VGW.H.....a...u....?...&..|$...~........t$.....I......|$ ........G..p.....>...F.h.K..0..!..Y...G.Yu..p.....>...F..0.....Y..E.....G..p....>...F..8.E..@..p....>...F.SWj.3.S.0.t$ ....I..........T$.SP...H.........u.....>..........p....B>...F.h..K..0.[!..Y...G.Y.......p.....>...F..0.7...Y..E.....G..p.....=...F..8.E..@..p.....=...F.SW3.3.GWS.0.t$ ....I.....a....T$.SP...H....X....u....5>...~....;....p....=...F.h..K..0. ..Y...G.Y.......p....r=...F.3.j.Z.@..D$.....D$ .........Q.,...Y.O..D$..q....;=...V..L$..t$.AQ.....$L...D$.Y3..F..t.f.<N
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):52224
                                                            Entropy (8bit):3.7344593475657724
                                                            Encrypted:false
                                                            SSDEEP:768:lq9BxyyM0Dj2Bmgari0UPD/3Efrafd0maNBZikE:lq9Bxhgari/D/3EfraF0HikE
                                                            MD5:2DB28D8DAE81D58781C54234889596F4
                                                            SHA1:AC258FA1A10E0CFA7FC1966C9AB747AF10910F91
                                                            SHA-256:E5EC151ED3884450B594DB14292879D070D1533B8464269347DAE4010FECC7DF
                                                            SHA-512:6C02CEAB55A1FDF75D5EC2BF80D8CB454AAE4F75825AFA5C572A5E113EA4558FB31CE53C342C54EDBE7B8AC8DC49A03AA449CE88543D6B38F7F87D12183B3C6D
                                                            Malicious:false
                                                            Preview:T.T.A.B.............S.H.O.W.D.R.O.P.D.O.W.N.........H.I.D.E.D.R.O.P.D.O.W.N.........A.D.D.S.T.R.I.N.G...............D.E.L.S.T.R.I.N.G...............F.I.N.D.S.T.R.I.N.G.............S.E.T.C.U.R.R.E.N.T.S.E.L.E.C.T.I.O.N...........G.E.T.C.U.R.R.E.N.T.S.E.L.E.C.T.I.O.N...........S.E.L.E.C.T.S.T.R.I.N.G.........I.S.C.H.E.C.K.E.D...C.H.E.C.K...U.N.C.H.E.C.K...G.E.T.S.E.L.E.C.T.E.D...........G.E.T.L.I.N.E.C.O.U.N.T.........G.E.T.C.U.R.R.E.N.T.L.I.N.E.....G.E.T.C.U.R.R.E.N.T.C.O.L.......E.D.I.T.P.A.S.T.E...............G.E.T.L.I.N.E...S.E.N.D.C.O.M.M.A.N.D.I.D.......G.E.T.I.T.E.M.C.O.U.N.T.........G.E.T.S.U.B.I.T.E.M.C.O.U.N.T...G.E.T.T.E.X.T...G.E.T.S.E.L.E.C.T.E.D.C.O.U.N.T.................I.S.S.E.L.E.C.T.E.D.............S.E.L.E.C.T.A.L.L...............S.E.L.E.C.T.C.L.E.A.R...........S.E.L.E.C.T.I.N.V.E.R.T.........D.E.S.E.L.E.C.T.................F.I.N.D.I.T.E.M.................V.I.E.W.C.H.A.N.G.E.............G.E.T.T.O.T.A.L.C.O.U.N.T.......C.O.L.L.A.P.S.E.....E.X.P.A.N.D.....m.s.c.t.l.s._.s.
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:ASCII text, with very long lines (408), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):7988
                                                            Entropy (8bit):5.05530450415697
                                                            Encrypted:false
                                                            SSDEEP:192:5+H8E74QpXW25+VLVJqam2fSz4WtJZJFCIMXVTeXE3WKyK:5J0s2spyamcSkWtrCBp3WKyK
                                                            MD5:8B46EC4185CBD19EF8AF364753B6D10D
                                                            SHA1:B8406FED6DFA3B76E60E552F77A26A41985DCD4B
                                                            SHA-256:E77DD54FFDE60F92A29C02402771E9EF577F71A03B351A4A6FCAB2F16EA84D71
                                                            SHA-512:7646F6F9804DA67AFE0086F6871B8E31BAE646E1ABB2BAF6D2CD8D8752494658280D2E736D9204867A0A2DE14D1E87394FBFC6C5A3B8A5A74D196D1C2B39156B
                                                            Malicious:false
                                                            Preview:Set Cleared=d..MLVqInvasion Hard West Contracts Trick Debate ..yEiEnabled Sandra Cunt Dr Gm Scheduling Hungarian Aim Governing ..tvTYColorado Health Stronger Requiring Mattress Grande Pakistan Valued Paris ..lLTsDriver Nicaragua Transportation Commentary Penis ..XCVisa Edt Tft Offline Owner ..YykAssault Wind Difference Sometimes Nintendo Multimedia Phones Spare Move ..lrDTitle Qualities Jefferson Listening Process Exhibitions Purse ..TcDisc Laser Af Etc Dial Rep Bi Kick ..gAwONebraska Writes Horny ..Set Former=E..ULPuts Transparency ..bxVjBound Stanford Andrews Fewer Beautiful Parks Liverpool Extent ..yDHcPrimarily Provides Contrast Boat ..gTChubby Thu Mainstream Employ Entity Grass Fighter Enable Preservation ..JbxRecovery Welfare ..aVwChapter Evident ..PdContributing Deployment Encouraging ..XXkCarriers Sg Schema Fatal Calculator Woman Lighting ..ZYXLights ..kEZzRecommendation Activation Ms Internship Lbs Yang Clinton Catalog ..Set Arrangements=6..LAKill Neighborhood ..LqAppointment
                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                            File Type:ASCII text, with very long lines (408), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):7988
                                                            Entropy (8bit):5.05530450415697
                                                            Encrypted:false
                                                            SSDEEP:192:5+H8E74QpXW25+VLVJqam2fSz4WtJZJFCIMXVTeXE3WKyK:5J0s2spyamcSkWtrCBp3WKyK
                                                            MD5:8B46EC4185CBD19EF8AF364753B6D10D
                                                            SHA1:B8406FED6DFA3B76E60E552F77A26A41985DCD4B
                                                            SHA-256:E77DD54FFDE60F92A29C02402771E9EF577F71A03B351A4A6FCAB2F16EA84D71
                                                            SHA-512:7646F6F9804DA67AFE0086F6871B8E31BAE646E1ABB2BAF6D2CD8D8752494658280D2E736D9204867A0A2DE14D1E87394FBFC6C5A3B8A5A74D196D1C2B39156B
                                                            Malicious:false
                                                            Preview:Set Cleared=d..MLVqInvasion Hard West Contracts Trick Debate ..yEiEnabled Sandra Cunt Dr Gm Scheduling Hungarian Aim Governing ..tvTYColorado Health Stronger Requiring Mattress Grande Pakistan Valued Paris ..lLTsDriver Nicaragua Transportation Commentary Penis ..XCVisa Edt Tft Offline Owner ..YykAssault Wind Difference Sometimes Nintendo Multimedia Phones Spare Move ..lrDTitle Qualities Jefferson Listening Process Exhibitions Purse ..TcDisc Laser Af Etc Dial Rep Bi Kick ..gAwONebraska Writes Horny ..Set Former=E..ULPuts Transparency ..bxVjBound Stanford Andrews Fewer Beautiful Parks Liverpool Extent ..yDHcPrimarily Provides Contrast Boat ..gTChubby Thu Mainstream Employ Entity Grass Fighter Enable Preservation ..JbxRecovery Welfare ..aVwChapter Evident ..PdContributing Deployment Encouraging ..XXkCarriers Sg Schema Fatal Calculator Woman Lighting ..ZYXLights ..kEZzRecommendation Activation Ms Internship Lbs Yang Clinton Catalog ..Set Arrangements=6..LAKill Neighborhood ..LqAppointment
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):44032
                                                            Entropy (8bit):7.8507813814985985
                                                            Encrypted:false
                                                            SSDEEP:768:g0kkuhsRqI5o+oyyxVxCaw2F8aP6VOHQznzp8G7bJu1UY3dLi29NcNngX+F+2tz6:g06LDykFIcizp97bA3EKNcpzjIt
                                                            MD5:CB12A78DA9BDB4CE51D789154D460775
                                                            SHA1:9FA7C905A2CC725E92717EC6AFA50472C7FF1819
                                                            SHA-256:56A77E5EFD1777B97119D3EB1AA0991F2B7940260221E8CBC11B6D3D8E959BFB
                                                            SHA-512:7C48062F1A551B66FE6D08985AB0220A8F8491E29C0A784D273EBD248F808535BA25C936EC3CEBC18B3C501D7375A27A94177FBE72AC73379763B9F6B3EC9A88
                                                            Malicious:false
                                                            Preview:..p........Vz{............^..............{AL............Y{.............d..f.......X.....AO............f.......B...............Q.......Af..............~.......4n.............,.......C................X.............................B..............d....................EV.......Z...............[........VI........L.......U..................d.........O.................Z.................^.........................Y...............................c....d.......].....................p.............\.........^c......................p.....................`c........................p.j..................hp..........................ppi...............d.p............................npi...........oepp...............................fpppiopooiippm....................................fcdipmifcf....................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):20480
                                                            Entropy (8bit):7.984960013127064
                                                            Encrypted:false
                                                            SSDEEP:384:4WdiBlONel2gNA5ysqre+kfYx161larmyF4cUF+JEdYAHLaJC51goV:4WdinOEgg+ys6kQ3+laXM77HLqnoV
                                                            MD5:CF5EBE3EA303D4329F2F8B9F1A746BC9
                                                            SHA1:2C9DE83E640FDC1813113EC9C2EFC9F2A7A6DF18
                                                            SHA-256:244D2BCCF0F0D141736B7E6F9119B9DA16452A4D57E7FD23DABFA97B37B8C2A2
                                                            SHA-512:D77470A64D7BD7B45A61D4A3F1FCC136B444BEEEDCC5408386F9F69AC82038607C5FCEEA0CD18418CD5C0FD362C10A9A69EFD87A24D5E08E9CC6BEEF45701D47
                                                            Malicious:false
                                                            Preview:...f.z....b.x....J....>Qu...N......6j.....1..!2.H .....#c.s.9.L-i.d.S..h.i5f..........+...X....ny.i...PH..9OB~.....;...K.... ..o..#..Q.=..O=..n..>..LZ.....y.^.v\....B..s......6.F..J.'N.......?0..).... /-.N....4.....U.5.L......42!a..6.%Mh..c....S97..3.]...W..x......htt...t.d..4.....1..|..D.Z.%K01>j.\w..h...H....}fv+.`.....#..2..4..0{...z.<^.hJ.k.N@..LB..o.~si...1J)...o..n...7.3...r#. ..3.L.h".{.g..W.7.]...r..f..^....{uc..s...|m..<;....}..$...$.v.`...(.03;...I.....u..N....y.X...Q1.|...}DN.K(.N..`.. ...a......K2.|.u{). .P...l6q.%..>00.......Q.E.:....#....b..x..0.[*..FGG.z.J(...n3......N.{-......O....1..]...'......-[.R.dc.>.$....W.8x.....0..6.."...].v....q...?..J.L....$.<...iu?>...X,.^..gI[..[...Z......N..u.7^.>`.=.~....E.wC.I...=."4..LNNbjj...z+.G~..=....1?...$.Z.......%m|.D...F....9...D..?m.d26..X,..n.j..........p.T.37`/.....x.Z.).....l.2.J.....K6@j.MR&.'y."......bYb.{w..?q%>..O.\.4...I.1M./D"....h.F..7.|..w......g^...!..........{.4,..
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):53248
                                                            Entropy (8bit):6.652892461856609
                                                            Encrypted:false
                                                            SSDEEP:768:6+ylIt0su0B4y+aZmzddtw1E1Yd5dArqsfGuYJhLgBF9OR7F8ufnz4kVDz:pylIusu0B4MmHtt1OPeRQnz4qDz
                                                            MD5:AFCDA50A83DF21E1BD26C94D76C62FE8
                                                            SHA1:197C1EC9CCCF431CDF4D32A52836F3E0376D7CB4
                                                            SHA-256:5B437896E2856B002151ED7987139A41AA5FAF61C106D4084EA99D9C990BF83F
                                                            SHA-512:98820F90FEA6C0D6B0CA7FB24C91A24ABDB222043F4C7E624824D384CAC0EDF6DF37C77C2058F581D3AD29313A9615F0B42C7B8F5BA65C4D4FA282A0CFFF4937
                                                            Malicious:false
                                                            Preview:...+..rc..U..SV...W.}.j...........3..G..A.Zf..@.........;.~^........... ..qd..........B...f..p..9d...V .........w......A..$...A..G...........+....O._^[]....d..............~E.........j.Z;...vc.....~,.................t...%....=......rd...O..O......v...j!...X+...j)Xf..'t\f..(tVf;.tQf..-tKf..#tJf..$tDf;.t?f..+t93.@.G....!tM...tA..;t1..Ht!j.Z..Uu.....................3..... ....b.........b..j.Z...........b..3..........A...A..\E.............U....SV...E.}...W3..E.....0.........J.f;.t|...f;.ttf;.to.J.f;.tg3..@.3..CB.............1.,..0}N...u..}....qc..3._^[..]...t1.."~..5c....6t...8t...}..gc..=....~..Fc..3.@....}..t.....yc..3.F."c..U..QSVW.}...M....3....@dJ...A.6........=......gc..=..........=..........=..........=..........=....th=....ta=....tZ=....tS..}te=....t==....t6..U..^c....V..Uc....^..Lc........c.......|c..3._^[..].E.@P.Uc....N.3.B.. ..>c.....7c...u..6c..f..aw.jUXf;...Yc.......U...(SVW..}.j.Y..XJ....U..H..E.f..u...x............f.DE.f..KIy.E.3..._^f..C[u.....].2...
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:OpenPGP Secret Key
                                                            Category:dropped
                                                            Size (bytes):164864
                                                            Entropy (8bit):7.998940246424731
                                                            Encrypted:true
                                                            SSDEEP:3072:PuCXNQFfAmB7JT2hFyXIi4ysn+y0Izo1VmLxAa7e1QVVZA/1D7uu:PHCFfAFqXYJsA48LxAI5YIu
                                                            MD5:9A38088063BEFBFE5BC42CE1EFEE415C
                                                            SHA1:BA053ED65728229E97440E32F35E135112727109
                                                            SHA-256:A41DA2AD3185828A33445F225D53F194E4A1B04272492C53BD99278FE7B37AF8
                                                            SHA-512:FC3E9715286F6EF95E33544C971DBF51B0CC5CA293E3CB348B7A2245D52D6B7407FF3DDA31C43A61AE6C99E1F9A891680431D76DBBFE097B7F2D5B1D9C3C1664
                                                            Malicious:false
                                                            Preview:.2.....u....K.wET."v._.3.P.;.4VFv....Q...q.......P.S.AfK.TKkX......j%.E.k..d&.3..)o...5...A....R...H{..o.F.x.[s..Kt.Q+'....}>.....G.. H...RM...B..Egs._......0#...2..,....@.....D.OGP0.T..B...../.pB./2.e.......J.b..=...~....4.`....).}...%6......h.S..]....j.0...!..S+RP...1$.R.aU..6`d.*Y%Yx.....;..(.?. ..a...[.N...C....*e/9.SP-...-k.?v....+...".....&5.9.BR.t......L...9A.:...1a,....6.^M...C..v..G..*.{.....(\!.G.......3.....!........C._n.g...).{Y,6.L!g.k...C.P8...h<..n.;{.. 0.._...M.+..a._<.....%...j...U#mo..;..E..N..p..f..rrc........Z.+....,$#%h...B.PR..S..c..(!.]....:~.L.vs......4..HW.S.'.(*?..N7\a.O.....:w.....9[...._".....{...8...sP.I.1..2..".2.<.js..U.....}..hB.&tT.'.Y/.lu.U.#i>...PE`iS................{,.LaZ...]$L...%...<...N..S.#."...=_.sZ$..?.6.+.!WEv.S....-.l..M/.=p.Jf+...Z.'...;.;.e....%[....\}.....J...kv.....7.1.....o...e.q..1y2.].|-.L,...d7._.h..c.EoC0.f..B\.}ix2_w.?l.!~.*..D.3.c.xx.L62.(b.0...-X."...$.N.i..J.l}h..D.*`....C...
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):39668
                                                            Entropy (8bit):6.982356594854894
                                                            Encrypted:false
                                                            SSDEEP:768:hrUCVoyOQ5DuOKHnPiamE9w97OUg4eVDqp8VQ7A:hrnVRCOa69E9wFOUg/Rqp8b
                                                            MD5:9B2CC3CFE829D7EC1D60A4BC50FD9097
                                                            SHA1:8E346E7C6ABE42A06754F89A626A591E2C623AAB
                                                            SHA-256:D615C12587DC55349F2403072D3040CCB14AF82B4CB1721B989F7FF65C9292EB
                                                            SHA-512:8324797008DF611DC95BCFAAF72714AC438D8B31ED550DCD910958A6B4F064D78B8B97D5E1668C249762CECA0C9B585BF9A18E83E340EB29A786D0151A116A57
                                                            Malicious:false
                                                            Preview:.......................................................?....................................................................................................................(....... ..... .....@...................................S6 ecA%.sM).~X/.~V..sN).dA%.T7!i............................I...T...zN$..d1..r9..q8..`..sI".P+..I-......................@)..T1..pA...Z+..}G...^...^..|G..V*.f<..K,..@'..............A+..M/..kB...U)..k;...Z...q...q...[..l;..S'.a;..C)..@+......M5!L............2!..A-......................................M6!S2"..111.........sss.'''.................................---./...L1......sss.........MMM.bbb.........................yyy.#...D-..T5..kD#.!...............""".........>>>.................X7..G-..]< ..[0.fD(..................... ............... .^?&.zM).P3..eE+..c8..zS.K9+.OON.........kkk.ihh.........\\\.J9+..wP.~T0.X=%.lQ:.jD...c...z.J?5.........................8/(...w...^.{W9.fK5.zbPP.aA...n......}..........................~n......b.oQ7.waNW....z_I..g.......
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:PDP-11 overlaid pure executable
                                                            Category:dropped
                                                            Size (bytes):29696
                                                            Entropy (8bit):6.475457272197305
                                                            Encrypted:false
                                                            SSDEEP:768:wb3jsJhQlEF2VVay1N5J3SoO6Qku2ox3hOk3Y:wbgjQWq8GV3jOTJh1o
                                                            MD5:5A266EEC30EACC63DAA99878F4CB0B72
                                                            SHA1:050076B95A44BB16AB24B63B15C5DD5459B85874
                                                            SHA-256:6561B06876FEF0C918D554B61E9515EF8E4BC9029ABCBA1E7268D82D423D8DA7
                                                            SHA-512:F0667E3DDA0C10842EB2E4FEB09622C72B665299C5C9D9EC0E9E659B7F3B6B4D0F6C655FA4AA76F11B8907DAB8A04246F0EDAEE1EB357539A8FAE0236703FCD4
                                                            Malicious:false
                                                            Preview:............!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...y..U..........".................*.............@.................................w.....@...@.......@.....................L...|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B.........................................................................................................................................................................................................................................................................................................DQL......h..C.....Y...L..h.C..{..
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):17408
                                                            Entropy (8bit):6.509527573507022
                                                            Encrypted:false
                                                            SSDEEP:192:OrQBcgyTMPtcETjr3D80GMKTY89cKyjB+mOofFsBk2yR6DXAhADUh95ybOIOo9AC:OrCcLgTjr3D8kcHyjJFsBNywAhADsULr
                                                            MD5:7833DB1E09C318E19A18117D87960318
                                                            SHA1:701E55234EAFAE688E8149DD0FA74A597F7D0EA8
                                                            SHA-256:8E613765BBA64B8A3D650FDBA3DFD7AD40558AC9319336F48389AC847FDFDA46
                                                            SHA-512:75777BBC0410396C421476FE2502C612FAE363ED87C948DC97617BBFBE668F04DF260AC43C8DD15EEC661529B5D6B3F434927ADFA53C6A28757101BFA8595093
                                                            Malicious:false
                                                            Preview:....813.....]C*.:.i./.h.O+++...{.0==-..k../..%/...2 B0..`..L&..~......NNN....]........B.....YvL..SR|...TnZ.$J..7vlAR....IDAT..vl.QS...Z>......&z..<.G.....m..i<~...........X.....H$.o..ZYY.JL~.!..^........AEk ..X...?....d2..N..D"1....d0==...Q.\..+...l..N.2...,.)h...H......}%...L.....F...0.%..,.........8.sss...?l...........~.....).Z..+..+.K...@rP.AH2.c......>.&...|>....\........A...{.-6.Md...D......0n... ..G.U.af\.D....A.........@+4.y......q..U....s.\..v.4==......7oV#.....|....P~....@./...<.2.[.....L....7...FGGgI.....cdd..x\.?(..z..?......u..N....~.e}z- Ss..... .c...|Fz.pO..*R.....1==.h4....=..?.D"........./W.W...+..."..[.K ..R.5. i.6nmm9>..H2.Ld2.[f......D........ ..I.Ty.2....:..u../.~..u.?...&..^....H&...............Z ..lff&y......r]..............%P.../...=z.Y]]....Z*.V,..D"1!Tw..B.,.....>5.@k..LHN.h..%.H...=_>...H...d....t......b......~.V.mz<.....n......W..b4.%.H.^.d.+g.....`(.` ....X...?.lllL....J.r.b.,.....E$.I1.0..\...m.^Ky......k(.0.."-..
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):78
                                                            Entropy (8bit):2.448303597829603
                                                            Encrypted:false
                                                            SSDEEP:3:CkLOvNUqt/vll:CGq
                                                            MD5:37D8A9DB0253FB2410345A012DEB0C12
                                                            SHA1:964314E1D6B3632CD22AE95D3731139D5136443A
                                                            SHA-256:B34BE6A42ADE40EB84BEDF48A2651E1389EA6A32EB9FAB652E10AF253ADE437F
                                                            SHA-512:D8564667106D712381EFD04F811FDCC9BEDE88ECBCAE1FF48D24E56CCCD02689A780CFC3AC3226C3FC19EC4BB844BD67E12F3C361D7586508293CB924F54205F
                                                            Malicious:false
                                                            Preview:TRUEANALOGMINDOC..MZ......................@...................................
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):45056
                                                            Entropy (8bit):5.030971375798974
                                                            Encrypted:false
                                                            SSDEEP:768:osWjcdeDvFQC7VkrHpluuxdCvEHKKgItUHk:osWjcdmQuklluhvEHKxk
                                                            MD5:57F6091B9D7F02A70F51BABB2E8E33A2
                                                            SHA1:1EC92FF6C37AE1B66A956AB521B561376C2CAB1A
                                                            SHA-256:E5F17527B397125F260651BCD5FFA2DF07B50C1A2C983073C10589EF38BF18A1
                                                            SHA-512:451833C1807B66DFBC90FE48E95B4F05D77AC49220CC20E6574028DC119A6FCA93C9D49C42102619E6D0DAF4281C21355BED0E2581C97EDEB0130DB0AB491622
                                                            Malicious:false
                                                            Preview:-.S.E...t.h.-.T.H...t.r.-.T.R...u.r.-.P.K...i.d.-.I.D...u.k.-.U.A...b.e.-.B.Y...s.l.-.S.I...e.t.-.E.E...l.v.-.L.V...l.t.-.L.T...f.a.-.I.R...v.i.-.V.N...h.y.-.A.M...a.z.-.A.Z.-.L.a.t.n.....e.u.-.E.S...m.k.-.M.K...t.n.-.Z.A...x.h.-.Z.A...z.u.-.Z.A...a.f.-.Z.A...k.a.-.G.E...f.o.-.F.O...h.i.-.I.N...m.t.-.M.T...s.e.-.N.O...m.s.-.M.Y...k.k.-.K.Z...k.y.-.K.G...s.w.-.K.E...u.z.-.U.Z.-.L.a.t.n.....t.t.-.R.U...b.n.-.I.N...p.a.-.I.N...g.u.-.I.N...t.a.-.I.N...t.e.-.I.N...k.n.-.I.N...m.l.-.I.N...m.r.-.I.N...s.a.-.I.N...m.n.-.M.N...c.y.-.G.B...g.l.-.E.S...k.o.k.-.I.N.....s.y.r.-.S.Y.....d.i.v.-.M.V.....q.u.z.-.B.O.....n.s.-.Z.A...m.i.-.N.Z...a.r.-.I.Q...d.e.-.C.H...e.n.-.G.B...e.s.-.M.X...f.r.-.B.E...i.t.-.C.H...n.l.-.B.E...n.n.-.N.O...p.t.-.P.T...s.r.-.S.P.-.L.a.t.n.....s.v.-.F.I...a.z.-.A.Z.-.C.y.r.l.....s.e.-.S.E...m.s.-.B.N...u.z.-.U.Z.-.C.y.r.l.....q.u.z.-.E.C.....a.r.-.E.G...z.h.-.H.K...d.e.-.A.T...e.n.-.A.U...e.s.-.E.S...f.r.-.C.A...s.r.-.S.P.-.C.y.r.l.....s.e.-.F.I...q.u.z.-.P.E.....a.r.-.L.
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):25600
                                                            Entropy (8bit):6.507217585416609
                                                            Encrypted:false
                                                            SSDEEP:768:O+jBAfe6TtgguvkFec+jJ5PZvimdFiFGbC:ZfUCJ5h3Fw
                                                            MD5:F751364CFA63775137CB5146FE58A499
                                                            SHA1:2B74004F95CEDF6EEEAA413ADF3572962C8F5754
                                                            SHA-256:24144F909C12F3BB5D11ED1FA3052D22079198E6E5CB0748EC740E8075925A0D
                                                            SHA-512:62116162EDA5AC185EB9BBE5165390487EE0C05DDF328B513944ECFBCD0D5E0D7CC2A19F23A07A78BF61B559CCDEE34728E7FD957301D5C66F00DEEF4EBF93D5
                                                            Malicious:false
                                                            Preview:..X..0.D$..G..p.........F.....DX.P.\...Y..t#.G.C.p.........F......XkD$........D$..\$..\$..D$4.D$..?...j.j....H....d"...M.h..I..............j....v..L$X......G.j).p....f.....t..L$d..........9....v..L$h.....G.j).0...6.....t.......P..........v..L$H.d....|$..w..L$0.....T$,Q.t$(.L$0.t$(..........u.Pj..<....t$.Q.L$(.{.....u..M..D$TP.....Jj....u.j............H.u.j......j.......u.........&..F.......j.j..H....@!...L$ .r..._^3.[..]......LG..KG.xKG.DKG..KG..JG..JG..JG.{JG.U...o.....u.V.u........&..F.....^3.]...U..E..@....x..u....x..t.V.u....b....&..F.....^3.]...U.....E.VW.@..0.......N....E..A..E.A..E..A..M..E.........u..u...|.I..E.P......u...........M..F......>....._3.^..]...U..E..@....x..u....@.V.u.....u................u.....3.@.F..........&..F.....3.^]...U..E.V.@..0.~..u..6j).........t..u....W...3.@.F.....j*........u....t..6............)....&..F.....3.^]...U..QQ.E.VW...@....y..u....@..x..u....y..u....U.RP.C.....t..u.........E....E..F......F..".u........&.3.@j..F.P...H........_3
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):23552
                                                            Entropy (8bit):6.5589376742169385
                                                            Encrypted:false
                                                            SSDEEP:384:dQRiUYoelmXaQtviQM5uOcylkpDNQeScHgkYSO+qlf2eE4TJH05eZ3ChIYXBdSsu:dZoeqaQ1/uu1ylkp5VAkGh2RDuaIYXBg
                                                            MD5:C289C1EF7516A3290E029D6A7E5135FE
                                                            SHA1:78CBEB2FFA4339E531DB791A1E9F2E745B917519
                                                            SHA-256:EDCC787AF1FA464F28F3D01A414FA94509512A79E988C9A6E6DCBB25AB4A25F8
                                                            SHA-512:C85C7F16182BD65D0805FB77856506DC49C16BADB62F497F043AB8601E1C26D9C8DD44E85A76BCFCF5F107001E3FC21AF4FFFA0462F1B862784324D679A5966B
                                                            Malicious:false
                                                            Preview:.M..\......K......@.f;E.t0f..@uIBj3.....Yf9H........C......@.Ph.......t....M..2....M..*..._^[..]...j.jn..C.......@.Pj.XP....C..D....@.Ph.....U....SV.u.W..3.j..F.A[.M..@.f9X.u..M.3..j.e...E.e..j.P.E..M.PV.......x..N..E....f9X.t...@...Pjr......M...._^[..]....M........M.u..e...3..~..\....>.tC........8.t.........8.t.........8.u...C.....M..@.@.......;].|..j.h.......=....{...U...LSV3.3.W...].@.]..M..]..]..E..oM...u..E.......H.E.E..E..E..P.H....}....U.........}........I3........J...f9p..u.u...........Ht#Ht.H......Hu.K..u...I.E...M.M...u.8].u..A.3..E...E.....f9H.u..8.u...j..U.Y...E...P.E.PR..............U..M..E.@....f.x..u.....0......E...E.."...C......E.@......@.Pjr.<.}..t&.E...t..E.P..\....|....}...E.u..E.....E.j.......h...........M..}....M..u..._^[..]...U.......S3.VW...E.3.E.A.E.E...L..}.M..u!....tL.h..I....L......h$.C...z..Y.u..]....C.A.....3.f9B.u7.....t"HHt.Ht...B.Pj......j.Z.A.....3.B....B...Pjn......U..=.rL...U.u.j.Z....u.B.U..K...j3_.E........f9x
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):63488
                                                            Entropy (8bit):6.700214587939564
                                                            Encrypted:false
                                                            SSDEEP:1536:ADzMdMhrNCsGJh5yA05E22VelTXzSj9xb7XDh1RlyxcZqvi1:0M0lAYrlTGj91DhrlyQ
                                                            MD5:1FBEEEB8A198656EFBF434AF4366A042
                                                            SHA1:35A2A4CA3BB39B79E79EB16EACA4D76B0D4A85E0
                                                            SHA-256:5A2EEA9C51D2C4449DC72A543E782E687B12AC0845D2A2C9706DA0365FDB87A0
                                                            SHA-512:9C9E1745F2397CD13B26B58609600EA79F165760BBDB20420CBB15E698B20520FB7C1782B73F2ECEB8A236BD1CA7A71DE442AB73F1A29FE4AE8201FC6B8341ED
                                                            Malicious:false
                                                            Preview:..P....U..}.;...n9...E...M.@P.u.V.u..u..2.........'4...E.U....B.U.;.s.3...4.....u..F|...E...........9..;F|...9...........;E....8..f.......f#......f;.u.....E...@..P.u.V.u..u..-2.......t..3...E...M.@P.u.V.u..u...2......}............n3...E.9E....8...M.;N|..............M.%....=....u.............%...............M.......v...n..28...................M......8...M..E....E.@P.u.V.u..u..[1.........].....2............7..;..............2...E.9E....7...E.;F|..a..........E.......v...n...7...................M.....z7...E...M.@.E.P.u.V.u..u...0.......t../2...E...}.@P.u...V.u..u..0..........2...E.9E... 7..;~|sr.......U..t*..%....=....u.............%..............R.U..)!..........6...E....E.@P.u...V.u..u...0.......t..1............6..;......\.............6..;V|..{6..;......;....M..........`6..;N|..W6........E...}.@P.u...V.u..u../..........1...U....M.E.;E....6...F|+.;.w....P.u.W.'F.......u..}..:.U.........F|...+.;..........P.E.PW..E..............M.<O.E....E.@P.u...V.u..u.../...M...
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):28672
                                                            Entropy (8bit):6.466205625101586
                                                            Encrypted:false
                                                            SSDEEP:768:F79sAOOWNMZmwfHh17McqQHEdQ7iwDIUKh:F9sAO+kdIlDbKh
                                                            MD5:345A00A391EF07A9A2EBC03D00C87457
                                                            SHA1:F86D44EF822ADE1207F99597723C60CE51EDD7A1
                                                            SHA-256:95562ACA3CB3D37E726B77DAAB78F0BAF4866465B93E42A4DEA2F969989C35EB
                                                            SHA-512:0BA81C9DE1EE2E4F0D8727E2630A59ED842BC101BC6C408ED0C6F5F9A77988943160FBDF03499671EF74391EB5CE5C48B0CDAB740A6DEDA05BEA57152DB5839D
                                                            Malicious:false
                                                            Preview:P...R...x..u..M..Gs...u....WW.H.......E.P...Q..E.P...Q.....3.h....Pf............P.R...E.....U.E........E..E.E.3..E.E..U..U.P.U..E.x.F..}.....I.....t;.M.......P.r........PW....I.W..f.......t".M.......P.r....3.P..j..H........}..t..u.....`.I..M..x?.._^3.[..]...U.....$....G=..S.].3.VW...D$..C..L$,.|$..p....o...F.3.B.{...T$(.0r..C..H..r..3.B;.u...3...3...\$.f9........L$(.....+u..........-u....3........Rtg..rtb..AtY..atT..StK..stF..Ht<..ht7..Nt+..nt&..Ot...ot...Tt...t..M........................j.X..j...j ....;.u....|$....D$....3.f9...V....E..@..0....n...N..T$....D$..A..D$..A..D$ .A...D$$....#....$0...P.D$4P..$8...P..$<...P.t$(.c.......$0...P..$4...P..P....$8...P.D$<P..O.......$0...Ph......0.I..=..I...$0...P...t@.L$0.7o....t..D$0P....I..L$..t$.....#.P.D$4P....I...u8..$0...P..u....]n..3..F........s.u....Fn..3..F........e..tN.D$0P..D$0h.K.P.{O..YY...t$..t$..L$0.D$4.t$.VP......u..u.....m..3..F.........$0...P..L$...<.._^3.[..]...U..E.Vj...@..0.E.P.......t).......E.......p
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):26624
                                                            Entropy (8bit):6.279320534560886
                                                            Encrypted:false
                                                            SSDEEP:768:/PDqdU7SIc/jnsRf4rJsb25v0hL4G+CAiwo8Z8T5RZWfeTcmr5DhaED:/2dU7SP/jnsF4rJsx9RZqegm5kED
                                                            MD5:0CBB04B1F3A1713685E51D611C9958C5
                                                            SHA1:907E4DE587C4C2FC12418F36158428B7252D083D
                                                            SHA-256:D5BD599E463E0087634C0A3BE19C15839832D61BA48488DDEFF5D83E4013A0F8
                                                            SHA-512:25F7E9AD1B4A361C18597646FF470E2B15993242C49F8EA0F40A1691855584DD3E861385D33E11D5EA3176764521A39291AB32369AA024B42E25EB74C037BA30
                                                            Malicious:false
                                                            Preview:.9E.r<.M.+.f..f;.4...u%.............f.A.......f;.6...u.............E...........E.;E.......f...E.....f#E..E.....f;E.E.u.....E.......;E...:.......9E.........x.....t(9E.v_j.......R..M.P.Y..............t8.V....9E.r-.M.+.f..f;.4...u........t-f.A.f;.6...t ........x....E...U.9U.......r..........E..U.f.z...........t.........;......f.:..........U.....;...1............;.t....;.t.;........E...U..F....}....'....E..E...........t0................$.4hD...(......,....<.U..U.;.w5.}...Q..,........U.t.;.s.f.......f#......f;.u.....U.....3...|...9u.tu..t*9E.sl.u.......R..M.P...........L....U..;........+..M.;.w*f..f;.4...u..............f.A.f;.6.................|....U.9u.......;......;.....v5f.z..u.;.s*f.:.u$.G.....u....t....t........u.....U....U..u.....................M....~".U.+.}.E.+......8.X....~.+....p..........Q..M...........|!.......P.........P.E....P........9].~..M.............8dJ.....Q...;...Y...3..[.......i....E..<}....;.~......3...4.+......;.....#...9...G.......v.;.r..&...
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):28672
                                                            Entropy (8bit):5.915263981899243
                                                            Encrypted:false
                                                            SSDEEP:384:nBjwTZwNKm7AI4xhLk5QdSJBkHn7DPhJhFTqUF2zCTWy1x1ab5lbTHVi5GwUvc7z:B+I0IKQ8SbkXhdqgWWwr2G+jvEHHU
                                                            MD5:7B8A3A110041FF45398E6B411E012938
                                                            SHA1:C007FA1E32340D06C6FF94E566E6E54ADE8455C7
                                                            SHA-256:AEF4DD356C6667D6D58A158B3CEB7ABEF485669651679E4F800A5F5CA5FA6668
                                                            SHA-512:7E364645072F287B49B319444C1EBF7418CB5570F9F986D5598FB2B32C3DA58899D39571236783062CE726E7BD2398504C0FCC4E13D00E20445EF97331C076F8
                                                            Malicious:false
                                                            Preview:......j.....I...._^[..]...U..S.].W.u..3......E.YY..t...+;.....3..|..Y........~.2..'V.u.W.3V.r......3.f..~^9E.t.G..?......._[]...VW..4.I.....h.I.....tmS..gL.V....y.....tY...hL...W....0.x......t?..$hL.....9.t1.V..$hL.............u.......P......Ph.....1....I.[_^.U..}..t..u...gL..x......hL......hL....u.3.....hL.......0..<.I.3.@]...U....hL.W.}...t.W..gL..<x......u.2.......hL.V....0..u...\.I.9.t.2.....j.V..gL..3u....t....E.j.h..H.....x....E.....|....E..........E..%LhL....PhL.........l....ThL...p....XhL..6..x.I..}..LhL......t.;.t.P..gL..Jw.......u..'...^_]...U..}..t..u...gL..Yw......hL......hL....u.3..-..hL.Wj.......8W..\.I..M.j.W....\.I..M._..3.@]...U.....|hL.VW.}..E...t=..99t..E.P.M..y....E...M..y..u..E..|hL.P.(....DQ......wi...7.u..~..u.3..-.M...^..V.M.}..Ti...E.|hL.P.R....M..Xi..3.@_^..]...U..}..t..u...gL..cv......hL......hL....tW..hL.V....0.~..t.9..gL.u....gL...v...H.I..f...}..t#.u..u...L.I..F...4.I.9.u...hL...gL.^]...U..}..t..u...gL...u......hL......hL....u.3..-..hL..
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):49152
                                                            Entropy (8bit):5.797845051243723
                                                            Encrypted:false
                                                            SSDEEP:768:EoLVNIo8DJWxWWbP75qcaTlKWzhQVNsbSSkLQ7PqYIueIVvaOsibz1:PL/4aj5Vf7gqYrui31
                                                            MD5:9C4A2E0B1A7548FA2A3EADF25A82673C
                                                            SHA1:90F49BA8DEDB9074726DCD3C01D9814C1482945E
                                                            SHA-256:7046618D867C1B0E66FEFFC8986B45D66A989D3F60731C932331A817391A9B4B
                                                            SHA-512:9937B5BAA87D3F8C14D393B9E73EC7BBD5E7AFAB868DA1521874E613278A5020FF1B932E96F59EA007C0494E6FA2A28E2387F6B506ADACD87C07ACD0E1CCECB9
                                                            Malicious:false
                                                            Preview:v..6..|.I..f$..G...t..p$.G..w.^_]....7..3...W......u#.?..u._.V.w$...2...W.......Y..u.^_..w......Y...A(....t..A0j..RP.U..............U....S.].VW.....K...2..E.................3..d$..G.;G........O..G.....D5.F.A..G....r..w..W...........E..E..<.t9<.tP.K.............C....9C.rB.S....E.....C..K........x...j..E...P......t..}....2..._^..[..]...=.A....Z......C...ty......P.C..e............t..K.AQPV......3........3.s...j..E.Ph.....w..7....I..........E..............E.....q..._^[..].........U....SV..M......E..P......t .u..E.P.......M..]...^..[..]...2...U....SV..F,...us.e..j.XP.E.....Yj..E.........3.CY..tt...E..E..P.......u#.u...u..u......YV.....Y2..^[..]....u..E.P.k....M...........t(...t#...t....t......p....u.......e....u.......U..QSVW...M.......u.3.].9.v%j..E...P.......t!.u..M..E.../...C;.r...._^[..]....E...u...U....SV..M..@....u..E...P......t .u..E.P.......M......^..[..]...2...U..A,...t%...t ...t....t....t....u.]....].....].....A,...w3.$.=<A.......j ..........j@......
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):66560
                                                            Entropy (8bit):6.766766918528127
                                                            Encrypted:false
                                                            SSDEEP:1536:Vxj/JiB27MlRHq6EQU7uLQT6unj5ctpYuYtWGJG2kQyyv:VqM7MlRKecTF5c2p02kQ/
                                                            MD5:CEE4EA617F6D78EDC814E113DEB23AF6
                                                            SHA1:4653F7BBE7C1857B1175DF5826EDDF5F21AABF37
                                                            SHA-256:CDE6901A10D8DFE4C6DEAE40BA432A0817623B0C3C59F98A3E98F5029648CC64
                                                            SHA-512:092F290D43B9B69609F09648C135545C352BCEE8BF53AC6681452E6ADC55730DD6082A708B448D3EF2D732A4BF8FB5FD777C12C337784DF07AE2AEC3CF94C8A8
                                                            Malicious:false
                                                            Preview:....M...O.E..t.f.u..U......f#.f.u...t......f..f.u..E.j.QQ..$.1.......#j.Q..Q..$..........................^.E..8_].U..QQ.M..E..E..........%........]...f.M..E...].U..}......E.u...u.@].}.....u...u.j.X].M......f#.f;.u.j.......f;.u..E.....u...t.j...3.].U..E.. t.j.....t.3.@]..t.j.....t.j.X].........].S..QQ......U.k..l$........P.K.3.E.V.s .C.VP.s..........u&.e..P.C.P.C.P.s..C .s.P.E.P.....s ....s..c....=..L..Yu)..t%.C.V....\$....\$..C...$.s.P......$..P.X.....$....V.....C.YY.M.3.^.+.....]..[.U....S.].V.......t..E..t.j.....Y..........t..E..t.j..v...Y....u.............E........j..S....E.Y.....#.tT=....t7=....t.;.ub.M.........p.K....{L.H.M..........{,..p.K..2.M..........z...p.K....M..........z...`.K.....`.K.......................E........W3....t.G.M...........D.........E.PQQ..$.....E..........E..U...=....}.3...G.W..3.....Au.B.E............f.E..E.;.})+.E..E..t...u.G...E...E.t.......E..m.Iu..E..t....E.....3.G.._t.j......Y......t..E. t.j .....Y...3...^...[..].U..=..L..u%.u..E...
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):12288
                                                            Entropy (8bit):6.399121727243068
                                                            Encrypted:false
                                                            SSDEEP:192:8zk9hQpFL2OGmLmXQWbAq98Hg7wjhjt1XDcegBMtWS+XQVlfu6NW1/:CvgmLmXQWbAqTwj1XIegjSbZm
                                                            MD5:6152E5059BDF115EF3C7B8562E3D2DAA
                                                            SHA1:FC3537BD2C572F1E5F44C62FFDC341725EFC5122
                                                            SHA-256:4EEC518BB557354048323338141015C3FD5633C81B0ADEBC4554DF823F8C3B17
                                                            SHA-512:DA1DD8832112B2F91FD5FB258BE7E6E6ED6C75735690277F3D419F8536B1BF06D4E0AB4053A51D5FAA43EB1E7847FCCC827E0721FBB2B076D5704B176033B9F5
                                                            Malicious:false
                                                            Preview:.G......G..%.}....n....T$.3....@S.G.P...H.......V....I..L$H.9p.._^..[..]...U..QS.].VW.E...{..r..C..H......t..E...C..p....{....F..8.C..0...j....F....u........Y..u..u........&..F....._^3.[..]...U..SV.u.2.~..r..F..H........t...F..0........N..........u..u....{....&..F.....^3.[]...U..........SVW..3..M.h..I..\$8......E..@..0......N....D$..A..D$..A..D$..A..L$..D$.....l...t$..t$.....I....K..L$..s^....t.jc.l...K..L$..]^....t.j..V. .K..L$..G^....t.j..@.4.K..L$..1^....t.j..*.@.K..L$...^....t.j....P.K..L$...^....t.j.^...`.K..L$...]..........3.ja.D$L[.D$.S.L$....hp.K..L$...j...t$.....I.;.t...cu(...t#hL,I..L$..d...t$..t$..h...YG.D$..YC..z~..........M......O.3.Q..FVS.\$..Z....d$4..D$,j.VPS.|$<.t$H........L$ ...;.|e.\$HS.L$<..k..P.L$$.Q...Vj..D$(P.t$........L$ .z....L$8.gm..F...;.~....T$4...H........H...j.j.....L$..7m.._^3.[..]...U........k..SVWj.......I....E..@..8......O....E..A..E.A..E..A..M..E......h....3.......PWWWWW.u.....I..M...t.......P.....h..I......Wj..H.........
                                                            Process:C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):35840
                                                            Entropy (8bit):7.994801100442519
                                                            Encrypted:true
                                                            SSDEEP:768:HfvkzWD0cilJR7czChAME9572gQMCHsa0tOgh5P:/vL3i97FdE3qgQMCz0tOgnP
                                                            MD5:66D04BBFA2B3B805940FF6D39004F6FD
                                                            SHA1:7CFD832694CBA11437A2BBA62A8C809B133BA0E3
                                                            SHA-256:4FE85AD2A1CA692AC79BE4BBB8E67D0C745B40D57A4B5358E3BA3E5A9DF0B842
                                                            SHA-512:F68D52EB55FE879806AA6899E0C2263C400628E3076F2173A2D6D00E62BDF4E6EC7A7E5BE0E60D1E5E0007DBB8A6A679CC18110AE1AD0DE2F93EE32B897E362A
                                                            Malicious:false
                                                            Preview:...l..1..W..Z....f#n....Y^.Fut...r..N.x.AX.......H.7=.Z............Q.:.TUGh......<...g4.....6m...*.r.Et...j.q).^.....F...N\_.r....5g..C...a."..|FmW8....:x.C}.gw..^Vc...GjSZ9....l.!..fYW"...<./.....}g...I....W......o...;8jX..l*{+h....$.f.j..k....l...}....<..G.t)7J.......#c.....(6.W/..<.}..i......N_.Z.rC.a.wM........Z.d......?...X....$........NW...=..N.>.....@:.].P"..m.VJn...3h.0..#.rn..rVV...c@.F.......`..m..FQ:D...p..W7.k..#C[0(...Ce....U.....,..te....1..3.-....!......,;...V.#..._..5z.H.....S..>.........B....u.ICWkq....L...i..Y..6.Z....o.:bX..4; .$.8.\.<;..%K.(^..?...0.;N.KWL7..:2.j..K.NQ<A9.^.=.G.Z3..M.., .X.u.,...XVVeK<C6.G.....lsL.e..6..V..,....k.u.o..Zr....D)^...w.......p......aFB./..K....c....N..W=4.5...9.....L...{...[.w!.W8.E....7G.*...P....m.<7.Xf..BP.D.\...]{.d....2..v.I.oH..'...t.P..#9..S..!.;]..f>.su.8.<...[....T..h......J6...l...zS...,....\........5..21..4Y..]....w......tz.y..e.X/.... ..JVRt......l.%..P....'..v|..#.
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.977422924365237
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
File size: 975'909 bytes
MD5: 5223a85ff161e8818f0e514048051e7d
SHA1: 9574d384a9f3b449f64cf14a022df3c8c383e279
SHA256: 7632e569071acc40bce87af592e4cc2476d9c088906a1e6651614860b4754bf8
SHA512: a7860963ea26be9a3f41aea30bace94211bfe36d249062d1b91833a2675c4ddf7c60387bc0c167a484da4f228de382b8a0d054edafe49d59080452c601e8a950
SSDEEP: 24576:oXwOyoMvAJeqI8X6aGvX2T8NZrymq1I1bYSLsbUAYilGEADGKel:bFvAJeq7KmQ/rymq6YSLsbDdrqGKel
TLSH: 1C25232003A15C3EECD70E74B6B09D2B297A38825464D06F5714CEEDFF21189DDACB6A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....
Icon Hash: 80f07878d83a9244
Entrypoint: 0x403883
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: be41bf7b8cc010b614bd36bbca606973
Signature Valid: false
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before: 14/03/2023 01:00:00
Not After: 06/04/2025 01:59:59
Subject Chain:
• CN="Now.gg, INC", O="Now.gg, INC", L=Campbell, S=California, C=US, SERIALNUMBER=4559077, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version: 3
Thumbprint MD5: B36E3D9DABB354A9E7F4DF3CC89D1E23
Thumbprint SHA-1: DBC310671AC6A69DB3643A6B93824251D4AA329A
Thumbprint SHA-256: E1DD51B2509B140813272E25325E41E7B50A9EB5DD6D937A9A832579235E45FF
Serial: 04F9D50A6C792C9FD39D472E9837B5FF

Instruction (disassembly at entrypoint):
    sub esp, 000002D4h
    push ebx
    push ebp
    push esi
    push edi
    push 00000020h
    xor ebp, ebp
    pop esi
    mov dword ptr [esp+18h], ebp
    mov dword ptr [esp+10h], 00409268h
    mov dword ptr [esp+14h], ebp
    call dword ptr [00408030h]
    push 00008001h
    call dword ptr [004080B4h]
    push ebp
    call dword ptr [004082C0h]
    push 00000008h
    mov dword ptr [00472EB8h], eax
    call 00007F309549DD6Bh
    push ebp
    push 000002B4h
    mov dword ptr [00472DD0h], eax
    lea eax, dword ptr [esp+38h]
    push eax
    push ebp
    push 00409264h
    call dword ptr [00408184h]
    push 0040924Ch
    push 0046ADC0h
    call 00007F309549DA4Dh
    call dword ptr [004080B0h]
    push eax
    mov edi, 004C30A0h
    push edi
    call 00007F309549DA3Bh
    push ebp
    call dword ptr [00408134h]
    cmp word ptr [004C30A0h], 0022h
    mov dword ptr [00472DD8h], eax
    mov eax, edi
    jne 00007F309549B33Ah
    push 00000022h
    pop esi
    mov eax, 004C30A2h
    push esi
    push eax
    call 00007F309549D711h
    push eax
    call dword ptr [00408260h]
    mov esi, eax
    mov dword ptr [esp+1Ch], esi
    jmp 00007F309549B3C3h
    push 00000020h
                                                            pop ebx
                                                            cmp ax, bx
                                                            jne 00007F309549B33Ah
                                                            add esi, 02h
                                                            cmp word ptr [esi], bx
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ C ] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 SP1 build 40219
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x41f0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0xebaad | 0x2978 | .ndata |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xf4000 | 0x41f0 | 0x4200 | 4fd75a7cc24e9a0d1cc9f674c5cfb03e | False | 0.8312618371212122 | data | 7.28207784114741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xf9000 | 0xf32 | 0x1000 | 56248d3a971e7bbd3412ca8081b0ade9 | False | 1.002685546875 | data | 7.942409812969812 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xf41f0 | 0x24e4 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.001164760694621 |
| RT_ICON | 0xf66d8 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.6042805100182149 |
| RT_ICON | 0xf7800 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7296099290780141 |
| RT_DIALOG | 0xf7c68 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0xf7d68 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0xf7e88 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0xf7ee8 | 0x30 | data | English | United States | 0.875 |
| RT_MANIFEST | 0xf7f18 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193 |
| DLL | Import |
|---|---|
| KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW |
| USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW |
| GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject |
| SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation |
| ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW |
| COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
| ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
| VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |
| Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 2024-07-26T16:43:16.230581+0200 | TCP | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:42:13.988174+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49705 | 52.165.165.26 | 192.168.2.5 |
| 2024-07-26T16:43:27.736518+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:16.407742+0200 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 12245 | 49714 | 45.140.147.183 | 192.168.2.5 |
| 2024-07-26T16:43:26.561611+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:27.343120+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:21.989854+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:24.352512+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:22.350809+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:23.988408+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:26.978648+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:25.096072+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:24.168146+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:22.656385+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:26.302540+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:24.544199+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:26.081968+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:25.111609+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:26.744227+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:24.778983+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:22.855683+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:27.161304+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:21.793638+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:42:52.561065+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49712 | 52.165.165.26 | 192.168.2.5 |
| 2024-07-26T16:43:22.172217+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:21.464546+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| 2024-07-26T16:43:21.648004+0200 | TCP | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 12245 | 49714 | 45.140.147.183 | 192.168.2.5 |
| 2024-07-26T16:43:27.520559+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49714 | 12245 | 192.168.2.5 | 45.140.147.183 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
                                                            Jul 26, 2024 16:43:25.133568048 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133572102 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.133579969 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133584976 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.133594036 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133614063 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.133635998 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.133636951 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133650064 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133661985 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133671999 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.133675098 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133687973 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133697987 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.133718014 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.133719921 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133742094 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.133759975 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133773088 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133795977 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133826017 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133837938 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133857965 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133902073 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133913994 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133924961 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133960009 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133970976 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.133981943 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134087086 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134098053 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134109020 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134124041 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134135962 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134155989 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134169102 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134180069 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134207964 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134238958 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134251118 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134272099 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134284973 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134335041 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134346962 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134368896 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134380102 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134391069 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.134439945 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.134512901 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.138181925 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.138200045 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.138274908 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.138313055 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.138406992 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.138499975 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.138695002 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.138732910 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.139205933 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.139643908 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.140350103 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.140362978 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.140563011 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.140577078 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.140691996 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.140928030 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.140940905 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.140953064 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.140966892 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141110897 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141123056 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141134024 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141146898 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141202927 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141213894 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141236067 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141247034 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141259909 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141293049 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141372919 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141385078 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141396046 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141410112 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141421080 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141522884 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141597033 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141608953 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141619921 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141634941 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141645908 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141704082 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141838074 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141851902 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.141927004 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142045975 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142059088 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142080069 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142146111 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142158031 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142168999 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142189026 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142199993 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142231941 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.142252922 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142287970 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.142302036 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142313957 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142323971 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142364025 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142375946 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142466068 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142515898 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142528057 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142538071 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142615080 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142627001 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142638922 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142649889 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142793894 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142806053 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.142889977 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143007040 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143018961 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143029928 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143151045 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143166065 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143234968 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143332958 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143345118 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143393040 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143474102 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143553972 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143604994 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143610001 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143642902 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143655062 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143691063 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143703938 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143718958 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143755913 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143810034 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143902063 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143913984 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143925905 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143939018 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.143949986 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.144053936 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.144115925 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.144434929 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.144463062 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.144635916 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.144689083 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.147464037 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.147578001 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.147660017 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.147741079 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.147797108 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.147835970 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.147876024 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.147962093 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.147974968 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.147986889 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148000956 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148013115 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148032904 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148098946 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148111105 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148125887 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148138046 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148268938 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148281097 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148293972 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148319006 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148332119 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148343086 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148354053 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148380041 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148463964 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148477077 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148510933 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148521900 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148533106 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148570061 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148591995 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148637056 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148648977 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148724079 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148761988 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148775101 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148786068 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148814917 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148825884 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148857117 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148907900 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148919106 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148930073 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148951054 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148962975 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.148973942 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.149059057 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.149070024 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.149081945 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.149092913 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.149104118 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.149116993 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.149629116 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.149825096 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.149979115 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.149995089 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.150049925 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:25.150182009 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.150194883 CEST122454971445.140.147.183192.168.2.5
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Jul 26, 2024 16:43:25.150332928 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150345087 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150357008 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150372028 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150382996 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150404930 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150415897 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150454044 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150465012 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150578022 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150589943 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150600910 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150614977 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150667906 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150679111 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150708914 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150749922 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150762081 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150782108 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150842905 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150855064 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150876045 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150979042 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.150991917 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151002884 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151134014 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151145935 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151156902 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151169062 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151180983 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151201963 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151212931 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151223898 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151237011 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151295900 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151308060 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151393890 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151582003 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151593924 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151633978 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151654959 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151665926 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151741982 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151766062 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151777029 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151787996 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151801109 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151812077 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.151886940 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155019045 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155036926 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155047894 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155069113 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155088902 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155101061 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155175924 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155205965 CEST  49714        12245      192.168.2.5     45.140.147.183
Jul 26, 2024 16:43:25.155252934 CEST  49714        12245      192.168.2.5     45.140.147.183
Jul 26, 2024 16:43:25.155261993 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155328035 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155354977 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155587912 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155670881 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155777931 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155790091 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155812025 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.155991077 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156002998 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156013966 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156024933 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156035900 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156047106 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156131029 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156142950 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156153917 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156164885 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156176090 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156297922 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156320095 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156351089 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156410933 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156423092 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156434059 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156532049 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156543970 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156629086 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156641006 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156651974 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156672955 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156685114 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156696081 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156775951 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156788111 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156800032 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156810999 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156824112 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156953096 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156965017 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156976938 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.156991959 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.157004118 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.157092094 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.157105923 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.157118082 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160240889 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160320044 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160435915 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160448074 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160535097 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160574913 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160583973 CEST  49714        12245      192.168.2.5     45.140.147.183
Jul 26, 2024 16:43:25.160608053 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160619974 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160629988 CEST  49714        12245      192.168.2.5     45.140.147.183
Jul 26, 2024 16:43:25.160681009 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160720110 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160792112 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160804033 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160836935 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.160933018 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161245108 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161326885 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161339045 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161351919 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161365032 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161446095 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161458015 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161469936 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161484003 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161494970 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161576986 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161588907 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161600113 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161622047 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161892891 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161906004 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161917925 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161938906 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161950111 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.161962032 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162010908 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162095070 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162106991 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162118912 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162132978 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162142992 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162175894 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162255049 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162266970 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162287951 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162298918 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162309885 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162331104 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162343025 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162353992 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162364960 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162494898 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162507057 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.162539005 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.165565968 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.165582895 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.165718079 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.165744066 CEST  49714        12245      192.168.2.5     45.140.147.183
Jul 26, 2024 16:43:25.165802002 CEST  49714        12245      192.168.2.5     45.140.147.183
Jul 26, 2024 16:43:25.165890932 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166229963 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166251898 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166265965 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166364908 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166503906 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166543961 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166554928 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166567087 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166652918 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166665077 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166699886 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166801929 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166815042 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166881084 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.166918039 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167031050 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167078018 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167089939 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167102098 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167112112 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167123079 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167236090 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167318106 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167331934 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167417049 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167428970 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167440891 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167489052 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167700052 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167712927 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167725086 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167737961 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167748928 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167808056 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167850018 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167861938 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167892933 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167937994 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167949915 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.167983055 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.168082952 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.168096066 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.168107986 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.168121099 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.168132067 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.168183088 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.168224096 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.168246984 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.168258905 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.171922922 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.171936989 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.171960115 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.171974897 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.171998024 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.172049999 CEST  49714        12245      192.168.2.5     45.140.147.183
Jul 26, 2024 16:43:25.172219992 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.172233105 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.172291994 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.172359943 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.172372103 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.172432899 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.172535896 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.172548056 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.172944069 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.173069954 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.173664093 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.173837900 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.173976898 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.173989058 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.174469948 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.174525023 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.174535990 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.174629927 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.174643040 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.174654007 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.174665928 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.174709082 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.174868107 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.174880981 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.174952030 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.175043106 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.175086021 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.175098896 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.175111055 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.175132036 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.175143003 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.175174952 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.175228119 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.175239086 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.175333023 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.175385952 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.175396919 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.175754070 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.176187038 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.176228046 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.176240921 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.176302910 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.176350117 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.176362038 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.176430941 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.176443100 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.176454067 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.176477909 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.176997900 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.177273035 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.177297115 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.177350044 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.177362919 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.177457094 CEST  12245        49714      45.140.147.183  192.168.2.5
Jul 26, 2024 16:43:25.177520037 CEST  12245        49714      45.140.147.183  192.168.2.5
                                                            Jul 26, 2024 16:43:25.177531958 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.177542925 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.177556038 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.177567959 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.177642107 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.177679062 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.177762032 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.177776098 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.177845001 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.177891016 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.178004026 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.178016901 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.178061962 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.178117990 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.178131104 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.178181887 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.178299904 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.178313017 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.178392887 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.178435087 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.178447008 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:25.219765902 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.046818018 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.081968069 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:26.087469101 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.258704901 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.302540064 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:26.310154915 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.310173035 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.310185909 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.310200930 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.310213089 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.310229063 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.310241938 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.313684940 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.313699961 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.313714981 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.316371918 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.316390991 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.316421986 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.316435099 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.316447973 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.316536903 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.316550016 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.559189081 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.561610937 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:26.567634106 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.740652084 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.744226933 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:26.750654936 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.925313950 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:26.976783037 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:26.978647947 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:26.984720945 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:27.157116890 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:27.161303997 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:27.166441917 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:27.342663050 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:27.343120098 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:27.350025892 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:27.519727945 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:27.520559072 CEST4971412245192.168.2.545.140.147.183
                                                            Jul 26, 2024 16:43:27.526510000 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:27.699578047 CEST122454971445.140.147.183192.168.2.5
                                                            Jul 26, 2024 16:43:27.736517906 CEST4971412245192.168.2.545.140.147.183
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2024 16:41:58.728007078 CEST | 60774 | 53 | 192.168.2.5 | 1.1.1.1
Jul 26, 2024 16:41:58.743746042 CEST | 53 | 60774 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 26, 2024 16:41:58.728007078 CEST | 192.168.2.5 | 1.1.1.1 | 0x170a | Standard query (0) | WTYoyXMgGLmyIq.WTYoyXMgGLmyIq | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 26, 2024 16:41:58.743746042 CEST | 1.1.1.1 | 192.168.2.5 | 0x170a | Name error (3) | WTYoyXMgGLmyIq.WTYoyXMgGLmyIq | none | none | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 10:41:52
Start date: 26/07/2024
Path: C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe"
Imagebase: 0x400000
File size: 975'909 bytes
MD5 hash: 5223A85FF161E8818F0E514048051E7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 10:41:55
Start date: 26/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 10:41:55
Start date: 26/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 10:41:55
Start date: 26/07/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0xed0000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 10:41:55
Start date: 26/07/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /I "wrsa.exe opssvc.exe"
Imagebase: 0x470000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 10:41:56
Start date: 26/07/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0xed0000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 7
Start time: 10:41:56
Start date: 26/07/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Imagebase: 0x470000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 8
Start time: 10:41:56
Start date: 26/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c md 154571
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 10:41:56
Start date: 26/07/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /V "TRUEANALOGMINDOC" Pepper
Imagebase: 0x470000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 10
Start time: 10:41:57
Start date: 26/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c copy /b Lt + Blake + Tranny + Category 154571\i
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 10:41:57
Start date: 26/07/2024
Path: C:\Users\user\AppData\Local\Temp\154571\Eco.pif
Wow64 process (32bit): true
Commandline: 154571\Eco.pif 154571\i
Imagebase: 0xb60000
File size: 937'776 bytes
MD5 hash: B06E67F9767E5023892D9698703AD098
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2601109444.0000000004131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2649255360.0000000004C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2594664194.0000000005111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2590852384.0000000004C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2590491562.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2594309934.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2601087269.00000000041B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2649400665.0000000004A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2593561909.0000000004A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2594488822.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2593417176.0000000004B43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2649155250.0000000004B44000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2590274232.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2593236483.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2649346741.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2590740976.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2590274232.0000000004A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2590411622.0000000005113000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2590333622.0000000004BE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000003.2601050359.0000000004ABB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 12
Start time: 10:41:57
Start date: 26/07/2024
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout 5
Imagebase: 0xb10000
File size: 25'088 bytes
MD5 hash: 976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                            Target ID:16
                                                            Start time:10:42:53
                                                            Start date:26/07/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                                                            Imagebase:0xc0000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 0%, ReversingLabs
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:17
                                                            Start time:10:42:53
                                                            Start date:26/07/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                                                            Imagebase:0xef0000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000011.00000002.2929941333.0000000003319000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000011.00000002.2929013537.0000000001302000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            Has exited:true


Execution Graph

Execution Coverage: 12.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.6%
Total number of Nodes: 1523
Total number of Limit Nodes: 37
3780 40733a 3778->3780 3779->3770 3780->3779 3781 4073c2 GlobalFree 3780->3781 3782 4073cb GlobalAlloc 3780->3782 3783 407443 GlobalAlloc 3780->3783 3784 40743a GlobalFree 3780->3784 3781->3782 3782->3779 3782->3780 3783->3779 3783->3780 3784->3783 3785->3752 3787 404f8b 3786->3787 3796 40502f 3786->3796 3788 404fa9 lstrlenW 3787->3788 3789 406805 18 API calls 3787->3789 3790 404fd2 3788->3790 3791 404fb7 lstrlenW 3788->3791 3789->3788 3793 404fe5 3790->3793 3794 404fd8 SetWindowTextW 3790->3794 3792 404fc9 lstrcatW 3791->3792 3791->3796 3792->3790 3795 404feb SendMessageW SendMessageW SendMessageW 3793->3795 3793->3796 3794->3793 3795->3796 3796->3770 3798 403ea9 3797->3798 3826 405f51 wsprintfW 3798->3826 3800 403f1d 3801 406805 18 API calls 3800->3801 3802 403f29 SetWindowTextW 3801->3802 3804 403f44 3802->3804 3803 403f5f 3803->3595 3804->3803 3805 406805 18 API calls 3804->3805 3805->3804 3806->3592 3808 405f07 RegQueryValueExW 3807->3808 3809 405989 3807->3809 3810 405f29 RegCloseKey 3808->3810 3809->3590 3809->3591 3810->3809 3812->3597 3827 406009 lstrcpynW 3813->3827 3815 403e88 3816 406722 3 API calls 3815->3816 3817 403e8e lstrcatW 3816->3817 3817->3616 3828 403daf 3818->3828 3820 40506a 3823 4062a3 11 API calls 3820->3823 3825 405095 3820->3825 3831 40139d 3820->3831 3821 403daf SendMessageW 3822 4050a5 OleUninitialize 3821->3822 3822->3633 3823->3820 3825->3821 3826->3800 3827->3815 3829 403dc7 3828->3829 3830 403db8 SendMessageW 3828->3830 3829->3820 3830->3829 3834 4013a4 3831->3834 3832 401410 3832->3820 3834->3832 3835 4013dd MulDiv SendMessageW 3834->3835 3836 4015a0 3834->3836 3835->3834 3837 4015fa 3836->3837 3916 40160c 3836->3916 3838 401601 3837->3838 3839 401742 3837->3839 3840 401962 3837->3840 3841 4019ca 3837->3841 3842 40176e 3837->3842 3843 401650 3837->3843 3844 4017b1 3837->3844 3845 401672 3837->3845 3846 401693 3837->3846 3847 401616 3837->3847 3848 4016d6 3837->3848 3849 401736 3837->3849 3850 401897 3837->3850 3851 4018db 
3837->3851 3852 40163c 3837->3852 3853 4016bd 3837->3853 3837->3916 3866 4062a3 11 API calls 3838->3866 3858 401751 ShowWindow 3839->3858 3859 401758 3839->3859 3863 40145c 18 API calls 3840->3863 3856 40145c 18 API calls 3841->3856 3860 40145c 18 API calls 3842->3860 3943 4062a3 lstrlenW wvsprintfW 3843->3943 3949 40145c 3844->3949 3861 40145c 18 API calls 3845->3861 3946 401446 3846->3946 3855 40145c 18 API calls 3847->3855 3872 401446 18 API calls 3848->3872 3848->3916 3849->3916 3965 405f51 wsprintfW 3849->3965 3862 40145c 18 API calls 3850->3862 3867 40145c 18 API calls 3851->3867 3857 401647 PostQuitMessage 3852->3857 3852->3916 3854 4062a3 11 API calls 3853->3854 3869 4016c7 SetForegroundWindow 3854->3869 3870 40161c 3855->3870 3871 4019d1 SearchPathW 3856->3871 3857->3916 3858->3859 3873 401765 ShowWindow 3859->3873 3859->3916 3874 401775 3860->3874 3875 401678 3861->3875 3876 40189d 3862->3876 3877 401968 GetFullPathNameW 3863->3877 3866->3916 3868 4018e2 3867->3868 3880 40145c 18 API calls 3868->3880 3869->3916 3881 4062a3 11 API calls 3870->3881 3871->3916 3872->3916 3873->3916 3884 4062a3 11 API calls 3874->3884 3885 4062a3 11 API calls 3875->3885 3961 4062d5 FindFirstFileW 3876->3961 3887 40197f 3877->3887 3929 4019a1 3877->3929 3879 40169a 3889 4062a3 11 API calls 3879->3889 3890 4018eb 3880->3890 3891 401627 3881->3891 3893 401785 SetFileAttributesW 3884->3893 3894 401683 3885->3894 3911 4062d5 2 API calls 3887->3911 3887->3929 3888 4062a3 11 API calls 3896 4017c9 3888->3896 3897 4016a7 Sleep 3889->3897 3899 40145c 18 API calls 3890->3899 3900 404f72 25 API calls 3891->3900 3902 40179a 3893->3902 3893->3916 3909 404f72 25 API calls 3894->3909 3954 405d59 CharNextW CharNextW 3896->3954 3897->3916 3898 4019b8 GetShortPathNameW 3898->3916 3907 4018f5 3899->3907 3900->3916 3901 40139d 65 API calls 3901->3916 3908 4062a3 11 API calls 3902->3908 3903 4018c2 3912 4062a3 11 API calls 3903->3912 3904 4018a9 3910 4062a3 11 API calls 3904->3910 3914 4062a3 11 
API calls 3907->3914 3908->3916 3909->3916 3910->3916 3915 401991 3911->3915 3912->3916 3913 4017d4 3917 401864 3913->3917 3920 405d06 CharNextW 3913->3920 3938 4062a3 11 API calls 3913->3938 3918 401902 MoveFileW 3914->3918 3915->3929 3964 406009 lstrcpynW 3915->3964 3916->3834 3917->3894 3919 40186e 3917->3919 3921 401912 3918->3921 3922 40191e 3918->3922 3923 404f72 25 API calls 3919->3923 3925 4017e6 CreateDirectoryW 3920->3925 3921->3894 3927 401942 3922->3927 3932 4062d5 2 API calls 3922->3932 3928 401875 3923->3928 3925->3913 3926 4017fe GetLastError 3925->3926 3930 401827 GetFileAttributesW 3926->3930 3931 40180b GetLastError 3926->3931 3937 4062a3 11 API calls 3927->3937 3960 406009 lstrcpynW 3928->3960 3929->3898 3929->3916 3930->3913 3934 4062a3 11 API calls 3931->3934 3935 401929 3932->3935 3934->3913 3935->3927 3940 406c68 42 API calls 3935->3940 3936 401882 SetCurrentDirectoryW 3936->3916 3939 40195c 3937->3939 3938->3913 3939->3916 3941 401936 3940->3941 3942 404f72 25 API calls 3941->3942 3942->3927 3944 4060e7 9 API calls 3943->3944 3945 401664 3944->3945 3945->3901 3947 406805 18 API calls 3946->3947 3948 401455 3947->3948 3948->3879 3950 406805 18 API calls 3949->3950 3951 401488 3950->3951 3952 401497 3951->3952 3953 406038 5 API calls 3951->3953 3952->3888 3953->3952 3955 405d76 3954->3955 3956 405d88 3954->3956 3955->3956 3957 405d83 CharNextW 3955->3957 3958 405dac 3956->3958 3959 405d06 CharNextW 3956->3959 3957->3958 3958->3913 3959->3956 3960->3936 3962 4018a5 3961->3962 3963 4062eb FindClose 3961->3963 3962->3903 3962->3904 3963->3962 3964->3929 3965->3916 3967 403c91 3966->3967 3968 403876 3967->3968 3969 403c96 FreeLibrary GlobalFree 3967->3969 3970 406c9b 3968->3970 3969->3968 3969->3969 3971 40677e 18 API calls 3970->3971 3972 406cae 3971->3972 3973 406cb7 DeleteFileW 3972->3973 3974 406cce 3972->3974 4014 403882 OleUninitialize 3973->4014 3975 406e4b 3974->3975 4018 406009 lstrcpynW 3974->4018 3981 4062d5 2 API calls 3975->3981 4003 
406e58 3975->4003 3975->4014 3977 406cf9 3978 406d03 lstrcatW 3977->3978 3979 406d0d 3977->3979 3980 406d13 3978->3980 3982 406751 2 API calls 3979->3982 3984 406d23 lstrcatW 3980->3984 3985 406d19 3980->3985 3983 406e64 3981->3983 3982->3980 3988 406722 3 API calls 3983->3988 3983->4014 3987 406d2b lstrlenW FindFirstFileW 3984->3987 3985->3984 3985->3987 3986 4062a3 11 API calls 3986->4014 3989 406e3b 3987->3989 3993 406d52 3987->3993 3990 406e6e 3988->3990 3989->3975 3992 4062a3 11 API calls 3990->3992 3991 405d06 CharNextW 3991->3993 3994 406e79 3992->3994 3993->3991 3997 406e18 FindNextFileW 3993->3997 4006 406c9b 72 API calls 3993->4006 4013 404f72 25 API calls 3993->4013 4015 4062a3 11 API calls 3993->4015 4016 404f72 25 API calls 3993->4016 4017 406c68 42 API calls 3993->4017 4019 406009 lstrcpynW 3993->4019 4020 405e30 GetFileAttributesW 3993->4020 3995 405e30 2 API calls 3994->3995 3996 406e81 RemoveDirectoryW 3995->3996 4000 406ec4 3996->4000 4001 406e8d 3996->4001 3997->3993 3999 406e30 FindClose 3997->3999 3999->3989 4002 404f72 25 API calls 4000->4002 4001->4003 4004 406e93 4001->4004 4002->4014 4003->3986 4005 4062a3 11 API calls 4004->4005 4007 406e9d 4005->4007 4006->3993 4009 404f72 25 API calls 4007->4009 4011 406ea7 4009->4011 4012 406c68 42 API calls 4011->4012 4012->4014 4013->3997 4014->3491 4014->3492 4015->3993 4016->3993 4017->3993 4018->3977 4019->3993 4021 405e4d DeleteFileW 4020->4021 4022 405e3f SetFileAttributesW 4020->4022 4021->3993 4022->4021 4023->3654 4024->3678 4025->3697 4026->3697 4027->3686 4029 406ae7 GetShortPathNameW 4028->4029 4030 406abe 4028->4030 4031 406b00 4029->4031 4032 406c62 4029->4032 4054 405e50 GetFileAttributesW CreateFileW 4030->4054 4031->4032 4034 406b08 WideCharToMultiByte 4031->4034 4032->3707 4034->4032 4036 406b25 WideCharToMultiByte 4034->4036 4035 406ac7 CloseHandle GetShortPathNameW 4035->4032 4037 406adf 4035->4037 4036->4032 4038 406b3d wsprintfA 4036->4038 4037->4029 4037->4032 4039 406805 18 API 
calls 4038->4039 4040 406b69 4039->4040 4055 405e50 GetFileAttributesW CreateFileW 4040->4055 4042 406b76 4042->4032 4043 406b83 GetFileSize GlobalAlloc 4042->4043 4044 406ba4 ReadFile 4043->4044 4045 406c58 CloseHandle 4043->4045 4044->4045 4046 406bbe 4044->4046 4045->4032 4046->4045 4056 405db6 lstrlenA 4046->4056 4049 406bd7 lstrcpyA 4052 406bf9 4049->4052 4050 406beb 4051 405db6 4 API calls 4050->4051 4051->4052 4053 406c30 SetFilePointer WriteFile GlobalFree 4052->4053 4053->4045 4054->4035 4055->4042 4057 405df7 lstrlenA 4056->4057 4058 405dd0 lstrcmpiA 4057->4058 4059 405dff 4057->4059 4058->4059 4060 405dee CharNextA 4058->4060 4059->4049 4059->4050 4060->4057 4921 402a84 4922 401553 19 API calls 4921->4922 4923 402a8e 4922->4923 4924 401446 18 API calls 4923->4924 4925 402a98 4924->4925 4926 401a13 4925->4926 4927 402ab2 RegEnumKeyW 4925->4927 4928 402abe RegEnumValueW 4925->4928 4929 402a7e 4927->4929 4928->4926 4928->4929 4929->4926 4930 4029e4 RegCloseKey 4929->4930 4930->4926 4931 402c8a 4932 402ca2 4931->4932 4933 402c8f 4931->4933 4935 40145c 18 API calls 4932->4935 4934 401446 18 API calls 4933->4934 4937 402c97 4934->4937 4936 402ca9 lstrlenW 4935->4936 4936->4937 4938 402ccb WriteFile 4937->4938 4939 401a13 4937->4939 4938->4939 4940 40400d 4941 40406a 4940->4941 4942 40401a lstrcpynA lstrlenA 4940->4942 4942->4941 4943 40404b 4942->4943 4943->4941 4944 404057 GlobalFree 4943->4944 4944->4941 4945 401d8e 4946 40145c 18 API calls 4945->4946 4947 401d95 ExpandEnvironmentStringsW 4946->4947 4948 401da8 4947->4948 4950 401db9 4947->4950 4949 401dad lstrcmpW 4948->4949 4948->4950 4949->4950 4951 401e0f 4952 401446 18 API calls 4951->4952 4953 401e17 4952->4953 4954 401446 18 API calls 4953->4954 4955 401e21 4954->4955 4956 4030e3 4955->4956 4958 405f51 wsprintfW 4955->4958 4958->4956 4959 402392 4960 40145c 18 API calls 4959->4960 4961 402399 4960->4961 4964 4071f8 4961->4964 4965 406ed2 25 API calls 4964->4965 4966 407218 4965->4966 4967 407222 
lstrcpynW lstrcmpW 4966->4967 4968 4023a7 4966->4968 4969 407254 4967->4969 4970 40725a lstrcpynW 4967->4970 4969->4970 4970->4968 4971 402713 4986 406009 lstrcpynW 4971->4986 4973 40272c 4987 406009 lstrcpynW 4973->4987 4975 402738 4976 40145c 18 API calls 4975->4976 4978 402743 4975->4978 4976->4978 4977 402752 4980 40145c 18 API calls 4977->4980 4982 402761 4977->4982 4978->4977 4979 40145c 18 API calls 4978->4979 4979->4977 4980->4982 4981 40145c 18 API calls 4983 40276b 4981->4983 4982->4981 4984 4062a3 11 API calls 4983->4984 4985 40277f WritePrivateProfileStringW 4984->4985 4986->4973 4987->4975 4988 402797 4989 40145c 18 API calls 4988->4989 4990 4027ae 4989->4990 4991 40145c 18 API calls 4990->4991 4992 4027b7 4991->4992 4993 40145c 18 API calls 4992->4993 4994 4027c0 GetPrivateProfileStringW lstrcmpW 4993->4994 4995 402e18 4996 40145c 18 API calls 4995->4996 4997 402e1f FindFirstFileW 4996->4997 4998 402e32 4997->4998 5003 405f51 wsprintfW 4998->5003 5000 402e43 5004 406009 lstrcpynW 5000->5004 5002 402e50 5003->5000 5004->5002 5005 401e9a 5006 40145c 18 API calls 5005->5006 5007 401ea1 5006->5007 5008 401446 18 API calls 5007->5008 5009 401eab wsprintfW 5008->5009 4115 401a1f 4116 40145c 18 API calls 4115->4116 4117 401a26 4116->4117 4118 4062a3 11 API calls 4117->4118 4119 401a49 4118->4119 4120 401a64 4119->4120 4121 401a5c 4119->4121 4169 406009 lstrcpynW 4120->4169 4168 406009 lstrcpynW 4121->4168 4124 401a62 4128 406038 5 API calls 4124->4128 4125 401a6f 4126 406722 3 API calls 4125->4126 4127 401a75 lstrcatW 4126->4127 4127->4124 4130 401a81 4128->4130 4129 4062d5 2 API calls 4129->4130 4130->4129 4131 405e30 2 API calls 4130->4131 4133 401a98 CompareFileTime 4130->4133 4134 401ba9 4130->4134 4138 4062a3 11 API calls 4130->4138 4142 406009 lstrcpynW 4130->4142 4148 406805 18 API calls 4130->4148 4155 405ca0 MessageBoxIndirectW 4130->4155 4159 401b50 4130->4159 4166 401b5d 4130->4166 4167 405e50 GetFileAttributesW CreateFileW 4130->4167 4131->4130 
4133->4130 4135 404f72 25 API calls 4134->4135 4137 401bb3 4135->4137 4136 404f72 25 API calls 4139 401b70 4136->4139 4140 40337f 37 API calls 4137->4140 4138->4130 4143 4062a3 11 API calls 4139->4143 4141 401bc6 4140->4141 4144 4062a3 11 API calls 4141->4144 4142->4130 4150 401b8b 4143->4150 4145 401bda 4144->4145 4146 401be9 SetFileTime 4145->4146 4147 401bf8 FindCloseChangeNotification 4145->4147 4146->4147 4149 401c09 4147->4149 4147->4150 4148->4130 4151 401c21 4149->4151 4152 401c0e 4149->4152 4154 406805 18 API calls 4151->4154 4153 406805 18 API calls 4152->4153 4156 401c16 lstrcatW 4153->4156 4157 401c29 4154->4157 4155->4130 4156->4157 4158 4062a3 11 API calls 4157->4158 4160 401c34 4158->4160 4161 401b93 4159->4161 4162 401b53 4159->4162 4163 405ca0 MessageBoxIndirectW 4160->4163 4164 4062a3 11 API calls 4161->4164 4165 4062a3 11 API calls 4162->4165 4163->4150 4164->4150 4165->4166 4166->4136 4167->4130 4168->4124 4169->4125 5010 40209f GetDlgItem GetClientRect 5011 40145c 18 API calls 5010->5011 5012 4020cf LoadImageW SendMessageW 5011->5012 5013 4030e3 5012->5013 5014 4020ed DeleteObject 5012->5014 5014->5013 5015 402b9f 5016 401446 18 API calls 5015->5016 5021 402ba7 5016->5021 5017 402c4a 5018 402bdf ReadFile 5020 402c3d 5018->5020 5018->5021 5019 401446 18 API calls 5019->5020 5020->5017 5020->5019 5027 402d17 ReadFile 5020->5027 5021->5017 5021->5018 5021->5020 5022 402c06 MultiByteToWideChar 5021->5022 5023 402c3f 5021->5023 5025 402c4f 5021->5025 5022->5021 5022->5025 5028 405f51 wsprintfW 5023->5028 5025->5020 5026 402c6b SetFilePointer 5025->5026 5026->5020 5027->5020 5028->5017 5029 402b23 GlobalAlloc 5030 402b39 5029->5030 5031 402b4b 5029->5031 5032 401446 18 API calls 5030->5032 5033 40145c 18 API calls 5031->5033 5034 402b41 5032->5034 5035 402b52 WideCharToMultiByte lstrlenA 5033->5035 5036 402b93 5034->5036 5037 402b84 WriteFile 5034->5037 5035->5034 5037->5036 5038 402384 GlobalFree 5037->5038 5038->5036 5040 4044a5 5041 404512 
5040->5041 5042 4044df 5040->5042 5044 40451f GetDlgItem GetAsyncKeyState 5041->5044 5051 4045b1 5041->5051 5108 405c84 GetDlgItemTextW 5042->5108 5047 40453e GetDlgItem 5044->5047 5054 40455c 5044->5054 5045 4044ea 5048 406038 5 API calls 5045->5048 5046 40469d 5106 404833 5046->5106 5110 405c84 GetDlgItemTextW 5046->5110 5049 403d3f 19 API calls 5047->5049 5050 4044f0 5048->5050 5053 404551 ShowWindow 5049->5053 5056 403e74 5 API calls 5050->5056 5051->5046 5057 406805 18 API calls 5051->5057 5051->5106 5053->5054 5059 404579 SetWindowTextW 5054->5059 5064 405d59 4 API calls 5054->5064 5055 403dca 8 API calls 5060 404847 5055->5060 5061 4044f5 GetDlgItem 5056->5061 5062 40462f SHBrowseForFolderW 5057->5062 5058 4046c9 5063 40677e 18 API calls 5058->5063 5065 403d3f 19 API calls 5059->5065 5066 404503 IsDlgButtonChecked 5061->5066 5061->5106 5062->5046 5067 404647 CoTaskMemFree 5062->5067 5068 4046cf 5063->5068 5069 40456f 5064->5069 5070 404597 5065->5070 5066->5041 5071 406722 3 API calls 5067->5071 5111 406009 lstrcpynW 5068->5111 5069->5059 5075 406722 3 API calls 5069->5075 5072 403d3f 19 API calls 5070->5072 5073 404654 5071->5073 5076 4045a2 5072->5076 5077 40468b SetDlgItemTextW 5073->5077 5082 406805 18 API calls 5073->5082 5075->5059 5109 403d98 SendMessageW 5076->5109 5077->5046 5078 4046e6 5080 4062fc 3 API calls 5078->5080 5089 4046ee 5080->5089 5081 4045aa 5085 4062fc 3 API calls 5081->5085 5083 404673 lstrcmpiW 5082->5083 5083->5077 5086 404684 lstrcatW 5083->5086 5084 404730 5112 406009 lstrcpynW 5084->5112 5085->5051 5086->5077 5088 404739 5090 405d59 4 API calls 5088->5090 5089->5084 5094 406751 2 API calls 5089->5094 5095 404785 5089->5095 5091 40473f GetDiskFreeSpaceW 5090->5091 5093 404763 MulDiv 5091->5093 5091->5095 5093->5095 5094->5089 5097 4047e2 5095->5097 5098 4043ad 21 API calls 5095->5098 5096 404805 5113 403d85 EnableWindow 5096->5113 5097->5096 5099 40141d 80 API calls 5097->5099 5100 4047d3 5098->5100 5099->5096 5102 4047e4 
SetDlgItemTextW 5100->5102 5103 4047d8 5100->5103 5102->5097 5104 4043ad 21 API calls 5103->5104 5104->5097 5105 404821 5105->5106 5114 403d61 5105->5114 5106->5055 5108->5045 5109->5081 5110->5058 5111->5078 5112->5088 5113->5105 5115 403d74 SendMessageW 5114->5115 5116 403d6f 5114->5116 5115->5106 5116->5115 5117 402da5 5118 4030e3 5117->5118 5119 402dac 5117->5119 5120 401446 18 API calls 5119->5120 5121 402db8 5120->5121 5122 402dbf SetFilePointer 5121->5122 5122->5118 5123 402dcf 5122->5123 5123->5118 5125 405f51 wsprintfW 5123->5125 5125->5118 5126 4030a9 SendMessageW 5127 4030c2 InvalidateRect 5126->5127 5128 4030e3 5126->5128 5127->5128 5129 401cb2 5130 40145c 18 API calls 5129->5130 5131 401c54 5130->5131 5132 4062a3 11 API calls 5131->5132 5135 401c64 5131->5135 5133 401c59 5132->5133 5134 406c9b 81 API calls 5133->5134 5134->5135 4061 4021b5 4062 40145c 18 API calls 4061->4062 4063 4021bb 4062->4063 4064 40145c 18 API calls 4063->4064 4065 4021c4 4064->4065 4066 40145c 18 API calls 4065->4066 4067 4021cd 4066->4067 4068 40145c 18 API calls 4067->4068 4069 4021d6 4068->4069 4070 404f72 25 API calls 4069->4070 4071 4021e2 ShellExecuteW 4070->4071 4072 40221b 4071->4072 4073 40220d 4071->4073 4075 4062a3 11 API calls 4072->4075 4074 4062a3 11 API calls 4073->4074 4074->4072 4076 402230 4075->4076 5143 402238 5144 40145c 18 API calls 5143->5144 5145 40223e 5144->5145 5146 4062a3 11 API calls 5145->5146 5147 40224b 5146->5147 5148 404f72 25 API calls 5147->5148 5149 402255 5148->5149 5150 405c3f 2 API calls 5149->5150 5151 40225b 5150->5151 5152 4062a3 11 API calls 5151->5152 5155 4022ac CloseHandle 5151->5155 5158 40226d 5152->5158 5154 4030e3 5155->5154 5156 402283 WaitForSingleObject 5157 402291 GetExitCodeProcess 5156->5157 5156->5158 5157->5155 5160 4022a3 5157->5160 5158->5155 5158->5156 5159 406332 2 API calls 5158->5159 5159->5156 5162 405f51 wsprintfW 5160->5162 5162->5155 5163 4040b8 5164 4040d3 5163->5164 5172 404201 5163->5172 5168 40410e 
5164->5168 5194 403fca WideCharToMultiByte 5164->5194 5165 40426c 5166 404276 GetDlgItem 5165->5166 5167 40433e 5165->5167 5169 404290 5166->5169 5170 4042ff 5166->5170 5173 403dca 8 API calls 5167->5173 5175 403d3f 19 API calls 5168->5175 5169->5170 5178 4042b6 6 API calls 5169->5178 5170->5167 5179 404311 5170->5179 5172->5165 5172->5167 5174 40423b GetDlgItem SendMessageW 5172->5174 5177 404339 5173->5177 5199 403d85 EnableWindow 5174->5199 5176 40414e 5175->5176 5181 403d3f 19 API calls 5176->5181 5178->5170 5182 404327 5179->5182 5183 404317 SendMessageW 5179->5183 5186 40415b CheckDlgButton 5181->5186 5182->5177 5187 40432d SendMessageW 5182->5187 5183->5182 5184 404267 5185 403d61 SendMessageW 5184->5185 5185->5165 5197 403d85 EnableWindow 5186->5197 5187->5177 5189 404179 GetDlgItem 5198 403d98 SendMessageW 5189->5198 5191 40418f SendMessageW 5192 4041b5 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5191->5192 5193 4041ac GetSysColor 5191->5193 5192->5177 5193->5192 5195 404007 5194->5195 5196 403fe9 GlobalAlloc WideCharToMultiByte 5194->5196 5195->5168 5196->5195 5197->5189 5198->5191 5199->5184 4077 401eb9 4078 401f24 4077->4078 4079 401ec6 4077->4079 4080 401f53 GlobalAlloc 4078->4080 4081 401f28 4078->4081 4082 401ed5 4079->4082 4089 401ef7 4079->4089 4083 406805 18 API calls 4080->4083 4088 4062a3 11 API calls 4081->4088 4093 401f36 4081->4093 4084 4062a3 11 API calls 4082->4084 4087 401f46 4083->4087 4085 401ee2 4084->4085 4090 402708 4085->4090 4095 406805 18 API calls 4085->4095 4087->4090 4091 402387 GlobalFree 4087->4091 4088->4093 4099 406009 lstrcpynW 4089->4099 4091->4090 4101 406009 lstrcpynW 4093->4101 4094 401f06 4100 406009 lstrcpynW 4094->4100 4095->4085 4097 401f15 4102 406009 lstrcpynW 4097->4102 4099->4094 4100->4097 4101->4087 4102->4090 5200 4074bb 5202 407344 5200->5202 5201 407c6d 5202->5201 5203 4073c2 GlobalFree 5202->5203 5204 4073cb GlobalAlloc 5202->5204 5205 407443 GlobalAlloc 5202->5205 5206 40743a GlobalFree 
5202->5206 5203->5204 5204->5201 5204->5202 5205->5201 5205->5202 5206->5205

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
[Control-flow graph for the function at 00403883 (calls #17, SetErrorMode, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW, GetTempPathW, GetWindowsDirectoryW, DeleteFileW, CopyFileW, GetCurrentProcess, ExitWindowsEx); rendered as a graph image in the original report, raw edge list omitted.]
                                                              APIs
                                                              • #17.COMCTL32 ref: 004038A2
                                                              • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                              • OleInitialize.OLE32(00000000), ref: 004038B4
                                                                • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                              • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                                • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                              • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                              • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",00000000), ref: 00403904
                                                              • CharNextW.USER32(00000000,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",00000020), ref: 0040392B
                                                              • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                              • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                              • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                              • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                              • OleUninitialize.OLE32(?), ref: 00403AD1
                                                              • ExitProcess.KERNEL32 ref: 00403AF1
                                                              • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                              • lstrcmpiW.KERNEL32(004D70C8,C:\Users\user\Desktop,004D70C8,~nsu.tmp), ref: 00403B09
                                                              • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                              • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                              • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe,004331E8,00000001), ref: 00403B81
                                                              • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                              • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                              • String ID: /D=$ _?=$"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe"$C:\Users\user\Desktop$C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                              • API String ID: 2435955865-3685977797
                                                              • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                              • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                              • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                              • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

                                                              Control-flow Graph

                                                              control_flow_graph 631 4074bb-4074c0 632 4074c2-4074ef 631->632 633 40752f-407547 631->633 635 4074f1-4074f4 632->635 636 4074f6-4074fa 632->636 634 407aeb-407aff 633->634 640 407b01-407b17 634->640 641 407b19-407b2c 634->641 637 407506-407509 635->637 638 407502 636->638 639 4074fc-407500 636->639 642 407527-40752a 637->642 643 40750b-407514 637->643 638->637 639->637 644 407b33-407b3a 640->644 641->644 647 4076f6-407713 642->647 648 407516 643->648 649 407519-407525 643->649 645 407b61-407c68 644->645 646 407b3c-407b40 644->646 662 407350 645->662 663 407cec 645->663 651 407b46-407b5e 646->651 652 407ccd-407cd4 646->652 654 407715-407729 647->654 655 40772b-40773e 647->655 648->649 650 407589-4075b6 649->650 658 4075d2-4075ec 650->658 659 4075b8-4075d0 650->659 651->645 656 407cdd-407cea 652->656 660 407741-40774b 654->660 655->660 661 407cef-407cf6 656->661 664 4075f0-4075fa 658->664 659->664 665 40774d 660->665 666 4076ee-4076f4 660->666 667 407357-40735b 662->667 668 40749b-4074b6 662->668 669 40746d-407471 662->669 670 4073ff-407403 662->670 663->661 673 407600 664->673 674 407571-407577 664->674 675 407845-4078a1 665->675 676 4076c9-4076cd 665->676 666->647 672 407692-40769c 666->672 667->656 677 407361-40736e 667->677 668->634 682 407c76-407c7d 669->682 683 407477-40748b 669->683 688 407409-407420 670->688 689 407c6d-407c74 670->689 678 4076a2-4076c4 672->678 679 407c9a-407ca1 672->679 691 407556-40756e 673->691 692 407c7f-407c86 673->692 680 40762a-407630 674->680 681 40757d-407583 674->681 675->634 684 407c91-407c98 676->684 685 4076d3-4076eb 676->685 677->663 693 407374-4073ba 677->693 678->675 679->656 694 40768e 680->694 695 407632-40764f 680->695 681->650 681->694 682->656 690 40748e-407496 683->690 684->656 685->666 696 407423-407427 688->696 689->656 690->669 700 407498 690->700 691->674 692->656 698 4073e2-4073e4 693->698 699 4073bc-4073c0 693->699 694->672 701 407651-407665 695->701 702 407667-40767a 695->702 696->670 697 407429-40742f 696->697 704 407431-407438 697->704 705 407459-40746b 697->705 708 4073f5-4073fd 698->708 709 4073e6-4073f3 698->709 706 4073c2-4073c5 GlobalFree 699->706 707 4073cb-4073d9 GlobalAlloc 699->707 700->668 703 40767d-407687 701->703 702->703 703->680 710 407689 703->710 711 407443-407453 GlobalAlloc 704->711 712 40743a-40743d GlobalFree 704->712 705->690 706->707 707->663 713 4073df 707->713 708->696 709->708 709->709 715 407c88-407c8f 710->715 716 40760f-407627 710->716 711->663 711->705 712->711 713->698 715->656 716->680
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                              • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                              • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                              • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                              • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleLibraryLoadModuleProc
                                                              • String ID:
                                                              • API String ID: 310444273-0
                                                              • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                              • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                              • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                              • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                              • FindClose.KERNEL32(00000000), ref: 004062EC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID:
                                                              • API String ID: 2295610775-0
                                                              • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                              • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                              • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                              • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                              Control-flow Graph

                                                              control_flow_graph 121 4015a0-4015f4 122 4030e3-4030ec 121->122 123 4015fa 121->123 147 4030ee-4030f2 122->147 125 401601-401611 call 4062a3 123->125 126 401742-40174f 123->126 127 401962-40197d call 40145c GetFullPathNameW 123->127 128 4019ca-4019e6 call 40145c SearchPathW 123->128 129 40176e-401794 call 40145c call 4062a3 SetFileAttributesW 123->129 130 401650-401668 call 40137e call 4062a3 call 40139d 123->130 131 4017b1-4017d8 call 40145c call 4062a3 call 405d59 123->131 132 401672-401686 call 40145c call 4062a3 123->132 133 401693-4016ac call 401446 call 4062a3 123->133 134 401715-401731 123->134 135 401616-40162d call 40145c call 4062a3 call 404f72 123->135 136 4016d6-4016db 123->136 137 401736-4030de 123->137 138 401897-4018a7 call 40145c call 4062d5 123->138 139 4018db-401910 call 40145c * 3 call 4062a3 MoveFileW 123->139 140 40163c-401645 123->140 141 4016bd-4016d1 call 4062a3 SetForegroundWindow 123->141 125->147 151 401751-401755 ShowWindow 126->151 152 401758-40175f 126->152 186 4019a3-4019a8 127->186 187 40197f-401984 127->187 128->122 179 4019ec-4019f8 128->179 129->122 204 40179a-4017a6 call 4062a3 129->204 213 40166d 130->213 226 401864-40186c 131->226 227 4017de-4017fc call 405d06 CreateDirectoryW 131->227 205 401689-40168e call 404f72 132->205 210 4016b1-4016b8 Sleep 133->210 211 4016ae-4016b0 133->211 134->147 148 401632-401637 135->148 145 401702-401710 136->145 146 4016dd-4016fd call 401446 136->146 137->122 181 4030de call 405f51 137->181 206 4018c2-4018d6 call 4062a3 138->206 207 4018a9-4018bd call 4062a3 138->207 234 401912-401919 139->234 235 40191e-401921 139->235 140->148 149 401647-40164e PostQuitMessage 140->149 141->122 145->122 146->122 148->147 149->148 151->152 152->122 170 401765-401769 ShowWindow 152->170 170->122 179->122 181->122 190 4019af-4019b2 186->190 187->190 197 401986-401989 187->197 190->122 200 4019b8-4019c5 GetShortPathNameW 190->200 197->190 208 40198b-401993 call 4062d5 197->208 200->122 221 4017ab-4017ac 204->221 205->122 206->147 207->147 208->186 231 401995-4019a1 call 406009 208->231 210->122 211->210 213->147 221->122 229 401890-401892 226->229 230 40186e-40188b call 404f72 call 406009 SetCurrentDirectoryW 226->230 239 401846-40184e call 4062a3 227->239 240 4017fe-401809 GetLastError 227->240 229->205 230->122 231->190 234->205 241 401923-40192b call 4062d5 235->241 242 40194a-401950 235->242 254 401853-401854 239->254 245 401827-401832 GetFileAttributesW 240->245 246 40180b-401825 GetLastError call 4062a3 240->246 241->242 260 40192d-401948 call 406c68 call 404f72 241->260 250 401957-40195d call 4062a3 242->250 252 401834-401844 call 4062a3 245->252 253 401855-40185e 245->253 246->253 250->221 252->254 253->226 253->227 254->253 260->250
                                                              APIs
                                                              • PostQuitMessage.USER32(00000000), ref: 00401648
                                                              • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                              • SetForegroundWindow.USER32(?), ref: 004016CB
                                                              • ShowWindow.USER32(?), ref: 00401753
                                                              • ShowWindow.USER32(?), ref: 00401767
                                                              • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                              • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                              • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                              • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                              • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                              • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                              • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                              • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                              • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                              • SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                              Strings
                                                              • Rename failed: %s, xrefs: 0040194B
                                                              • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                              • CreateDirectory: "%s" created, xrefs: 00401849
                                                              • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                              • SetFileAttributes failed., xrefs: 004017A1
                                                              • BringToFront, xrefs: 004016BD
                                                              • detailprint: %s, xrefs: 00401679
                                                              • Rename on reboot: %s, xrefs: 00401943
                                                              • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                              • Call: %d, xrefs: 0040165A
                                                              • Rename: %s, xrefs: 004018F8
                                                              • Sleep(%d), xrefs: 0040169D
                                                              • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                              • Aborting: "%s", xrefs: 0040161D
                                                              • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                              • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                              • Jump: %d, xrefs: 00401602
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                              • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                              • API String ID: 2872004960-3619442763
                                                              • Opcode ID: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
                                                              • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                              • Opcode Fuzzy Hash: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
                                                              • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                              Control-flow Graph

                                                              control_flow_graph 267 40592c-405944 call 4062fc 270 405946-405956 call 405f51 267->270 271 405958-405990 call 405ed3 267->271 279 4059b3-4059dc call 403e95 call 40677e 270->279 276 405992-4059a3 call 405ed3 271->276 277 4059a8-4059ae lstrcatW 271->277 276->277 277->279 285 405a70-405a78 call 40677e 279->285 286 4059e2-4059e7 279->286 292 405a86-405a8d 285->292 293 405a7a-405a81 call 406805 285->293 286->285 287 4059ed-405a15 call 405ed3 286->287 287->285 294 405a17-405a1b 287->294 296 405aa6-405acb LoadImageW 292->296 297 405a8f-405a95 292->297 293->292 301 405a1d-405a2c call 405d06 294->301 302 405a2f-405a3b lstrlenW 294->302 299 405ad1-405b13 RegisterClassW 296->299 300 405b66-405b6e call 40141d 296->300 297->296 298 405a97-405a9c call 403e74 297->298 298->296 306 405c35 299->306 307 405b19-405b61 SystemParametersInfoW CreateWindowExW 299->307 319 405b70-405b73 300->319 320 405b78-405b83 call 403e95 300->320 301->302 303 405a63-405a6b call 406722 call 406009 302->303 304 405a3d-405a4b lstrcmpiW 302->304 303->285 304->303 311 405a4d-405a57 GetFileAttributesW 304->311 310 405c37-405c3e 306->310 307->300 316 405a59-405a5b 311->316 317 405a5d-405a5e call 406751 311->317 316->303 316->317 317->303 319->310 325 405b89-405ba6 ShowWindow LoadLibraryW 320->325 326 405c0c-405c14 call 405047 320->326 328 405ba8-405bad LoadLibraryW 325->328 329 405baf-405bc1 GetClassInfoW 325->329 334 405c16-405c1c 326->334 335 405c2e-405c30 call 40141d 326->335 328->329 330 405bc3-405bd3 GetClassInfoW RegisterClassW 329->330 331 405bd9-405c0a DialogBoxParamW call 40141d call 403c68 329->331 330->331 331->310 334->319 337 405c22-405c29 call 40141d 334->337 335->306 337->319
                                                              APIs
                                                                • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                              • lstrcatW.KERNEL32(004D30C0,00447240), ref: 004059AE
                                                              • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe"), ref: 00405A30
                                                              • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                              • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                                • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                              • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                              • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                                • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                              • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                              • LoadLibraryW.KERNEL32(RichEd20), ref: 00405BA2
                                                              • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                              • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                              • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                              • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                              • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe"$.DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                              • API String ID: 608394941-3977847073
                                                              • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                              • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                              • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                              • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                              • lstrcatW.KERNEL32(00000000,00000000), ref: 00401A76
                                                              • CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004CB0B0,00000000,00000000), ref: 00401AA0
                                                                • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                              • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
                                                              • API String ID: 4286501637-2478300759
                                                              • Opcode ID: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
                                                              • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                              • Opcode Fuzzy Hash: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
                                                              • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                              Control-flow Graph

                                                              control_flow_graph 428 403587-4035d5 GetTickCount GetModuleFileNameW call 405e50 431 4035e1-40360f call 406009 call 406751 call 406009 GetFileSize 428->431 432 4035d7-4035dc 428->432 440 403615 431->440 441 4036fc-40370a call 4032d2 431->441 433 4037b6-4037ba 432->433 443 40361a-403631 440->443 447 403710-403713 441->447 448 4037c5-4037ca 441->448 445 403633 443->445 446 403635-403637 call 403336 443->446 445->446 452 40363c-40363e 446->452 450 403715-40372d call 403368 call 403336 447->450 451 40373f-403769 GlobalAlloc call 403368 call 40337f 447->451 448->433 450->448 478 403733-403739 450->478 451->448 476 40376b-40377c 451->476 454 403644-40364b 452->454 455 4037bd-4037c4 call 4032d2 452->455 460 4036c7-4036cb 454->460 461 40364d-403661 call 405e0c 454->461 455->448 464 4036d5-4036db 460->464 465 4036cd-4036d4 call 4032d2 460->465 461->464 475 403663-40366a 461->475 472 4036ea-4036f4 464->472 473 4036dd-4036e7 call 407281 464->473 465->464 472->443 477 4036fa 472->477 473->472 475->464 481 40366c-403673 475->481 482 403784-403787 476->482 483 40377e 476->483 477->441 478->448 478->451 481->464 484 403675-40367c 481->484 485 40378a-403792 482->485 483->482 484->464 486 40367e-403685 484->486 485->485 487 403794-4037af SetFilePointer call 405e0c 485->487 486->464 488 403687-4036a7 486->488 491 4037b4 487->491 488->448 490 4036ad-4036b1 488->490 492 4036b3-4036b7 490->492 493 4036b9-4036c1 490->493 491->433 492->477 492->493 493->464 494 4036c3-4036c5 493->494 494->464
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00403598
                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                                • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                              • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe,C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                              • String ID: "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe"$C:\Users\user\Desktop$C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                              • API String ID: 4283519449-3581652057
                                                              • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                              • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                              • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                              • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

                                                              Control-flow Graph

                                                              control_flow_graph 495 40337f-403396 496 403398 495->496 497 40339f-4033a7 495->497 496->497 498 4033a9 497->498 499 4033ae-4033b3 497->499 498->499 500 4033c3-4033d0 call 403336 499->500 501 4033b5-4033be call 403368 499->501 505 4033d2 500->505 506 4033da-4033e1 500->506 501->500 507 4033d4-4033d5 505->507 508 4033e7-403407 GetTickCount call 4072f2 506->508 509 403518-40351a 506->509 510 403539-40353d 507->510 521 403536 508->521 523 40340d-403415 508->523 511 40351c-40351f 509->511 512 40357f-403583 509->512 514 403521 511->514 515 403524-40352d call 403336 511->515 516 403540-403546 512->516 517 403585 512->517 514->515 515->505 530 403533 515->530 519 403548 516->519 520 40354b-403559 call 403336 516->520 517->521 519->520 520->505 532 40355f-403572 WriteFile 520->532 521->510 526 403417 523->526 527 40341a-403428 call 403336 523->527 526->527 527->505 533 40342a-403433 527->533 530->521 534 403511-403513 532->534 535 403574-403577 532->535 536 403439-403456 call 407312 533->536 534->507 535->534 537 403579-40357c 535->537 540 40350a-40350c 536->540 541 40345c-403473 GetTickCount 536->541 537->512 540->507 542 403475-40347d 541->542 543 4034be-4034c2 541->543 544 403485-4034bb MulDiv wsprintfW call 404f72 542->544 545 40347f-403483 542->545 546 4034c4-4034c7 543->546 547 4034ff-403502 543->547 544->543 545->543 545->544 550 4034e7-4034ed 546->550 551 4034c9-4034db WriteFile 546->551 547->523 548 403508 547->548 548->521 552 4034f3-4034f7 550->552 551->534 554 4034dd-4034e0 551->554 552->536 556 4034fd 552->556 554->534 555 4034e2-4034e5 554->555 555->552 556->521
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 004033E7
                                                              • GetTickCount.KERNEL32 ref: 00403464
                                                              • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                              • wsprintfW.USER32 ref: 004034A4
                                                              • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                              • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                              Strings
                                                              • ... %d%%, xrefs: 0040349E
                                                              • X1C, xrefs: 004033ED
                                                              • X1C, xrefs: 0040343C
                                                              • OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO, xrefs: 004033A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: CountFileTickWrite$wsprintf
                                                              • String ID: ... %d%%$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO$X1C$X1C
                                                              • API String ID: 651206458-1396068033
                                                              • Opcode ID: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
                                                              • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                              • Opcode Fuzzy Hash: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
                                                              • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

                                                              Control-flow Graph

                                                              control_flow_graph 557 401eb9-401ec4 558 401f24-401f26 557->558 559 401ec6-401ec9 557->559 560 401f53-401f7b GlobalAlloc call 406805 558->560 561 401f28-401f2a 558->561 562 401ed5-401ee3 call 4062a3 559->562 563 401ecb-401ecf 559->563 576 4030e3-4030f2 560->576 577 402387-40238d GlobalFree 560->577 565 401f3c-401f4e call 406009 561->565 566 401f2c-401f36 call 4062a3 561->566 574 401ee4-402702 call 406805 562->574 563->559 567 401ed1-401ed3 563->567 565->577 566->565 567->562 573 401ef7-402e50 call 406009 * 3 567->573 573->576 589 402708-40270e 574->589 577->576 589->576
                                                              APIs
                                                                • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                              • GlobalFree.KERNELBASE(005EF5E8), ref: 00402387
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: FreeGloballstrcpyn
                                                              • String ID: Exch: stack < %d elements$Pop: stack empty$open
                                                              • API String ID: 1459762280-1711415406
                                                              • Opcode ID: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
                                                              • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                                              • Opcode Fuzzy Hash: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
                                                              • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

                                                              Control-flow Graph

                                                              control_flow_graph 592 4022fd-402325 call 40145c GetFileVersionInfoSizeW 595 4030e3-4030f2 592->595 596 40232b-402339 GlobalAlloc 592->596 596->595 597 40233f-40234e GetFileVersionInfoW 596->597 599 402350-402367 VerQueryValueW 597->599 600 402384-40238d GlobalFree 597->600 599->600 603 402369-402381 call 405f51 * 2 599->603 600->595 603->600
                                                              APIs
                                                              • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                              • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                              • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                              • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                                • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                              • GlobalFree.KERNELBASE(005EF5E8), ref: 00402387
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                              • String ID:
                                                              • API String ID: 3376005127-0
                                                              • Opcode ID: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
                                                              • Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
                                                              • Opcode Fuzzy Hash: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
                                                              • Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

                                                              Control-flow Graph

                                                              control_flow_graph 608 402b23-402b37 GlobalAlloc 609 402b39-402b49 call 401446 608->609 610 402b4b-402b6a call 40145c WideCharToMultiByte lstrlenA 608->610 615 402b70-402b73 609->615 610->615 616 402b93 615->616 617 402b75-402b8d call 405f6a WriteFile 615->617 618 4030e3-4030f2 616->618 617->616 622 402384-40238d GlobalFree 617->622 622->618
                                                              APIs
                                                              • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                              • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                              • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                              • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                              • String ID:
                                                              • API String ID: 2568930968-0
                                                              • Opcode ID: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
                                                              • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                                                              • Opcode Fuzzy Hash: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
                                                              • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

                                                              Control-flow Graph (function starting at 00405E7F; rendered graph not reproduced)
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00405E9D
                                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                              Strings
                                                              • "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe", xrefs: 00405E88
                                                              • nsa, xrefs: 00405E8C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: CountFileNameTempTick
                                                              • String ID: "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe"$nsa
                                                              • API String ID: 1716503409-2988625353
                                                              • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                              • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                                                              • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                              • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

                                                              Control-flow Graph (function starting at 004021B5; rendered graph not reproduced)
                                                              APIs
                                                                • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                              • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                                • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                              Strings
                                                              • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                              • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                              • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                              • API String ID: 3156913733-2180253247
                                                              • Opcode ID: a6f9f0949098482436c6c9f8cce42b162511fb53d9db31c2e6f8192b5b466978
                                                              • Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
                                                              • Opcode Fuzzy Hash: a6f9f0949098482436c6c9f8cce42b162511fb53d9db31c2e6f8192b5b466978
                                                              • Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

                                                              Control-flow Graph (function starting at 004078C5; rendered graph not reproduced)
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                              • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                                                              • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                              • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

                                                              Control-flow Graph (function starting at 00407AC3; rendered graph not reproduced)
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                              • Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
                                                              • Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                              • Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

                                                              Control-flow Graph (function starting at 00407312; rendered graph not reproduced)
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                              • Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
                                                              • Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                              • Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                              • Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
                                                              • Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                              • Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                              • Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
                                                              • Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                              • Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                              • Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
                                                              • Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                              • Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86
                                                              APIs
                                                              • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                              • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                              • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                              • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                              Similarity
                                                              • API ID: Global$AllocFree
                                                              • String ID:
                                                              • API String ID: 3394109436-0
                                                              • Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                              • Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
                                                              • Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                              • Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
                                                              APIs
                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                              • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                              • Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
                                                              • Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                              • Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(00000003,004035C7,C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                              Similarity
                                                              • API ID: File$AttributesCreate
                                                              • String ID:
                                                              • API String ID: 415043291-0
                                                              • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                              • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                                              • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                              • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                              • Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
                                                              • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                              • Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
                                                              APIs
                                                              • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                              • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                                                              • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                              • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                                                              APIs
                                                                • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                • Part of subcall function 00406038: CharPrevW.USER32(?,?,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                              • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                              Similarity
                                                              • API ID: Char$Next$CreateDirectoryPrev
                                                              • String ID:
                                                              • API String ID: 4115351271-0
                                                              • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                              • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                                                              • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                              • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                              • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                                              • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                              • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                              • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                              • GetClientRect.USER32(?,?), ref: 00405196
                                                              • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                              • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                              • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                              • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                              • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                                • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                              • CloseHandle.KERNEL32(00000000), ref: 004052C0
                                                              • ShowWindow.USER32(00000000), ref: 004052E7
                                                              • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                              • ShowWindow.USER32(00000008), ref: 00405333
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                              • CreatePopupMenu.USER32 ref: 00405376
                                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                              • GetWindowRect.USER32(?,?), ref: 0040539E
                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                              • OpenClipboard.USER32(00000000), ref: 0040540B
                                                              • EmptyClipboard.USER32 ref: 00405411
                                                              • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                              • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405427
                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                              • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040545D
                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                              • CloseClipboard.USER32 ref: 0040546E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                              • String ID: @rD$New install of "%s" to "%s"${
                                                              • API String ID: 2110491804-2409696222
                                                              • Opcode ID: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
                                                              • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                              • Opcode Fuzzy Hash: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
                                                              • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                              • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                              • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                              • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                              • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                              • DeleteObject.GDI32(?), ref: 00404A79
                                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                              • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                              • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                              • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                              • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                              • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                              • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                              • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                              • ShowWindow.USER32(00000000), ref: 00404F5B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                              • String ID: $ @$M$N
                                                              • API String ID: 1638840714-3479655940
                                                              • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                              • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                              • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                              • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                              • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                              • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                              • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                              • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                              • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                              • SetWindowTextW.USER32(?,?), ref: 00404583
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                              • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                              • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                              • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                                • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                                • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                • Part of subcall function 00406038: CharPrevW.USER32(?,?,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000), ref: 00403E8F
                                                              • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                                • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                              • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                              • String ID: 82D$@%F$@rD$A
                                                              • API String ID: 3347642858-1086125096
                                                              • Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                              • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                              • Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                              • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                              APIs
                                                              • DeleteFileW.KERNEL32(?,?,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe"), ref: 00406CB8
                                                              • lstrcatW.KERNEL32(0045C918,\*.*), ref: 00406D09
                                                              • lstrcatW.KERNEL32(?,00408838), ref: 00406D29
                                                              • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                              • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                              • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                              • FindClose.KERNEL32(?), ref: 00406E33
                                                              Strings
                                                              • "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe", xrefs: 00406CA4
                                                              • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                              • \*.*, xrefs: 00406D03
                                                              • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                              • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                              • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                              • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                              • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                              • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                              • String ID: "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe"$Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                              • API String ID: 2035342205-3375120808
                                                              • Opcode ID: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
                                                              • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                              • Opcode Fuzzy Hash: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
                                                              • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                              • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                              • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                              • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                              • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                              • CloseHandle.KERNEL32(?), ref: 004071E6
                                                                • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                              • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                              • API String ID: 1916479912-1189179171
                                                              • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                              • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                              • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                              • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                              APIs
                                                              • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                              • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                                • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                              • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                              • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                              • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                              • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                              • API String ID: 3581403547-784952888
                                                              • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                              • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                              • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                              • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                                              APIs
                                                              • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                              Strings
                                                              • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: CreateInstance
                                                              • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                              • API String ID: 542301482-1377821865
                                                              • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                              • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                                              • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                              • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: FileFindFirst
                                                              • String ID:
                                                              • API String ID: 1974802433-0
                                                              • Opcode ID: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
                                                              • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                                              • Opcode Fuzzy Hash: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
                                                              • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                                              APIs
                                                              • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                              • lstrlenW.KERNEL32(?), ref: 004063CC
                                                              • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                                • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                              • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                              • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                              • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                              • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                              • GlobalFree.KERNEL32(?), ref: 004064DD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                              • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                              • API String ID: 20674999-2124804629
                                                              • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                              • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                                              • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                              • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
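The function records on this page all share one layout: an APIs list of `Name.MODULE(args), ref: address` lines (calls made from a callee are indented under "Part of subcall function"), then a Similarity block whose String ID field joins the function's referenced strings with `$`. The record just above is a good illustration of why that is worth parsing: it loads PSAPI.DLL and resolves EnumProcesses, EnumProcessModules and GetModuleBaseNameW through GetProcAddress, with the Toolhelp names (CreateToolhelp32Snapshot, Process32FirstW, Process32NextW) present as fallback strings, so none of the process-listing imports appear in the static import table. The script below is an added example for this page, not Joe Sandbox code and not code from the analysed sample; it parses that record format and tags each function with the capability its calls and strings support. The sample input is an abridged copy of three records from this page (this one, the CreateShortCut record, and the [Rename] record further down); the capability rules and tag names are this example's own, and the `[Rename]`/`NUL` rule relies on the Windows wininit.ini convention in which a `NUL=path` line under `[Rename]` deletes the file at the next boot.

```python
"""Parse Joe Sandbox IDA-plugin function records and tag each with a capability.
Added example for this page; not Joe Sandbox code and not from the analysed sample."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed input: abridged copies of three records from this report
# (process enumeration, CreateShortCut, wininit [Rename]), indentation trimmed.
SAMPLE = """\
APIs
• GetVersionExW.KERNEL32(?), ref: 0040642A
  • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
• LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
• FreeLibrary.KERNEL32(00000000), ref: 004064D4
Similarity
• API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
• String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
• API String ID: 20674999-2124804629
APIs
• CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
Similarity
• String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
APIs
• lstrcpyW.KERNEL32(0045B2C8,NUL), ref: 00406AA9
• wsprintfA.USER32 ref: 00406B4D
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
• WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
Similarity
• String ID: F$%s=%s$NUL$[Rename]
"""

# One API line; the argument list is optional (e.g. "wsprintfA.USER32 ref: ...").
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                 # call-site address in the memory dump
    subcall_of: str | None   # set when listed under 'Part of subcall function'

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)

    def resolved_imports(self) -> list[str]:
        """Names the function resolves at run time via GetProcAddress."""
        return [c.args[1] for c in self.calls
                if c.name == "GetProcAddress" and len(c.args) > 1]

def parse_records(text: str) -> list[FunctionRecord]:
    """Split the report text at each 'APIs' header into one record per function."""
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = STRING_RE.match(line)
        if m:
            current.strings = [s for s in m["ids"].split("$") if s]
    return records

PROC_ENUM = {"EnumProcesses", "EnumProcessModules", "GetModuleBaseNameW",
             "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}

def classify(rec: FunctionRecord) -> list[str]:
    """Capability tags (this example's own), each tied to the names or strings behind it."""
    names = {c.name for c in rec.calls}
    strings = set(rec.strings)
    evidence = set(rec.resolved_imports()) | strings   # run-time imports count too
    tags = set()
    if evidence & PROC_ENUM:
        tags.add("process-enumeration")       # PSAPI / Toolhelp process listing
    if "CoCreateInstance" in names and any(s.startswith("CreateShortCut") for s in strings):
        tags.add("shortcut-creation")         # IShellLink .lnk writer
    if names & {"FindFirstFileW", "FindNextFileW"}:
        tags.add("file-enumeration")
    if {"[Rename]", "NUL"} <= strings:
        tags.add("wininit-delayed-rename")    # [Rename] NUL=path deletes at next boot
    return sorted(tags)

def summarize(text: str) -> list[tuple[str, list[str]]]:
    """(first call-site address, tags) per record; the address locates it in IDA."""
    return [(rec.calls[0].ref if rec.calls else "?", classify(rec))
            for rec in parse_records(text)]
```

Running `summarize(SAMPLE)` yields one row per record, keyed by the first call-site address so the tag can be cross-checked against the listing above; the rules deliberately look at GetProcAddress targets and referenced strings as well as direct calls, because that is exactly how the process-enumeration function hides its imports from a static import-table scan.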
                                                              APIs
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                              • ShowWindow.USER32(?), ref: 004054D2
                                                              • DestroyWindow.USER32 ref: 004054E6
                                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                              • GetDlgItem.USER32(?,?), ref: 00405523
                                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                              • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                              • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                              • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                              • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                              • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                              • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                              • EnableWindow.USER32(?,?), ref: 0040573C
                                                              • EnableWindow.USER32(?,?), ref: 00405757
                                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                              • EnableMenuItem.USER32(00000000), ref: 00405774
                                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                              • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                              • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                              • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                              • String ID: @rD
                                                              • API String ID: 184305955-3814967855
                                                              • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                              • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                              • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                              • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E
                                                              APIs
                                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                              • GetSysColor.USER32(?), ref: 004041AF
                                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                              • lstrlenW.KERNEL32(?), ref: 004041D6
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                                • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                                • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                                • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                              • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                              • SendMessageW.USER32(00000000), ref: 00404251
                                                              • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                              • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                              • SetCursor.USER32(00000000), ref: 004042D2
                                                              • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                              • SetCursor.USER32(00000000), ref: 004042F6
                                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                              • String ID: @%F$N$open
                                                              • API String ID: 3928313111-3849437375
                                                              • Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                              • Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
                                                              • Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                              • Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
                                                              APIs
                                                              • lstrcpyW.KERNEL32(0045B2C8,NUL), ref: 00406AA9
                                                              • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                              • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                                • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                              • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                              • wsprintfA.USER32 ref: 00406B4D
                                                              • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                              • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                                • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                              • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                              • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                              • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                              • String ID: F$%s=%s$NUL$[Rename]
                                                              • API String ID: 565278875-1653569448
                                                              • Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                              • Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
                                                              • Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                              • Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
                                                              APIs
                                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                              • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                              • DeleteObject.GDI32(?), ref: 004010F6
                                                              • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                              • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                              • SelectObject.GDI32(00000000,?), ref: 00401149
                                                              • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                              • DeleteObject.GDI32(?), ref: 0040116E
                                                              • EndPaint.USER32(?,?), ref: 00401177
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                              • String ID: F
                                                              • API String ID: 941294808-1304234792
                                                              • Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                              • Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
                                                              • Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                              • Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
APIs
• RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
• lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
• RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
• RegCloseKey.ADVAPI32(?), ref: 004029E4
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
• WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
• WriteReg: error creating key "%s\%s", xrefs: 004029F5
• WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
• WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
• WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
• WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
Memory Dump Source
• Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
Similarity
• API ID: lstrlen$CloseCreateValuewvsprintf
• String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
• API String ID: 1641139501-220328614
• Opcode ID: d79db666ee92a39b53e47641609ed565b43369f8775619f718224e07aa5483b4
• Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
• Opcode Fuzzy Hash: d79db666ee92a39b53e47641609ed565b43369f8775619f718224e07aa5483b4
• Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
• GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
• WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
• GlobalFree.KERNEL32(00000000), ref: 00402F17
• CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
• DeleteFileW.KERNEL32(?), ref: 00402F56
Strings
• created uninstaller: %d, "%s", xrefs: 00402F3B
Memory Dump Source
• Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
Similarity
• API ID: Global$AllocFileFree$CloseDeleteHandleWrite
• String ID: created uninstaller: %d, "%s"
• API String ID: 3294113728-3145124454
• Opcode ID: c666975226392a23a96cc8c7abb3eb5c8f7508c76e04a15e1ccd320165ca38cb
• Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
• Opcode Fuzzy Hash: c666975226392a23a96cc8c7abb3eb5c8f7508c76e04a15e1ccd320165ca38cb
• Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98
APIs
• CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
• GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
• WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
• lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678), ref: 0040619B
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
• WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
Similarity
• API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
• String ID: RMDir: RemoveDirectory invalid input("")
• API String ID: 3734993849-2769509956
• Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
• Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
• Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
• Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
• GetSysColor.USER32(00000000), ref: 00403E00
• SetTextColor.GDI32(?,00000000), ref: 00403E0C
• SetBkMode.GDI32(?,?), ref: 00403E18
• GetSysColor.USER32(?), ref: 00403E2B
• SetBkColor.GDI32(?,?), ref: 00403E3B
• DeleteObject.GDI32(?), ref: 00403E55
• CreateBrushIndirect.GDI32(?), ref: 00403E5F
Memory Dump Source
• Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
• Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
• Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
• Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94
APIs
• GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
• FreeLibrary.KERNEL32(?,?), ref: 004024C3
Strings
• Error registering DLL: Could not initialize OLE, xrefs: 004024F1
• Error registering DLL: %s not found in %s, xrefs: 0040249A
• Error registering DLL: Could not load %s, xrefs: 004024DB
Memory Dump Source
• Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
Similarity
• API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
• String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
• API String ID: 1033533793-945480824
• Opcode ID: aebbfb54fe117075fb91935afd2b3d42be9cb3525beaf419298f1839c78bdf39
• Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
• Opcode Fuzzy Hash: aebbfb54fe117075fb91935afd2b3d42be9cb3525beaf419298f1839c78bdf39
• Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
APIs
• lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
• lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
• lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
• SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
• SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
Memory Dump Source
• Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
• String ID:
• API String ID: 2740478559-0
• Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
• Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
• Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
• Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
• CharNextW.USER32(?,?,?,00000000), ref: 004060AA
• CharNextW.USER32(?,004D70C8,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
• CharPrevW.USER32(?,?,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
Strings
• "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe", xrefs: 00406042
• *?|<>/":, xrefs: 0040608A
Memory Dump Source
• Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe"$*?|<>/":
• API String ID: 589700163-4236547037
• Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
• Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
• Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
• Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
                                                              APIs
                                                                • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                              • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                              • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                              Strings
                                                              • Exec: command="%s", xrefs: 00402241
                                                              • Exec: success ("%s"), xrefs: 00402263
                                                              • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                              Similarity
                                                              • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                              • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                              • API String ID: 2014279497-3433828417
                                                              • Opcode ID: 04fd410bbb31de0d7d21d8cf733f8caec58fdd5b228a354368cf1c704b35d166
                                                              • Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
                                                              • Opcode Fuzzy Hash: 04fd410bbb31de0d7d21d8cf733f8caec58fdd5b228a354368cf1c704b35d166
                                                              • Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
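The function above is the installer stub's Exec handler: CreateProcessW in a subcall, then WaitForSingleObject, GetExitCodeProcess and CloseHandle in the function itself, with the Exec: command= / Exec: success / Exec: failed createprocess log strings (these are the strings the NSIS installer stub emits for its Exec instruction). As an added example, not part of the Joe Sandbox report, the Python below parses this per-function API listing format into structured records, builds the API-frequency profile that the Similarity section summarises, orders the function's own calls by call-site address, and matches two illustrative behaviour rules. The rule names, the regex and the helper names are this example's own assumptions; the sample input is copied from the API lines of this function and of the RegOpenKeyExW/RegEnumKeyW/RegDeleteKeyW function further down the page.

```python
"""Parse a Joe Sandbox per-function API listing into records and profile it."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One report line of the form "• API.MODULE(args), ref: ADDR"; callee APIs carry
# the "Part of subcall function ADDR:" prefix. Arguments are kept raw because the
# report embeds format strings containing commas and parentheses. (Assumed
# shape: it covers the line forms seen in this report, nothing more.)
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

@dataclass(frozen=True)
class ApiCall:
    api: str                # "CreateProcessW"
    module: str             # "KERNEL32"
    args: str               # raw argument text as printed by the report
    ref: int                # address of the call site
    subcall: Optional[int]  # callee address when the call is inherited from a subcall

def parse_api_listing(text: str) -> list[ApiCall]:
    """Return the API calls in a listing; headers, Strings lines and hashes never
    match the API.MODULE ... ref: shape and are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if m:
            calls.append(ApiCall(api=m["api"], module=m["mod"], args=m["args"] or "",
                                 ref=int(m["ref"], 16),
                                 subcall=int(m["sub"], 16) if m["sub"] else None))
    return calls

def api_profile(calls: list[ApiCall]) -> Counter:
    """How often each API appears, direct and inherited calls alike."""
    return Counter(c.api for c in calls)

def direct_sequence(calls: list[ApiCall]) -> list[str]:
    """The function's own calls ordered by call-site address (a static
    approximation of execution order; the report itself does not always list
    calls in address order)."""
    return [c.api for c in sorted(calls, key=lambda c: c.ref) if c.subcall is None]

# Illustrative behaviour rules over the API set; the names are this example's
# own, not Joe Sandbox signature names.
RULES = {
    "spawns_child_and_waits": {"CreateProcessW", "WaitForSingleObject", "GetExitCodeProcess"},
    "recursive_registry_delete": {"RegOpenKeyExW", "RegEnumKeyW", "RegDeleteKeyW"},
}

def match_rules(calls: list[ApiCall]) -> set[str]:
    present = {c.api for c in calls}
    return {name for name, needed in RULES.items() if needed <= present}

# Sample input copied from the report's API lines for the Exec function (one
# Strings line included to show it is ignored) and for the DeleteRegKey helper.
EXEC_LISTING = """APIs
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
  • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
• GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
Strings
• Exec: command="%s", xrefs: 00402241
"""

REG_LISTING = """• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
• RegCloseKey.ADVAPI32(?), ref: 00401504
• RegCloseKey.ADVAPI32(?), ref: 00401529
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
"""

if __name__ == "__main__":
    for name, listing in (("Exec", EXEC_LISTING), ("DeleteRegKey", REG_LISTING)):
        calls = parse_api_listing(listing)
        print(name, dict(api_profile(calls)), direct_sequence(calls), match_rules(calls))
```

Arguments are deliberately not split on commas: the report prints format strings such as `RMDir: RemoveDirectory("%s")` inline, so a naive split would miscount parameters. Inherited calls are kept but tagged with their callee address, which is what lets the rule matcher see CreateProcessW even though the Exec function itself never calls it directly.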
                                                              APIs
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                              • GetMessagePos.USER32 ref: 00404871
                                                              • ScreenToClient.USER32(?,?), ref: 00404889
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                              Similarity
                                                              • API ID: Message$Send$ClientScreen
                                                              • String ID: f
                                                              • API String ID: 41195575-1993550816
                                                              • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                              • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                              • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                              • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                              APIs
                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                              • MulDiv.KERNEL32(0000F200,00000064,?), ref: 00403295
                                                              • wsprintfW.USER32 ref: 004032A5
                                                              • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                              Strings
                                                              • verifying installer: %d%%, xrefs: 0040329F
                                                              Similarity
                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                              • String ID: verifying installer: %d%%
                                                              • API String ID: 1451636040-82062127
                                                              • Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                              • Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
                                                              • Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                              • Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
                                                              APIs
                                                              • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                              • wsprintfW.USER32 ref: 00404457
                                                              • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                              Similarity
                                                              • API ID: ItemTextlstrlenwsprintf
                                                              • String ID: %u.%u%s%s$@rD
                                                              • API String ID: 3540041739-1813061909
                                                              • Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                              • Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
                                                              • Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                              • Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                              APIs
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                              • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                              • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                              Similarity
                                                              • API ID: Close$DeleteEnumOpen
                                                              • String ID:
                                                              • API String ID: 1912718029-0
                                                              • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                              • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                              • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                              • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
                                                              APIs
                                                              • GetDlgItem.USER32(?), ref: 004020A3
                                                              • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                              • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                              • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                              • DeleteObject.GDI32(00000000), ref: 004020EE
                                                              Similarity
                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                              • String ID:
                                                              • API String ID: 1849352358-0
                                                              • Opcode ID: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
                                                              • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                              • Opcode Fuzzy Hash: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
                                                              • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
                                                              APIs
                                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                              Similarity
                                                              • API ID: MessageSend$Timeout
                                                              • String ID: !
                                                              • API String ID: 1777923405-2657877971
                                                              • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                              • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                              • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                              • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                              APIs
                                                                • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                              • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                              Strings
                                                              • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                              • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                              Similarity
                                                              • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                              • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                              • API String ID: 1697273262-1764544995
                                                              • Opcode ID: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
                                                              • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                              • Opcode Fuzzy Hash: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
                                                              • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
                                                              APIs
                                                              • IsWindowVisible.USER32(?), ref: 00404902
                                                              • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                                • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: Window$CallMessageProcSendVisible
                                                              • String ID: $@rD
                                                              • API String ID: 3748168415-881980237
                                                              • Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                              • Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
                                                              • Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                              • Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
                                                              APIs
                                                                • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                              • lstrlenW.KERNEL32 ref: 004026B4
                                                              • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                              • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                              • String ID: CopyFiles "%s"->"%s"
                                                              • API String ID: 2577523808-3778932970
                                                              • Opcode ID: f84dc7438b734d649018535b99f5ff883fadf72990f7ea17a428efaae3f8c2d6
                                                              • Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
                                                              • Opcode Fuzzy Hash: f84dc7438b734d649018535b99f5ff883fadf72990f7ea17a428efaae3f8c2d6
                                                              • Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: lstrcatwsprintf
                                                              • String ID: %02x%c$...
                                                              • API String ID: 3065427908-1057055748
                                                              • Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                              • Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
                                                              • Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                              • Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
                                                              APIs
                                                                • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringWritelstrcpyn
                                                              • String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
                                                              • API String ID: 247603264-1827671502
                                                              • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                              • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                                              • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                              • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD
                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 00405057
                                                                • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                              • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                                • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                              • String ID: Section: "%s"$Skipping section: "%s"
                                                              • API String ID: 2266616436-4211696005
                                                              • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                              • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                                              • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                              • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                                              APIs
                                                              • GetDC.USER32(?), ref: 00402100
                                                              • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                              • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                                • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                              • String ID:
                                                              • API String ID: 1599320355-0
                                                              • Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                              • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                                                              • Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                              • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
                                                              APIs
                                                                • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                              • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                                              • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                                              • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: lstrcpyn$CreateFilelstrcmp
                                                              • String ID: Version
                                                              • API String ID: 512980652-315105994
                                                              • Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                              • Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
                                                              • Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                              • Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
                                                              APIs
                                                              • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                                              • GetTickCount.KERNEL32 ref: 00403303
                                                              • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                              • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                              • String ID:
                                                              • API String ID: 2102729457-0
                                                              • Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                              • Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
                                                              • Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                              • Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
                                                              APIs
                                                              • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                                              • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                              • String ID:
                                                              • API String ID: 2883127279-0
                                                              • Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                              • Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
                                                              • Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                              • Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
                                                              APIs
                                                              • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                              • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: Window$EnableShowlstrlenwvsprintf
                                                              • String ID: HideWindow
                                                              • API String ID: 1249568736-780306582
                                                              • Opcode ID: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
                                                              • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                                                              • Opcode Fuzzy Hash: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
                                                              • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
                                                              APIs
                                                              • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                              • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringlstrcmp
                                                              • String ID: !N~
                                                              • API String ID: 623250636-529124213
                                                              • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                              • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                                                              • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                              • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                                              APIs
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                              • CloseHandle.KERNEL32(?), ref: 00405C71
                                                              Strings
                                                              • Error launching installer, xrefs: 00405C48
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateHandleProcess
                                                              • String ID: Error launching installer
                                                              • API String ID: 3712363035-66219284
                                                              • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                              • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                                              • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                              • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                                              APIs
                                                              • FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe",00000000,-00000002,00403876,00403AD1,?), ref: 00403C9D
                                                              • GlobalFree.KERNEL32(?), ref: 00403CA4
                                                              Strings
                                                              • "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe", xrefs: 00403C95
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: Free$GlobalLibrary
                                                              • String ID: "C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe"
                                                              • API String ID: 1100898210-2115154256
                                                              • Opcode ID: 046f1af9a807a40528e8b39a44fdd4b1d1a0d6b4247cdc0a72410f46df1f4411
                                                              • Instruction ID: e0409796cbff133e4cfb682494846e7286bf672da49bec0b05252ac9bde8f2ee
                                                              • Opcode Fuzzy Hash: 046f1af9a807a40528e8b39a44fdd4b1d1a0d6b4247cdc0a72410f46df1f4411
                                                              • Instruction Fuzzy Hash: 05E012338096209BDA315F15EE0875A7B68BF45B77F06012EE8C0BB3A487745C4186D8
                                                              APIs
                                                              • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004035F3,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe,C:\Users\user\Desktop\7632e569071acc40bce87af592e4cc2476d9c088906a1.exe,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00406757
                                                              • CharPrevW.USER32(80000000,00000000,?,?,?,00000000,00403A47,?), ref: 00406768
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: CharPrevlstrlen
                                                              • String ID: C:\Users\user\Desktop
                                                              • API String ID: 2709904686-1246513382
                                                              • Opcode ID: b7fdc044305c70bb42687b7f0662e1e6e1c83cc406910596c01fe4bf7230c37e
                                                              • Instruction ID: 578b036f622d94ce9a8c11ae272008c7950a84950c1f81d8e7c2595e1eaad068
                                                              • Opcode Fuzzy Hash: b7fdc044305c70bb42687b7f0662e1e6e1c83cc406910596c01fe4bf7230c37e
                                                              • Instruction Fuzzy Hash: B0D05E310005209BC7126B28DF45CAF77BCEF41700346446EF042E7170CB385D9287AD
                                                              APIs
                                                              • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                              • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: CloseHandlelstrlenwvsprintf
                                                              • String ID: RMDir: RemoveDirectory invalid input("")
                                                              • API String ID: 3509786178-2769509956
                                                              • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                              • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                              • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                              • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                              APIs
                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                              • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                              • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                              • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2015068765.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2015053636.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015088083.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004C3000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004CF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015116528.00000000004DF000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2015462703.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_7632e569071acc40bce87af592e4cc2476d9c088906a1.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                              • String ID:
                                                              • API String ID: 190613189-0
                                                              • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                              • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                              • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                              • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4
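The "API ID" shown in each Similarity block above (for example Global$AddressAllocByteCharFreeMultiProcWide for the function that calls GlobalAlloc, WideCharToMultiByte, GetProcAddress and GlobalFree) can be rebuilt from the function's API list, which makes it a cheap key for comparing this report against API sequences recovered from other samples. The Python below is an added example, not Joe Sandbox code. Its rules are inferred from the nine entries on this page and are an assumption about the tool's real scheme: strip the trailing A/W suffix, split CamelCase names into words, keep lowercase-leading CRT names such as lstrlen as one word, drop the words Get and To (they occur in call names here but never in an API ID), place words that occur more than once before a "$", and sort the remainder. Subcall lines count, as the HideWindow entry shows. The sample listing inside is copied from the report's HideWindow function entry; the API String ID hash is not reproduced because the hash function is not visible on the page.

```python
import re
from collections import Counter

# Assumption inferred from this page: "Get" and "To" appear in call names but
# never in an API ID, so they are dropped. The real tool may drop more words.
STOPWORDS = {"Get", "To"}

# One line of the report's "APIs" list, including "Part of subcall function" lines, e.g.
#   • ShowWindow.USER32(00000000,00000000), ref: 0040219F
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([A-Za-z_]\w*)\.([A-Za-z0-9]+)\(.*?ref:\s*([0-9A-Fa-f]+)\s*$"
)

# Copied from this report's HideWindow entry (the function whose API ID is
# Window$EnableShowlstrlenwvsprintf).
SAMPLE_LISTING = '''\
• ShowWindow.USER32(00000000,00000000), ref: 0040219F
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
• EnableWindow.USER32(00000000,00000000), ref: 004021AA
'''


def parse_api_calls(listing: str) -> list[tuple[str, str, str]]:
    """Return (api_name, module, call_site) for every API line of a report excerpt."""
    calls = []
    for line in listing.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append((m.group(1), m.group(2), m.group(3)))
    return calls


def tokens(api_name: str) -> list[str]:
    """Split one API name into the words that make up the API ID (inferred rules)."""
    name = api_name
    # Drop the ANSI/Unicode suffix: lstrlenW -> lstrlen, CharNextA -> CharNext.
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]
    # CRT-style names that do not start with a capital (lstrlen, wvsprintf) stay one word.
    if not name[0].isupper():
        return [name]
    words = re.findall(r"[A-Z][a-z0-9]*", name)
    return [w for w in words if w not in STOPWORDS]


def api_id(api_names: list[str]) -> str:
    """Words seen more than once, sorted, then '$', then the remaining words, sorted."""
    counts = Counter(w for name in api_names for w in tokens(name))
    shared = sorted(w for w, c in counts.items() if c > 1)
    rest = sorted(w for w, c in counts.items() if c == 1)
    return ("".join(shared) + "$" if shared else "") + "".join(rest)


def api_id_from_listing(listing: str) -> str:
    """Parse a report excerpt and compute its API ID."""
    return api_id([name for name, _module, _ref in parse_api_calls(listing)])


if __name__ == "__main__":
    for name, module, ref in parse_api_calls(SAMPLE_LISTING):
        print(f"{ref}  {module}!{name}")
    print(api_id_from_listing(SAMPLE_LISTING))
```

Python's default string order puts capitalised words before lowercase ones, which is why lstrlen and wvsprintf sort after Enable and Show in the HideWindow ID, matching the page. If a sample's API ID differs from the one recorded here only by a word that the real tool treats as a stopword, the stoplist is the first thing to adjust.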

                                                              Execution Graph

                                                              Execution Coverage:4.3%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:2.2%
                                                              Total number of Nodes:2000
                                                              Total number of Limit Nodes:57
                                                              [execution_graph: node/edge listing of the call graph as rendered by Joe Sandbox, flattened by extraction into a few very long lines and cut off mid-line. Node addresses lie in the 0xb6xxxx to 0xbbxxxx range, not the 0x400000-based image of the function listings above. Win32 and CRT names visible in the listing: GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, GetModuleHandleExW, ExitProcess, GetVersionExW, RaiseException, RtlAllocateHeap, RtlFreeHeap, GetLastError, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, std::exception::exception, __cinit, __lock, __mtinitlocknum, __getptd_noexit, __NMSG_WRITE, __dosmaperr, __freefls@4, _doexit, _free, _memmove, _wcscpy, __itow, __i64tow, wcstoxl.]
2 library calls 100731->100737 100733->100725 100738 b61284 100734->100738 100737->100731 100739 b61275 100738->100739 100740 b61291 100738->100740 100739->100731 100740->100739 100741 b61298 RegOpenKeyExW 100740->100741 100741->100739 100742 b612b2 RegQueryValueExW 100741->100742 100743 b612d3 100742->100743 100744 b612e8 RegCloseKey 100742->100744 100743->100744 100744->100739 100745 b65ff5 100775 b65ede Mailbox _memmove 100745->100775 100746 b80f16 59 API calls Mailbox 100746->100775 100747 b66a9b 100981 b6a9de 289 API calls 100747->100981 100750 b9ef29 100751 b65190 Mailbox 59 API calls 100750->100751 100756 b9ef1b 100751->100756 100752 b9ef37 100993 bca2fa 89 API calls 4 library calls 100752->100993 100803 b65569 Mailbox 100756->100803 100992 bb6ad4 59 API calls Mailbox 100756->100992 100757 b660e5 100758 b9e067 100757->100758 100763 b663bd Mailbox 100757->100763 100769 b66152 Mailbox 100757->100769 100770 b66abc 100757->100770 100758->100763 100982 bb7890 59 API calls 100758->100982 100759 b71c9c 59 API calls 100759->100775 100761 b80f16 Mailbox 59 API calls 100766 b663d1 100761->100766 100762 b71a36 59 API calls 100762->100775 100763->100761 100778 b66426 100763->100778 100768 b663de 100766->100768 100766->100770 100771 b66413 100768->100771 100772 b9e0a2 100768->100772 100769->100770 100774 b661bf 100769->100774 100987 bb7890 59 API calls 100769->100987 100991 bca2fa 89 API calls 4 library calls 100770->100991 100771->100778 100804 b65447 Mailbox 100771->100804 100983 bdc644 85 API calls 2 library calls 100772->100983 100774->100756 100774->100770 100790 b9e2fd VariantClear 100774->100790 100774->100803 100860 bd2ee9 100774->100860 100865 b6cfd7 100774->100865 100884 bd5be2 100774->100884 100909 bde3d4 100774->100909 100912 bdea30 100774->100912 100920 bde982 100774->100920 100926 bdef7a 100774->100926 100972 b65190 100774->100972 100775->100746 100775->100747 100775->100750 100775->100752 100775->100757 100775->100759 100775->100762 100775->100770 
100775->100803 100832 b653b0 100775->100832 100931 bdc11d 100775->100931 100977 b6523c 100775->100977 100985 bc7d7e 59 API calls Mailbox 100775->100985 100986 bb6ad4 59 API calls Mailbox 100775->100986 100984 bdc791 95 API calls Mailbox 100778->100984 100780 b9e0cd 100780->100780 100781 b9e5c1 100988 bca2fa 89 API calls 4 library calls 100781->100988 100782 b9f095 100995 bca2fa 89 API calls 4 library calls 100782->100995 100787 b669fa 100791 b71c9c 59 API calls 100787->100791 100788 b9e5d0 100789 b80f16 59 API calls Mailbox 100789->100804 100790->100774 100791->100803 100792 b9e9ca 100798 b71c9c 59 API calls 100792->100798 100794 b669ff 100794->100781 100794->100782 100795 b71c9c 59 API calls 100795->100804 100796 b71207 59 API calls 100796->100804 100798->100803 100799 bb7890 59 API calls 100799->100804 100800 b9ea97 100800->100803 100989 bb7890 59 API calls 100800->100989 100801 b82ea0 67 API calls __cinit 100801->100804 100804->100781 100804->100787 100804->100789 100804->100792 100804->100794 100804->100795 100804->100796 100804->100799 100804->100800 100804->100801 100804->100803 100805 b9ee58 100804->100805 100807 b65a1a 100804->100807 100815 b66e30 100804->100815 100971 b67e50 289 API calls 2 library calls 100804->100971 100990 bca2fa 89 API calls 4 library calls 100805->100990 100994 bca2fa 89 API calls 4 library calls 100807->100994 100816 b66e4a 100815->100816 100819 b66ff7 100815->100819 100817 b674d0 100816->100817 100816->100819 100821 b66f2c 100816->100821 100824 b66fdb 100816->100824 100817->100824 101000 b649e0 59 API calls wcstoxq 100817->101000 100818 b66fbb Mailbox 100818->100824 100826 b9fb4e 100818->100826 100999 b641c4 59 API calls Mailbox 100818->100999 100819->100817 100819->100818 100823 b67076 100819->100823 100819->100824 100821->100823 100821->100824 100825 b66f68 100821->100825 100823->100818 100823->100824 100823->100826 100997 bb7890 59 API calls 100823->100997 100824->100804 100825->100818 100825->100824 100829 b9f9a1 100825->100829 
100827 b9fb60 100826->100827 100998 b83e99 59 API calls __wtof_l 100826->100998 100827->100804 100829->100824 100996 b83e99 59 API calls __wtof_l 100829->100996 100833 b653cf 100832->100833 100856 b653fd Mailbox 100832->100856 100834 b80f16 Mailbox 59 API calls 100833->100834 100834->100856 100835 b82ea0 67 API calls __cinit 100835->100856 100836 b669fa 100837 b71c9c 59 API calls 100836->100837 100855 b65569 Mailbox 100837->100855 100838 b80f16 59 API calls Mailbox 100838->100856 100839 b669ff 100840 b9e5c1 100839->100840 100841 b9f095 100839->100841 101002 bca2fa 89 API calls 4 library calls 100840->101002 101006 bca2fa 89 API calls 4 library calls 100841->101006 100844 b66e30 60 API calls 100844->100856 100845 b9e5d0 100845->100775 100846 b71c9c 59 API calls 100846->100856 100847 b9e9ca 100851 b71c9c 59 API calls 100847->100851 100849 b71207 59 API calls 100849->100856 100851->100855 100852 bb7890 59 API calls 100852->100856 100853 b9ea97 100853->100855 101003 bb7890 59 API calls 100853->101003 100855->100775 100856->100835 100856->100836 100856->100838 100856->100839 100856->100840 100856->100844 100856->100846 100856->100847 100856->100849 100856->100852 100856->100853 100856->100855 100857 b9ee58 100856->100857 100859 b65a1a 100856->100859 101001 b67e50 289 API calls 2 library calls 100856->101001 101004 bca2fa 89 API calls 4 library calls 100857->101004 101005 bca2fa 89 API calls 4 library calls 100859->101005 100861 b6523c 59 API calls 100860->100861 100862 bd2efc 100861->100862 101007 bc7bdb 100862->101007 100864 bd2f04 100864->100774 100866 b64d37 84 API calls 100865->100866 100867 b6d001 100866->100867 101039 b65278 100867->101039 100869 b6d018 100870 b6d57b 100869->100870 100876 b6d439 Mailbox __NMSG_WRITE 100869->100876 101069 b6502b 59 API calls 100869->101069 100870->100774 100874 b64f98 59 API calls 100874->100876 100875 b80b90 62 API calls 100875->100876 100876->100870 100876->100874 100876->100875 100879 b64d37 84 API calls 100876->100879 100880 
b71821 59 API calls 100876->100880 100883 b6502b 59 API calls 100876->100883 101044 b8305f 100876->101044 101054 b759d3 100876->101054 101065 b75ac3 100876->101065 101070 b7162d 100876->101070 101075 b7153b 59 API calls 2 library calls 100876->101075 101076 b64f3c 59 API calls Mailbox 100876->101076 100879->100876 100880->100876 100883->100876 100885 bd5c0b 100884->100885 100886 bd5c39 WSAStartup 100885->100886 101144 b6502b 59 API calls 100885->101144 100888 bd5c62 100886->100888 100892 bd5c4d Mailbox 100886->100892 101139 b740cd 100888->101139 100890 bd5c26 100890->100886 101145 b6502b 59 API calls 100890->101145 100892->100774 100893 b64d37 84 API calls 100895 bd5c77 100893->100895 100897 b7402a 61 API calls 100895->100897 100896 bd5c35 100896->100886 100898 bd5c84 inet_addr gethostbyname 100897->100898 100898->100892 100899 bd5ca2 IcmpCreateFile 100898->100899 100899->100892 100900 bd5cc6 100899->100900 100901 b80f16 Mailbox 59 API calls 100900->100901 100902 bd5cdf 100901->100902 101146 b7433f 100902->101146 100905 bd5cf9 IcmpSendEcho 100908 bd5d32 100905->100908 100906 bd5d1a IcmpSendEcho 100906->100908 100907 bd5d99 IcmpCloseHandle WSACleanup 100907->100892 100908->100907 101149 bdcf8e 100909->101149 100911 bde3e4 100911->100774 100914 bdea73 100912->100914 100919 bdea4c 100912->100919 100913 bdea95 100917 bdead9 100913->100917 100913->100919 101284 b6502b 59 API calls 100913->101284 100914->100913 101283 b6502b 59 API calls 100914->101283 101280 bc6669 100917->101280 100919->100774 100923 bde995 100920->100923 100921 b64d37 84 API calls 100922 bde9d2 100921->100922 101345 bc7b51 100922->101345 100923->100921 100925 bde9a4 100923->100925 100925->100774 100927 b64d37 84 API calls 100926->100927 100928 bdef97 100927->100928 101389 bc3fb5 CreateToolhelp32Snapshot Process32FirstW 100928->101389 100930 bdefa6 100930->100774 100932 bdc148 100931->100932 100933 bdc162 100931->100933 101493 bca2fa 89 API calls 4 library calls 100932->101493 101466 bda6c5 
100933->101466 100937 b653b0 288 API calls 100938 bdc1ce 100937->100938 100939 bdc260 100938->100939 100942 bdc20f 100938->100942 100964 bdc15a Mailbox 100938->100964 100940 bdc2b6 100939->100940 100941 bdc266 100939->100941 100943 b64d37 84 API calls 100940->100943 100940->100964 101494 bc7d42 59 API calls 100941->101494 100947 bc7707 59 API calls 100942->100947 100945 bdc2c8 100943->100945 100948 b71aa4 59 API calls 100945->100948 100946 bdc289 101495 b735b9 59 API calls Mailbox 100946->101495 100950 bdc23f 100947->100950 100951 bdc2ec CharUpperBuffW 100948->100951 100953 bb6c9f 288 API calls 100950->100953 100954 bdc306 100951->100954 100952 bdc291 Mailbox 101496 b6b020 100952->101496 100953->100964 100955 bdc30d 100954->100955 100956 bdc359 100954->100956 101473 bc7707 100955->101473 100958 b64d37 84 API calls 100956->100958 100959 bdc361 100958->100959 101538 b65376 60 API calls 100959->101538 100964->100775 100965 bdc36b 100965->100964 100966 b64d37 84 API calls 100965->100966 100967 bdc386 100966->100967 101539 b735b9 59 API calls Mailbox 100967->101539 100969 bdc396 100970 b6b020 288 API calls 100969->100970 100970->100964 100971->100804 100974 b6519b 100972->100974 100973 b651d2 100973->100774 100974->100973 102200 b641c4 59 API calls Mailbox 100974->102200 100976 b651fd 100976->100774 100978 b6524a 100977->100978 100979 b65250 100977->100979 100978->100979 100980 b71c9c 59 API calls 100978->100980 100979->100775 100980->100979 100981->100770 100982->100763 100983->100778 100984->100780 100985->100775 100986->100775 100987->100769 100988->100788 100989->100803 100990->100807 100991->100756 100992->100803 100993->100756 100994->100803 100995->100803 100996->100829 100997->100818 100998->100827 100999->100818 101000->100824 101001->100856 101002->100845 101003->100855 101004->100859 101005->100855 101006->100855 101008 bc7d12 101007->101008 101010 bc7bf2 101007->101010 101008->100864 101009 bc7c32 101012 b80f16 Mailbox 59 API calls 101009->101012 
101010->101009 101011 bc7c0a 101010->101011 101013 bc7c49 101010->101013 101011->101009 101014 bc7c1a 101011->101014 101027 bc7c28 Mailbox _memmove 101012->101027 101017 b80f16 Mailbox 59 API calls 101013->101017 101024 bc7c66 101013->101024 101021 b80f16 Mailbox 59 API calls 101014->101021 101015 bc7c9f 101019 b80f16 Mailbox 59 API calls 101015->101019 101016 bc7c91 101018 b80f16 Mailbox 59 API calls 101016->101018 101017->101024 101018->101027 101022 bc7ca5 101019->101022 101020 b80f16 Mailbox 59 API calls 101020->101008 101021->101027 101028 bc7893 59 API calls Mailbox 101022->101028 101024->101015 101024->101016 101024->101027 101025 bc7cb1 101029 b7402a WideCharToMultiByte 101025->101029 101027->101020 101028->101025 101030 b74085 101029->101030 101031 b7404e 101029->101031 101038 b73f20 59 API calls Mailbox 101030->101038 101032 b80f16 Mailbox 59 API calls 101031->101032 101034 b74055 WideCharToMultiByte 101032->101034 101037 b73f79 59 API calls 2 library calls 101034->101037 101036 b74077 101036->101027 101037->101036 101038->101036 101040 b80f16 Mailbox 59 API calls 101039->101040 101041 b65285 101040->101041 101042 b71a36 59 API calls 101041->101042 101043 b65294 101041->101043 101042->101043 101043->100869 101045 b8306b 101044->101045 101046 b830e0 101044->101046 101053 b83090 101045->101053 101077 b88c88 58 API calls __getptd_noexit 101045->101077 101079 b830f2 60 API calls 3 library calls 101046->101079 101049 b830ed 101049->100876 101050 b83077 101078 b88f16 9 API calls wcstoxl 101050->101078 101052 b83082 101052->100876 101053->100876 101055 b759fe _memset 101054->101055 101080 b75800 101055->101080 101058 b75a83 101060 b75a9d Shell_NotifyIconW 101058->101060 101061 b75ab9 Shell_NotifyIconW 101058->101061 101062 b75aab 101060->101062 101061->101062 101084 b756f8 101062->101084 101064 b75ab2 101064->100876 101066 b75b25 101065->101066 101067 b75ad5 _memset 101065->101067 101066->100876 101068 b75af4 Shell_NotifyIconW 101067->101068 101068->101066 
101069->100876 101071 b80f16 Mailbox 59 API calls 101070->101071 101072 b71652 101071->101072 101073 b80f16 Mailbox 59 API calls 101072->101073 101074 b71660 101073->101074 101074->100876 101075->100876 101076->100876 101077->101050 101078->101052 101079->101049 101081 b75810 101080->101081 101082 b7581c 101080->101082 101081->101058 101114 bc334a 62 API calls _W_store_winword 101081->101114 101082->101081 101083 b75821 DestroyIcon 101082->101083 101083->101081 101085 b75715 101084->101085 101086 b757fa Mailbox 101084->101086 101087 b7162d 59 API calls 101085->101087 101086->101064 101088 b75723 101087->101088 101089 bb0bcc LoadStringW 101088->101089 101090 b75730 101088->101090 101093 bb0be6 101089->101093 101091 b71821 59 API calls 101090->101091 101092 b75745 101091->101092 101094 b75752 101092->101094 101101 bb0bf4 101092->101101 101095 b71c9c 59 API calls 101093->101095 101094->101093 101096 b75760 101094->101096 101102 b75778 _memset _wcscpy 101095->101102 101115 b71900 101096->101115 101100 bb0c37 Mailbox 101132 b837fa 83 API calls 3 library calls 101100->101132 101101->101100 101101->101102 101103 b71207 59 API calls 101101->101103 101104 b757e0 Shell_NotifyIconW 101102->101104 101105 bb0c1e 101103->101105 101104->101086 101131 bc0035 60 API calls Mailbox 101105->101131 101108 bb0c29 101110 b717e0 59 API calls 101108->101110 101109 bb0c56 101111 b71900 59 API calls 101109->101111 101110->101100 101112 bb0c67 101111->101112 101113 b71900 59 API calls 101112->101113 101113->101102 101114->101058 101116 b71914 101115->101116 101117 baf4b4 101115->101117 101133 b718a5 101116->101133 101119 b71c7e 59 API calls 101117->101119 101121 baf4bf __NMSG_WRITE _memmove 101119->101121 101120 b7191f 101122 b717e0 101120->101122 101123 b717f2 101122->101123 101124 baf381 101122->101124 101125 b71680 59 API calls 101123->101125 101138 bb85dc 59 API calls _memmove 101124->101138 101127 b717fe 101125->101127 101127->101102 101128 baf38b 101129 b71c9c 59 API calls 
101128->101129 101130 baf393 Mailbox 101129->101130 101131->101108 101132->101109 101134 b718b4 __NMSG_WRITE 101133->101134 101135 b71c7e 59 API calls 101134->101135 101136 b718c5 _memmove 101134->101136 101137 baf471 _memmove 101135->101137 101136->101120 101138->101128 101140 b80f16 Mailbox 59 API calls 101139->101140 101141 b740e0 101140->101141 101142 b71c7e 59 API calls 101141->101142 101143 b740ed 101142->101143 101143->100893 101144->100890 101145->100896 101147 b80f16 Mailbox 59 API calls 101146->101147 101148 b74351 101147->101148 101148->100905 101148->100906 101150 b64d37 84 API calls 101149->101150 101151 bdcfcb 101150->101151 101155 bdd012 Mailbox 101151->101155 101187 bddc56 101151->101187 101153 bdd3df 101237 bddd79 92 API calls Mailbox 101153->101237 101155->100911 101157 bdd3ee 101159 bdd278 101157->101159 101160 bdd3fa 101157->101160 101158 b64d37 84 API calls 101165 bdd063 Mailbox 101158->101165 101200 bdce1f 101159->101200 101160->101155 101165->101155 101165->101158 101174 bdd26a 101165->101174 101220 bc0267 59 API calls 2 library calls 101165->101220 101221 bdd490 61 API calls 2 library calls 101165->101221 101166 bdd2b1 101215 b80d68 101166->101215 101169 bdd2cb 101222 bca2fa 89 API calls 4 library calls 101169->101222 101170 bdd2e4 101223 b647be 101170->101223 101173 bdd2d6 GetCurrentProcess TerminateProcess 101173->101170 101174->101153 101174->101159 101178 bdd455 101178->101155 101183 bdd469 FreeLibrary 101178->101183 101180 bdd31c 101235 bddafa 107 API calls _free 101180->101235 101183->101155 101185 b6523c 59 API calls 101186 bdd32d 101185->101186 101186->101178 101186->101185 101236 b64230 59 API calls Mailbox 101186->101236 101238 bddafa 107 API calls _free 101186->101238 101188 b71aa4 59 API calls 101187->101188 101189 bddc71 CharLowerBuffW 101188->101189 101239 bbf6e6 101189->101239 101193 b71207 59 API calls 101194 bddcaa 101193->101194 101246 b71462 101194->101246 101196 bddcc1 101197 b71981 59 API calls 101196->101197 101198 
bddccd Mailbox 101197->101198 101199 bddd09 Mailbox 101198->101199 101259 bdd490 61 API calls 2 library calls 101198->101259 101199->101165 101201 bdce3a 101200->101201 101202 bdce8f 101200->101202 101203 b80f16 Mailbox 59 API calls 101201->101203 101206 bddf01 101202->101206 101205 bdce5c 101203->101205 101204 b80f16 Mailbox 59 API calls 101204->101205 101205->101202 101205->101204 101207 bde12a Mailbox 101206->101207 101214 bddf24 _strcat _wcscpy __NMSG_WRITE 101206->101214 101207->101166 101208 b6502b 59 API calls 101208->101214 101209 b650d5 59 API calls 101209->101214 101210 b65087 59 API calls 101210->101214 101211 b64d37 84 API calls 101211->101214 101212 b8586c 58 API calls __crtGetStringTypeA_stat 101212->101214 101214->101207 101214->101208 101214->101209 101214->101210 101214->101211 101214->101212 101268 bc5caf 61 API calls 2 library calls 101214->101268 101216 b80d7d 101215->101216 101217 b80e15 NtResumeThread 101216->101217 101218 b80de3 101216->101218 101219 b80e03 FindCloseChangeNotification 101216->101219 101217->101218 101218->101169 101218->101170 101219->101218 101220->101165 101221->101165 101222->101173 101224 b647c6 101223->101224 101225 b80f16 Mailbox 59 API calls 101224->101225 101226 b647d4 101225->101226 101227 b647e0 101226->101227 101269 b646ec 101226->101269 101229 b64540 101227->101229 101272 b64650 101229->101272 101231 b6454f 101232 b80f16 Mailbox 59 API calls 101231->101232 101233 b645eb 101231->101233 101232->101233 101233->101186 101234 b64230 59 API calls Mailbox 101233->101234 101234->101180 101235->101186 101236->101186 101237->101157 101238->101186 101240 bbf711 __NMSG_WRITE 101239->101240 101241 bbf750 101240->101241 101244 bbf746 101240->101244 101245 bbf7f7 101240->101245 101241->101193 101241->101198 101243 b714db 61 API calls 101243->101245 101244->101241 101260 b714db 101244->101260 101245->101241 101245->101243 101247 b71471 101246->101247 101248 b714ce 101246->101248 101247->101248 101249 b7147c 101247->101249 101250 
b71981 59 API calls 101248->101250 101251 b71497 101249->101251 101252 baf15e 101249->101252 101256 b7149f _memmove 101250->101256 101267 b71b7c 59 API calls Mailbox 101251->101267 101254 b71c7e 59 API calls 101252->101254 101255 baf168 101254->101255 101257 b80f16 Mailbox 59 API calls 101255->101257 101256->101196 101258 baf188 101257->101258 101259->101199 101261 b714e9 CompareStringW 101260->101261 101266 baf190 101260->101266 101264 b7150c 101261->101264 101263 baf1df 101264->101244 101265 b84de8 60 API calls 101265->101266 101266->101263 101266->101265 101267->101256 101268->101214 101270 b80f16 Mailbox 59 API calls 101269->101270 101271 b646f9 101270->101271 101271->101227 101273 b64659 Mailbox 101272->101273 101274 b9d61c 101273->101274 101279 b64663 101273->101279 101275 b80f16 Mailbox 59 API calls 101274->101275 101276 b9d628 101275->101276 101277 b65190 Mailbox 59 API calls 101277->101279 101278 b6466a 101278->101231 101279->101277 101279->101278 101285 bc6685 101280->101285 101282 bc6680 101282->100919 101283->100913 101284->100917 101318 bc65a2 101285->101318 101288 bc671e 101290 bc678e 101288->101290 101294 bc6784 101288->101294 101299 bc6737 101288->101299 101289 bc6706 101334 bc68e0 89 API calls 2 library calls 101289->101334 101292 bc680c 101290->101292 101293 bc67be 101290->101293 101308 bc66aa _memmove 101290->101308 101295 bc68a7 101292->101295 101296 bc6813 101292->101296 101297 bc67de 101293->101297 101298 bc67c3 101293->101298 101294->101290 101317 bc676b 101294->101317 101295->101308 101343 b650d5 59 API calls 101295->101343 101300 bc6889 101296->101300 101301 bc6816 101296->101301 101297->101308 101339 b65087 59 API calls 101297->101339 101298->101308 101338 b65087 59 API calls 101298->101338 101335 bc8b3d 61 API calls 101299->101335 101300->101308 101342 b650d5 59 API calls 101300->101342 101309 bc681a 101301->101309 101310 bc6852 101301->101310 101308->101282 101309->101308 101340 b650d5 59 API calls 101309->101340 101310->101308 101341 
b650d5 59 API calls 101310->101341 101311 bc673f 101336 bc8b3d 61 API calls 101311->101336 101315 bc6756 _memmove 101337 bc8b3d 61 API calls 101315->101337 101325 bc7aec 101317->101325 101319 bc65f2 101318->101319 101323 bc65b3 101318->101323 101344 b6502b 59 API calls 101319->101344 101320 bc65f0 101320->101288 101320->101289 101320->101308 101322 b64d37 84 API calls 101322->101323 101323->101320 101323->101322 101324 b8305f _W_store_winword 60 API calls 101323->101324 101324->101323 101326 bc7af7 101325->101326 101327 b80f16 Mailbox 59 API calls 101326->101327 101328 bc7afe 101327->101328 101329 bc7b0a 101328->101329 101330 bc7b2b 101328->101330 101332 b80f16 Mailbox 59 API calls 101329->101332 101331 b80f16 Mailbox 59 API calls 101330->101331 101333 bc7b13 _memset 101331->101333 101332->101333 101333->101308 101334->101308 101335->101311 101336->101315 101337->101317 101338->101308 101339->101308 101340->101308 101341->101308 101342->101308 101343->101308 101344->101320 101346 bc7b5e 101345->101346 101347 b80f16 Mailbox 59 API calls 101346->101347 101348 bc7b65 101347->101348 101351 bc5fa2 101348->101351 101350 bc7ba8 Mailbox 101350->100925 101352 b71aa4 59 API calls 101351->101352 101353 bc5fb5 CharLowerBuffW 101352->101353 101354 bc5fc8 101353->101354 101355 bc6002 101354->101355 101356 b71609 59 API calls 101354->101356 101368 bc5fd2 _memset Mailbox 101354->101368 101357 bc6014 101355->101357 101384 b71609 101355->101384 101356->101354 101358 b80f16 Mailbox 59 API calls 101357->101358 101362 bc6042 101358->101362 101364 bc6061 101362->101364 101387 bc5ede 59 API calls 101362->101387 101363 bc60a0 101365 b80f16 Mailbox 59 API calls 101363->101365 101363->101368 101369 bc60ff 101364->101369 101366 bc60ba 101365->101366 101367 b80f16 Mailbox 59 API calls 101366->101367 101367->101368 101368->101350 101370 b71207 59 API calls 101369->101370 101371 bc6131 101370->101371 101372 b71207 59 API calls 101371->101372 101373 bc613a 101372->101373 101374 b71207 59 API 
calls 101373->101374 101382 bc6143 _wcscmp 101374->101382 101375 bc6418 Mailbox 101375->101363 101375->101375 101376 b71821 59 API calls 101376->101382 101377 b7153b 59 API calls 101377->101382 101378 b83768 GetStringTypeW 101378->101382 101380 b836ec 59 API calls 101380->101382 101381 bc60ff 60 API calls 101381->101382 101382->101375 101382->101376 101382->101377 101382->101378 101382->101380 101382->101381 101383 b71c9c 59 API calls 101382->101383 101388 b8378e GetStringTypeW _iswctype 101382->101388 101383->101382 101385 b71aa4 59 API calls 101384->101385 101386 b71614 101385->101386 101386->101357 101387->101362 101388->101382 101399 bc4b4f 101389->101399 101391 bc40b1 FindCloseChangeNotification 101391->100930 101392 bc4002 Process32NextW 101392->101391 101397 bc3ffb Mailbox 101392->101397 101393 b71207 59 API calls 101393->101397 101394 b71a36 59 API calls 101394->101397 101396 b717e0 59 API calls 101396->101397 101397->101391 101397->101392 101397->101393 101397->101394 101397->101396 101405 b80044 101397->101405 101456 b7151f 101397->101456 101400 bc4b5d 101399->101400 101401 bc4b76 101399->101401 101400->101401 101404 bc4b7c 101400->101404 101459 b8378e GetStringTypeW _iswctype 101400->101459 101460 b836f5 59 API calls __wcstoi64 101401->101460 101404->101397 101406 b71207 59 API calls 101405->101406 101407 b8005a 101406->101407 101408 b71207 59 API calls 101407->101408 101409 b80062 101408->101409 101410 b71207 59 API calls 101409->101410 101411 b8006a 101410->101411 101412 b71207 59 API calls 101411->101412 101413 b80072 101412->101413 101414 bb6062 101413->101414 101415 b800a6 101413->101415 101416 b71c9c 59 API calls 101414->101416 101417 b71462 59 API calls 101415->101417 101418 bb606b 101416->101418 101419 b800b4 101417->101419 101461 b719e1 101418->101461 101421 b71981 59 API calls 101419->101421 101422 b800be 101421->101422 101423 b800e9 101422->101423 101424 b71462 59 API calls 101422->101424 101426 b80108 101423->101426 101427 bb608b 
101423->101427 101443 b80129 101423->101443 101428 b800df 101424->101428 101425 b71462 59 API calls 101430 b8013a 101425->101430 101429 b71609 59 API calls 101426->101429 101431 bb615b 101427->101431 101438 bb6144 101427->101438 101450 bb60c2 101427->101450 101432 b71981 59 API calls 101428->101432 101435 b80112 101429->101435 101434 b8014c 101430->101434 101436 b71c9c 59 API calls 101430->101436 101433 b71821 59 API calls 101431->101433 101432->101423 101451 bb6118 101433->101451 101437 b71c9c 59 API calls 101434->101437 101439 b8015c 101434->101439 101441 b71462 59 API calls 101435->101441 101435->101443 101436->101434 101437->101439 101438->101431 101446 bb612f 101438->101446 101440 b80163 101439->101440 101442 b71c9c 59 API calls 101439->101442 101444 b71c9c 59 API calls 101440->101444 101453 b8016a Mailbox 101440->101453 101441->101443 101442->101440 101443->101425 101444->101453 101445 b71609 59 API calls 101445->101451 101449 b71821 59 API calls 101446->101449 101447 bb6120 101448 b71821 59 API calls 101447->101448 101448->101451 101449->101451 101450->101447 101454 bb610b 101450->101454 101451->101443 101451->101445 101465 b7153b 59 API calls 2 library calls 101451->101465 101453->101397 101455 b71821 59 API calls 101454->101455 101455->101451 101457 b714db 61 API calls 101456->101457 101458 b71537 101457->101458 101458->101397 101459->101400 101460->101404 101462 b719fb 101461->101462 101464 b719ee 101461->101464 101463 b80f16 Mailbox 59 API calls 101462->101463 101463->101464 101464->101423 101465->101451 101467 bda6e0 101466->101467 101472 bda738 101466->101472 101468 b80f16 Mailbox 59 API calls 101467->101468 101470 bda702 101468->101470 101469 b80f16 Mailbox 59 API calls 101469->101470 101470->101469 101470->101472 101540 bb6f3e 59 API calls Mailbox 101470->101540 101472->100937 101474 bc7719 101473->101474 101476 bc7750 101473->101476 101475 b80f16 Mailbox 59 API calls 101474->101475 101474->101476 101475->101476 101477 bb6c9f 101476->101477 101478 
bb6ce9 101477->101478 101483 bb6cff Mailbox 101477->101483 101481 b71a36 59 API calls 101478->101481 101479 bb6d2a 101482 bdc11d 289 API calls 101479->101482 101480 bb6d3d 101541 b6a820 101480->101541 101481->101483 101489 bb6d36 101482->101489 101483->101479 101483->101480 101486 bb6de5 101486->100964 101487 bb6d74 101488 bb6dbf 101487->101488 101487->101489 101491 bb6da4 101487->101491 101488->101489 101564 bca2fa 89 API calls 4 library calls 101488->101564 101565 bb6ad4 59 API calls Mailbox 101489->101565 101558 bb6e50 101491->101558 101493->100964 101494->100946 101495->100952 101672 b73740 101496->101672 101498 b6bb86 101775 bca2fa 89 API calls 4 library calls 101498->101775 101500 ba2fe6 101776 bca2fa 89 API calls 4 library calls 101500->101776 101501 b6b07f 101501->101498 101501->101500 101503 ba3004 101501->101503 101535 b6b132 Mailbox _memmove 101501->101535 101777 bca2fa 89 API calls 4 library calls 101503->101777 101505 ba348e 101537 b6b4dd 101505->101537 101807 bca2fa 89 API calls 4 library calls 101505->101807 101506 bb70ed 59 API calls 101506->101535 101507 ba30ba 101507->101537 101779 bca2fa 89 API calls 4 library calls 101507->101779 101512 ba3036 101512->101507 101778 b6a9de 289 API calls 101512->101778 101515 b653b0 289 API calls 101515->101535 101516 b63b31 59 API calls 101516->101535 101519 ba3348 101520 b653b0 289 API calls 101519->101520 101521 ba3378 101520->101521 101521->101537 101801 b639be 101521->101801 101526 b63c30 68 API calls 101526->101535 101527 ba30f3 101780 bca2fa 89 API calls 4 library calls 101527->101780 101528 ba339f 101805 bca2fa 89 API calls 4 library calls 101528->101805 101531 b65190 Mailbox 59 API calls 101531->101535 101532 b71c9c 59 API calls 101532->101535 101533 b80f16 59 API calls Mailbox 101533->101535 101534 b6523c 59 API calls 101534->101535 101535->101498 101535->101505 101535->101506 101535->101512 101535->101515 101535->101516 101535->101519 101535->101526 101535->101527 101535->101528 101535->101531 
102724->102725 102726 b808fd GetLongPathNameW 102725->102726 102727 b71821 59 API calls 102726->102727 102728 b731f7 102727->102728 102729 b72f3d 102728->102729 102730 b71207 59 API calls 102729->102730 102731 b72f4f 102730->102731 102732 b801af 60 API calls 102731->102732 102733 b72f5a 102732->102733 102734 b72f65 102733->102734 102735 bb00f7 102733->102735 102736 b74c94 59 API calls 102734->102736 102737 b7151f 61 API calls 102735->102737 102741 bb0111 102735->102741 102738 b72f71 102736->102738 102737->102735 102776 b61307 102738->102776 102740 b72f84 Mailbox 102740->102675 102782 b749c2 102742->102782 102777 b61319 102776->102777 102781 b61338 _memmove 102776->102781 102779 b80f16 Mailbox 59 API calls 102777->102779 102778 b80f16 Mailbox 59 API calls 102780 b6134f 102778->102780 102779->102781 102780->102740 102781->102778 103522 b83397 __freefls@4 103521->103522 103523 b89d6b __lock 51 API calls 103522->103523 103524 b8339e 103523->103524 103525 b83457 _doexit 103524->103525 103526 b833cc DecodePointer 103524->103526 103541 b834a5 103525->103541 103526->103525 103528 b833e3 DecodePointer 103526->103528 103534 b833f3 103528->103534 103530 b834b4 __freefls@4 103530->102462 103532 b83400 EncodePointer 103532->103534 103533 b8349c 103535 b83201 __mtinitlocknum 3 API calls 103533->103535 103534->103525 103534->103532 103536 b83410 DecodePointer EncodePointer 103534->103536 103537 b834a5 103535->103537 103539 b83422 DecodePointer DecodePointer 103536->103539 103538 b834b2 103537->103538 103546 b89ed5 LeaveCriticalSection 103537->103546 103538->102462 103539->103534 103542 b834ab 103541->103542 103544 b83485 103541->103544 103547 b89ed5 LeaveCriticalSection 103542->103547 103544->103530 103545 b89ed5 LeaveCriticalSection 103544->103545 103545->103533 103546->103538 103547->103544 103548 b61066 103553 b6aaaa 103548->103553 103550 b6106c 103551 b82ea0 __cinit 67 API calls 103550->103551 103552 b61076 103551->103552 103554 b6aacb 103553->103554 103586 b80216 
103554->103586 103558 b6ab12 103559 b71207 59 API calls 103558->103559 103560 b6ab1c 103559->103560 103561 b71207 59 API calls 103560->103561 103562 b6ab26 103561->103562 103563 b71207 59 API calls 103562->103563 103564 b6ab30 103563->103564 103565 b71207 59 API calls 103564->103565 103566 b6ab6e 103565->103566 103567 b71207 59 API calls 103566->103567 103568 b6ac39 103567->103568 103596 b804b3 103568->103596 103572 b6ac6b 103573 b71207 59 API calls 103572->103573 103574 b6ac75 103573->103574 103624 b7fd56 103574->103624 103576 b6acbc 103577 b6accc GetStdHandle 103576->103577 103578 ba2e69 103577->103578 103579 b6ad18 103577->103579 103578->103579 103581 ba2e72 103578->103581 103580 b6ad20 OleInitialize 103579->103580 103580->103550 103631 bc6f60 64 API calls Mailbox 103581->103631 103583 ba2e79 103632 bc762f CreateThread 103583->103632 103585 ba2e85 CloseHandle 103585->103580 103633 b802ef 103586->103633 103589 b802ef 59 API calls 103590 b80258 103589->103590 103591 b71207 59 API calls 103590->103591 103592 b80264 103591->103592 103593 b71821 59 API calls 103592->103593 103594 b6aad1 103593->103594 103595 b806e6 6 API calls 103594->103595 103595->103558 103597 b71207 59 API calls 103596->103597 103598 b804c3 103597->103598 103599 b71207 59 API calls 103598->103599 103600 b804cb 103599->103600 103640 b710c3 103600->103640 103603 b710c3 59 API calls 103604 b804db 103603->103604 103605 b71207 59 API calls 103604->103605 103606 b804e6 103605->103606 103607 b80f16 Mailbox 59 API calls 103606->103607 103608 b6ac43 103607->103608 103609 b7fe77 103608->103609 103610 b7fe85 103609->103610 103611 b71207 59 API calls 103610->103611 103612 b7fe90 103611->103612 103613 b71207 59 API calls 103612->103613 103614 b7fe9b 103613->103614 103615 b71207 59 API calls 103614->103615 103616 b7fea6 103615->103616 103617 b71207 59 API calls 103616->103617 103618 b7feb1 103617->103618 103619 b710c3 59 API calls 103618->103619 103620 b7febc 103619->103620 103621 b80f16 Mailbox 59 API calls 
103620->103621 103622 b7fec3 RegisterWindowMessageW 103621->103622 103622->103572 103625 b7fd66 103624->103625 103626 bb5ff1 103624->103626 103627 b80f16 Mailbox 59 API calls 103625->103627 103643 bc9f97 59 API calls 103626->103643 103629 b7fd6e 103627->103629 103629->103576 103630 bb5ffc 103631->103583 103632->103585 103644 bc7615 65 API calls 103632->103644 103634 b71207 59 API calls 103633->103634 103635 b802fa 103634->103635 103636 b71207 59 API calls 103635->103636 103637 b80302 103636->103637 103638 b71207 59 API calls 103637->103638 103639 b8024e 103638->103639 103639->103589 103641 b71207 59 API calls 103640->103641 103642 b710cb 103641->103642 103642->103603 103643->103630 103645 b9db8a 103646 b80f16 Mailbox 59 API calls 103645->103646 103647 b9db91 103646->103647 103648 b80f16 Mailbox 59 API calls 103647->103648 103651 b9dbaa _memmove 103647->103651 103648->103651 103649 b80f16 Mailbox 59 API calls 103650 b9dbcf 103649->103650 103651->103649 103652 b74d83 103653 b74dba 103652->103653 103654 b74e37 103653->103654 103655 b74dd8 103653->103655 103691 b74e35 103653->103691 103657 bb0942 103654->103657 103658 b74e3d 103654->103658 103659 b74de5 103655->103659 103660 b74ead PostQuitMessage 103655->103660 103656 b74e1a DefWindowProcW 103664 b74e28 103656->103664 103663 b6c460 10 API calls 103657->103663 103665 b74e65 SetTimer RegisterWindowMessageW 103658->103665 103666 b74e42 103658->103666 103661 b74df0 103659->103661 103662 bb09b5 103659->103662 103660->103664 103667 b74eb7 103661->103667 103668 b74df8 103661->103668 103707 bc2b3a 97 API calls _memset 103662->103707 103671 bb0969 103663->103671 103665->103664 103669 b74e8e CreatePopupMenu 103665->103669 103672 bb08e5 103666->103672 103673 b74e49 KillTimer 103666->103673 103697 b75b29 103667->103697 103674 bb099a 103668->103674 103675 b74e03 103668->103675 103669->103664 103677 b6c483 289 API calls 103671->103677 103679 bb08ea 103672->103679 103680 bb091e MoveWindow 103672->103680 103681 b75ac3 
Shell_NotifyIconW 103673->103681 103674->103656 103706 bb8637 59 API calls Mailbox 103674->103706 103682 b74e0e 103675->103682 103683 b74e9b 103675->103683 103676 bb09c7 103676->103656 103676->103664 103677->103682 103684 bb08ee 103679->103684 103685 bb090d SetFocus 103679->103685 103680->103664 103686 b74e5c 103681->103686 103682->103656 103694 b75ac3 Shell_NotifyIconW 103682->103694 103705 b75bd7 107 API calls _memset 103683->103705 103684->103682 103688 bb08f7 103684->103688 103685->103664 103704 b634e4 DeleteObject DestroyWindow Mailbox 103686->103704 103693 b6c460 10 API calls 103688->103693 103691->103656 103692 b74eab 103692->103664 103693->103664 103695 bb098e 103694->103695 103696 b759d3 94 API calls 103695->103696 103696->103691 103698 b75bc2 103697->103698 103699 b75b40 _memset 103697->103699 103698->103664 103700 b756f8 87 API calls 103699->103700 103703 b75b67 103700->103703 103701 b75bab KillTimer SetTimer 103701->103698 103702 bb0cee Shell_NotifyIconW 103702->103701 103703->103701 103703->103702 103704->103664 103705->103692 103706->103691 103707->103676 103708 b638ce 103709 b638d8 103708->103709 103710 b638f9 103708->103710 103711 b63b31 59 API calls 103709->103711 103716 b9d282 103710->103716 103717 bb6afa 59 API calls 103710->103717 103712 b638e8 103711->103712 103714 b63b31 59 API calls 103712->103714 103715 b638f8 103714->103715 103717->103710 103718 b69a6c 103721 b6829c 103718->103721 103720 b69a78 103722 b682b4 103721->103722 103729 b68308 103721->103729 103723 b653b0 289 API calls 103722->103723 103722->103729 103727 b682eb 103723->103727 103725 ba0e08 103725->103725 103726 b68331 103726->103720 103727->103726 103728 b6523c 59 API calls 103727->103728 103728->103729 103729->103726 103730 bca2fa 89 API calls 4 library calls 103729->103730 103730->103725 103731 b69a88 103734 b686e0 103731->103734 103735 b686fd 103734->103735 103736 ba0f28 103735->103736 103737 ba0edd 103735->103737 103758 b68724 103735->103758 103769 bda898 289 API calls 
__cinit 103736->103769 103740 ba0ee5 103737->103740 103744 ba0ef2 103737->103744 103737->103758 103738 b65278 59 API calls 103738->103758 103767 bdaeac 289 API calls 103740->103767 103742 b82ea0 __cinit 67 API calls 103742->103758 103759 b6898d 103744->103759 103768 bdb354 289 API calls 3 library calls 103744->103768 103745 b63f42 68 API calls 103745->103758 103746 ba11b9 103746->103746 103748 ba10df 103771 bdac03 89 API calls 103748->103771 103751 b68a17 103752 b639be 68 API calls 103752->103758 103756 b6523c 59 API calls 103756->103758 103757 b63c30 68 API calls 103757->103758 103758->103738 103758->103742 103758->103745 103758->103748 103758->103751 103758->103752 103758->103756 103758->103757 103758->103759 103760 b653b0 289 API calls 103758->103760 103761 b71c9c 59 API calls 103758->103761 103763 b63938 68 API calls 103758->103763 103764 b6855e 289 API calls 103758->103764 103765 b684e2 89 API calls 103758->103765 103766 b6835f 289 API calls 103758->103766 103770 bb718e 59 API calls 103758->103770 103759->103751 103772 bca2fa 89 API calls 4 library calls 103759->103772 103760->103758 103761->103758 103763->103758 103764->103758 103765->103758 103766->103758 103767->103744 103768->103759 103769->103758 103770->103758 103771->103759 103772->103746

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B7526C
                                                              • IsDebuggerPresent.KERNEL32 ref: 00B7527E
                                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00B752E6
                                                                • Part of subcall function 00B71821: _memmove.LIBCMT ref: 00B7185B
                                                                • Part of subcall function 00B6BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B6BC07
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B75366
                                                              • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00BB0AAE
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00BB0AE6
                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C15230), ref: 00BB0B69
                                                              • ShellExecuteW.SHELL32(00000000), ref: 00BB0B70
                                                                • Part of subcall function 00B7514C: GetSysColorBrush.USER32(0000000F), ref: 00B75156
                                                                • Part of subcall function 00B7514C: LoadCursorW.USER32(00000000,00007F00), ref: 00B75165
                                                                • Part of subcall function 00B7514C: LoadIconW.USER32(00000063), ref: 00B7517C
                                                                • Part of subcall function 00B7514C: LoadIconW.USER32(000000A4), ref: 00B7518E
                                                                • Part of subcall function 00B7514C: LoadIconW.USER32(000000A2), ref: 00B751A0
                                                                • Part of subcall function 00B7514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B751C6
                                                                • Part of subcall function 00B7514C: RegisterClassExW.USER32(?), ref: 00B7521C
                                                                • Part of subcall function 00B750DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B75109
                                                                • Part of subcall function 00B750DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B7512A
                                                                • Part of subcall function 00B750DB: ShowWindow.USER32(00000000), ref: 00B7513E
                                                                • Part of subcall function 00B750DB: ShowWindow.USER32(00000000), ref: 00B75147
                                                                • Part of subcall function 00B759D3: _memset.LIBCMT ref: 00B759F9
                                                                • Part of subcall function 00B759D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B75A9E
                                                              Strings
                                                              • AutoIt, xrefs: 00BB0AA3
                                                              • runas, xrefs: 00BB0B64
                                                              • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00BB0AA8
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                              • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                              • API String ID: 529118366-2030392706
                                                              • Opcode ID: 29bfe68c5a18bb911a9d92a94e3f69da74fcd29a48de7da636c3ef2acacd8de5
                                                              • Instruction ID: 20d4e5ca18e4dbbb9531c2d35a12297687c1f537e8b64c3dbe857a09af149379
                                                              • Opcode Fuzzy Hash: 29bfe68c5a18bb911a9d92a94e3f69da74fcd29a48de7da636c3ef2acacd8de5
                                                              • Instruction Fuzzy Hash: 0951F370914249EACB21FBB8DC45EFE7BF8EB05340B1481E5F46AA31A2CAB45946D730

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00B801AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B72A58,?,00008000), ref: 00B801CF
                                                                • Part of subcall function 00BC4E59: GetFileAttributesW.KERNEL32(?,00BC3A6B), ref: 00BC4E5A
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00BC3C03
                                                              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00BC3CAB
                                                              • MoveFileW.KERNEL32(?,?), ref: 00BC3CBE
                                                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00BC3CDB
                                                              • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00BC3CFD
                                                              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00BC3D19
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                              • String ID: \*.*
                                                              • API String ID: 4002782344-1173974218
                                                              • Opcode ID: b512bd49fe136af79b7388aed7203ad80a043abd374f2955f6a71f3c406db1b2
                                                              • Instruction ID: 74e51a1e3571d77aed41dcab41729236393daf6d312dfd1406b0e50204f644a9
                                                              • Opcode Fuzzy Hash: b512bd49fe136af79b7388aed7203ad80a043abd374f2955f6a71f3c406db1b2
                                                              • Instruction Fuzzy Hash: 0751503180110D9ACB15FBE8D992EEDB7F9EF10301F6085A9E456B7192EF215F49CB60

                                                              Control-flow Graph

                                                              APIs
                                                              • GetVersionExW.KERNEL32(?), ref: 00B75D40
                                                                • Part of subcall function 00B71821: _memmove.LIBCMT ref: 00B7185B
                                                              • GetCurrentProcess.KERNEL32(?,00BF0A18,00000000,00000000,?), ref: 00B75E07
                                                              • IsWow64Process.KERNEL32(00000000), ref: 00B75E0E
                                                              • GetNativeSystemInfo.KERNEL32(00000000), ref: 00B75E54
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00B75E5F
                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00B75E90
                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00B75E9C
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                              • String ID:
                                                              • API String ID: 1986165174-0
                                                              • Opcode ID: 54cdd944626642012fb2345eaa75c16fea7a16bcc80ed7c0a33b5f5fbddbbfc8
                                                              • Instruction ID: f2cee94e6089b95865996e578368c6ef98510f8b283b4b88cd6f444bdd7d3580
                                                              • Opcode Fuzzy Hash: 54cdd944626642012fb2345eaa75c16fea7a16bcc80ed7c0a33b5f5fbddbbfc8
                                                              • Instruction Fuzzy Hash: 4991D331549BC0DEC731DB6884905BBFFE5EF29300B988ADED0DB93A41D670A648C769

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00B801AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B72A58,?,00008000), ref: 00B801CF
                                                                • Part of subcall function 00BC4E59: GetFileAttributesW.KERNEL32(?,00BC3A6B), ref: 00BC4E5A
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00BC3EE9
                                                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 00BC3F39
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BC3F4A
                                                              • FindClose.KERNEL32(00000000), ref: 00BC3F61
                                                              • FindClose.KERNEL32(00000000), ref: 00BC3F6A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                              • String ID: \*.*
                                                              • API String ID: 2649000838-1173974218
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00BC3FDA
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00BC3FE8
                                                              • Process32NextW.KERNEL32(00000000,?), ref: 00BC4008
                                                              • FindCloseChangeNotification.KERNEL32(00000000), ref: 00BC40B2
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                                              • String ID:
                                                              • API String ID: 3243318325-0
                                                              APIs
                                                                • Part of subcall function 00B73740: CharUpperBuffW.USER32(?,00C261DC,00000001,?,00000000,00C261DC,?,00B653A5,?,?,?,?), ref: 00B7375D
                                                              • _memmove.LIBCMT ref: 00B6B68A
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper_memmove
                                                              • String ID:
                                                              • API String ID: 2819905725-0
                                                              APIs
                                                              • GetFileAttributesW.KERNEL32(?,00BAFC06), ref: 00BC47C7
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00BC47D8
                                                              • FindClose.KERNEL32(00000000), ref: 00BC47E8
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: FileFind$AttributesCloseFirst
                                                              • String ID:
                                                              • API String ID: 48322524-0
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              APIs
                                                              • FindCloseChangeNotification.KERNEL32 ref: 00B80E05
                                                              • NtResumeThread.NTDLL ref: 00B80E17
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ChangeCloseFindNotificationResumeThread
                                                              • String ID:
                                                              • API String ID: 177874822-0
                                                              APIs
                                                              • timeGetTime.WINMM ref: 00B6BF57
                                                                • Part of subcall function 00B652B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B652E6
                                                              • Sleep.KERNEL32(0000000A,?,?), ref: 00BA35E5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessagePeekSleepTimetime
                                                              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                                              • API String ID: 1792118007-922114024
                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00B63444
                                                              • RegisterClassExW.USER32(00000030), ref: 00B6346E
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B6347F
                                                              • InitCommonControlsEx.COMCTL32(?), ref: 00B6349C
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B634AC
                                                              • LoadIconW.USER32(000000A9), ref: 00B634C2
                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B634D1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                              • API String ID: 2914291525-1005189915
                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00B63444
                                                              • RegisterClassExW.USER32(00000030), ref: 00B6346E
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B6347F
                                                              • InitCommonControlsEx.COMCTL32(?), ref: 00B6349C
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B634AC
                                                              • LoadIconW.USER32(000000A9), ref: 00B634C2
                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B634D1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                              • API String ID: 2914291525-1005189915
                                                              APIs
                                                                • Part of subcall function 00B7FFFA: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00B73094), ref: 00B80018
                                                                • Part of subcall function 00B807EC: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00B7309F), ref: 00B8080E
                                                              • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B730E2
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BB013A
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BB017B
                                                              • RegCloseKey.ADVAPI32(?), ref: 00BB01B9
                                                              • _wcscat.LIBCMT ref: 00BB0212
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                              • API String ID: 2673923337-2727554177
                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00B75156
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00B75165
                                                              • LoadIconW.USER32(00000063), ref: 00B7517C
                                                              • LoadIconW.USER32(000000A4), ref: 00B7518E
                                                              • LoadIconW.USER32(000000A2), ref: 00B751A0
                                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B751C6
                                                              • RegisterClassExW.USER32(?), ref: 00B7521C
                                                                • Part of subcall function 00B63411: GetSysColorBrush.USER32(0000000F), ref: 00B63444
                                                                • Part of subcall function 00B63411: RegisterClassExW.USER32(00000030), ref: 00B6346E
                                                                • Part of subcall function 00B63411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B6347F
                                                                • Part of subcall function 00B63411: InitCommonControlsEx.COMCTL32(?), ref: 00B6349C
                                                                • Part of subcall function 00B63411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B634AC
                                                                • Part of subcall function 00B63411: LoadIconW.USER32(000000A9), ref: 00B634C2
                                                                • Part of subcall function 00B63411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B634D1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                              • String ID: #$0$AutoIt v3
                                                              • API String ID: 423443420-4155596026
                                                              • Opcode ID: ff0448846543cace180f7a4cae5b0cc58c10e88cb19d615717d619e0269152b2
                                                              • Instruction ID: 2b16e8dce4655a330c9b4cb7db9e31fa368b75af5c0d403340198468e1886111
                                                              • Opcode Fuzzy Hash: ff0448846543cace180f7a4cae5b0cc58c10e88cb19d615717d619e0269152b2
                                                              • Instruction Fuzzy Hash: 7E216B71D20308EFEB21AFA4EC09BADBBF4FB08314F004169E504A76A1D7B65915CFA0

                                                               Control-flow Graph (graph image not recoverable; executed/not-executed colouring lost): entry block bd5be2; WSAStartup at bd5c39; inet_addr and gethostbyname at bd5c62; IcmpCreateFile at bd5ca2; two IcmpSendEcho call sites at bd5cf9 and bd5d1a that rejoin at bd5d32; IcmpCloseHandle and WSACleanup at bd5d99; the paths through bd5c4d, bd5cb1 and bd5d6b each call bb6f18 before the function returns at bd5dbb.
                                                              APIs
                                                              • WSAStartup.WS2_32(00000101,?), ref: 00BD5C43
                                                              • inet_addr.WSOCK32(?,?,?), ref: 00BD5C88
                                                              • gethostbyname.WS2_32(?), ref: 00BD5C94
                                                              • IcmpCreateFile.IPHLPAPI ref: 00BD5CA2
                                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BD5D12
                                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BD5D28
                                                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00BD5D9D
                                                              • WSACleanup.WSOCK32 ref: 00BD5DA3
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                              • String ID: Ping
                                                              • API String ID: 1028309954-2246546115
                                                              • Opcode ID: 90e5c8080c6029ccd916dcf221d0229cffeac20aa9382c86211592c89f617ca6
                                                              • Instruction ID: 0ea13f81438f31f01101c2430cab8c0a9746b20f4f7e327f50b688f9d520c226
                                                              • Opcode Fuzzy Hash: 90e5c8080c6029ccd916dcf221d0229cffeac20aa9382c86211592c89f617ca6
                                                              • Instruction Fuzzy Hash: BE515E316047009FD721AF24DC89F6ABBE5EB48710F0489AAF5669B3A1EB70ED41CB51

                                                               Control-flow Graph (graph image not recoverable; executed/not-executed colouring lost): window-procedure entry at b74d83 dispatching on the message; default path b74e1a DefWindowProcW; b74ead PostQuitMessage; b74e49 KillTimer; b74e65 SetTimer and RegisterWindowMessageW, continuing to b74e8e CreatePopupMenu; out-of-line blocks bb091e MoveWindow and bb090d SetFocus (neither is listed under APIs below); exit at b74e28.
                                                              APIs
                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 00B74E22
                                                              • KillTimer.USER32(?,00000001), ref: 00B74E4C
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B74E6F
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B74E7A
                                                              • CreatePopupMenu.USER32 ref: 00B74E8E
                                                              • PostQuitMessage.USER32(00000000), ref: 00B74EAF
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                              • String ID: TaskbarCreated
                                                              • API String ID: 129472671-2362178303
                                                              • Opcode ID: e07c8bc29f9fd0432980836758477af38ab4a8fc9ddfe204dd8c0c2813c84b45
                                                              • Instruction ID: d5016b4c3923d7e2c58411050a9d3077dcc6f2c6bfb7bb40a471c96a8ccfb598
                                                              • Opcode Fuzzy Hash: e07c8bc29f9fd0432980836758477af38ab4a8fc9ddfe204dd8c0c2813c84b45
                                                              • Instruction Fuzzy Hash: 29410B71220149ABDF297F28DC89B7E36D5F741312F0041E9F56A936E2CBB4AC119772

                                                               Control-flow Graph (graph image not recoverable; executed/not-executed colouring lost): shutdown routine entered at b6ad98; b6add7 mciSendStringW; loop from b6afc0 with UnregisterHotKey at b6afcf; loop from ba2e9f with DestroyWindow at ba2e93 and FindClose at ba2ebd (FindClose is not listed under APIs below); FreeLibrary loop at ba2ef7; VirtualFree loop at ba2f1c; OleUninitialize at b6ae80; then a chain of helper calls (b71cb6, b7fe1c, b74c0a, b8045a, b808b4, b80a7a, bbd3ae, b8030e, bb7019, bca091) before return.
                                                              APIs
                                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B6ADE1
                                                              • OleUninitialize.OLE32(?,00000000), ref: 00B6AE80
                                                              • UnregisterHotKey.USER32(?), ref: 00B6AFD7
                                                              • DestroyWindow.USER32(?), ref: 00BA2E94
                                                              • FreeLibrary.KERNEL32(?), ref: 00BA2EF9
                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BA2F26
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                              • String ID: close all
                                                              • API String ID: 469580280-3243417748
                                                              • Opcode ID: a526df59f8b04d9730567b943358fdf0fcf1d6f5de37dc4aa61b655e41bff0a2
                                                              • Instruction ID: 91a5ebd34b6c29149650a65c035dc5d8541d5563652247888d3db381b1cc7f21
                                                              • Opcode Fuzzy Hash: a526df59f8b04d9730567b943358fdf0fcf1d6f5de37dc4aa61b655e41bff0a2
                                                              • Instruction Fuzzy Hash: DEA15C707052129FCB29EF58C495A69F7E4EF05740F1482EDE80AAB261CB31AD56CF91

                                                              APIs
                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BB0BDB
                                                                • Part of subcall function 00B71821: _memmove.LIBCMT ref: 00B7185B
                                                              • _memset.LIBCMT ref: 00B75787
                                                              • _wcscpy.LIBCMT ref: 00B757DB
                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B757EB
                                                              • __swprintf.LIBCMT ref: 00BB0C51
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                                              • String ID: Line %d: $2#2#$AutoIt -
                                                              • API String ID: 230667853-2022516920
                                                              • Opcode ID: 0c035530c90b94d96dc28dc1fc57606115b5a732d140034a571b94d7370f1ddf
                                                              • Instruction ID: 3280b0cd10eb77f8bc5d0b23e8a4dd1c1f0293a0b75fe79dadbceee8d4fe18aa
                                                              • Opcode Fuzzy Hash: 0c035530c90b94d96dc28dc1fc57606115b5a732d140034a571b94d7370f1ddf
                                                              • Instruction Fuzzy Hash: 4B418171018304AAD325FB68DC81BEF77ECAB44354F008A5EF199920A1DF749649C7A2

                                                               Control-flow Graph: single basic block b750db-b7514b calling CreateWindowExW twice and ShowWindow twice.
                                                              APIs
                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B75109
                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B7512A
                                                              • ShowWindow.USER32(00000000), ref: 00B7513E
                                                              • ShowWindow.USER32(00000000), ref: 00B75147
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$CreateShow
                                                              • String ID: AutoIt v3$edit
                                                              • API String ID: 1584632944-3779509399
                                                              • Opcode ID: 51f9e0d486839f82cf472c8c1ddcebc84ec632d5c5cca2589ae91650050b4223
                                                              • Instruction ID: db5d77f20d2adb4b071bb018c8165789a0b35b8dd78d807b7de07af70c3efc17
                                                              • Opcode Fuzzy Hash: 51f9e0d486839f82cf472c8c1ddcebc84ec632d5c5cca2589ae91650050b4223
                                                              • Instruction Fuzzy Hash: 56F03A71660294FEEA312B276C08F3B2E7DD7C6F10F01006ABA00A35B1C6B51C02CAB0

                                                               Control-flow Graph (graph image not recoverable; executed/not-executed colouring lost): entry bc9983 calls b74a8c (_fseek) and bc9b5e (_wcscmp); on the success path bc9a12 calls b74ab2 four times, b74a8c, b8586c twice and b74ab2 once more, then bc9aa3 calls bc9531 and bc8d7b; bc9ae6 calls bc8f2e; the blocks bc9acb, bc9ae6 and bc9b45 call b82eb5 (_free) before the return at bc9b55.
                                                              APIs
                                                                • Part of subcall function 00B74A8C: _fseek.LIBCMT ref: 00B74AA4
                                                                • Part of subcall function 00BC9B5E: _wcscmp.LIBCMT ref: 00BC9C4E
                                                                • Part of subcall function 00BC9B5E: _wcscmp.LIBCMT ref: 00BC9C61
                                                              • _free.LIBCMT ref: 00BC9ACC
                                                              • _free.LIBCMT ref: 00BC9AD3
                                                              • _free.LIBCMT ref: 00BC9B3E
                                                                • Part of subcall function 00B82EB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00B89B84,00000000,00B88C8D,00B858F3), ref: 00B82EC9
                                                                • Part of subcall function 00B82EB5: GetLastError.KERNEL32(00000000,?,00B89B84,00000000,00B88C8D,00B858F3), ref: 00B82EDB
                                                              • _free.LIBCMT ref: 00BC9B46
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                              • String ID: >>>AUTOIT SCRIPT<<<
                                                              • API String ID: 1552873950-2806939583
                                                              • Opcode ID: 20fccfcb85c1c948ce41d43a273c7b1dedaaafa116fe90817cb3b360153e1c60
                                                              • Instruction ID: aa3c3e83242e668cd9eba90ac14a622dd7652e7138037af6e0348fb60ac4204b
                                                              • Opcode Fuzzy Hash: 20fccfcb85c1c948ce41d43a273c7b1dedaaafa116fe90817cb3b360153e1c60
                                                              • Instruction Fuzzy Hash: 435128B1D04258ABDF249F64DC85AAEBBB9FF48300F0044EEB619A3251DB715E80CF58

                                                               Control-flow Graph (graph image not recoverable; executed/not-executed colouring lost; no Windows API calls in this routine): entry b8556d; b88c88 and b88f16 called on the error path at b85593/b8559e; b82f40, b90d07, b90e28, b84836 and b90fbe called inside the loop b85609..b856e4; exit block b855a5 (also reached from b8571e).
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                              • String ID:
                                                              • API String ID: 1559183368-0
                                                              • Opcode ID: 6144165ff69bcfd719b70aa37aa99b766954ae34ab2424f86f42b6890169cbb7
                                                              • Instruction ID: 94ca67cda6c46d7ba18530e9ec566f02b3da8eee83cde49a55e353c066d4d123
                                                              • Opcode Fuzzy Hash: 6144165ff69bcfd719b70aa37aa99b766954ae34ab2424f86f42b6890169cbb7
                                                              • Instruction Fuzzy Hash: 6651A270A00A05DBDF34AF6988806AE77F6EF50320F6487A9F825962F0E7709D50CB40
                                                              APIs
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B652E6
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B6534A
                                                              • TranslateMessage.USER32(?), ref: 00B65356
                                                              • DispatchMessageW.USER32(?), ref: 00B65360
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Message$Peek$DispatchTranslate
                                                              • String ID:
                                                              • API String ID: 1795658109-0
                                                              • Opcode ID: fc9981e431cbf1ca5a605b5ee3a8b7dd6d66dc5640bd9b976c0d807db7b88c89
                                                              • Instruction ID: 747cee7c10a5d0d1da9651ba74d6423ee1c0a9802d7c8b4f7dd956b68cc376ee
                                                              • Opcode Fuzzy Hash: fc9981e431cbf1ca5a605b5ee3a8b7dd6d66dc5640bd9b976c0d807db7b88c89
                                                              • Instruction Fuzzy Hash: 9331E470504B06DBEF30CB64DC84BBA37E8EB11B44F1401E9E4129B6E1D7B8A89AD735
                                                              APIs
                                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BC5688
                                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00BC5696
                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BC569E
                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00BC56A8
                                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BC56E4
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                                              • String ID:
                                                              • API String ID: 2833360925-0
                                                              • Opcode ID: 52d244b3a92c4151cdb7115b933f2fbd01eafbc27c0a7a1c43b7238f482cc9ab
                                                              • Instruction ID: 6ced14cb1d9a80e627914b7a0082b68c3bbe483d1e297c15748ba9757d9d5b7b
                                                              • Opcode Fuzzy Hash: 52d244b3a92c4151cdb7115b933f2fbd01eafbc27c0a7a1c43b7238f482cc9ab
                                                              • Instruction Fuzzy Hash: EE012171D01A19DBDF10AFE4D848AEDBBB8FB18711F8145A9E501B3151CB70A590C761
                                                              APIs
                                                              • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B61275,SwapMouseButtons,00000004,?), ref: 00B612A8
                                                              • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B61275,SwapMouseButtons,00000004,?), ref: 00B612C9
                                                              • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00B61275,SwapMouseButtons,00000004,?), ref: 00B612EB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: Control Panel\Mouse
                                                              • API String ID: 3677997916-824357125
                                                              • Opcode ID: 53c2064e59b638ffbcdd1c47fa3ba4900ec00901cec192df7608f6a251845f5d
                                                              • Instruction ID: 90e23ecdec1a23d4febb38e62becb8e63f5b266207b9d5782b0f3f26baba087e
                                                              • Opcode Fuzzy Hash: 53c2064e59b638ffbcdd1c47fa3ba4900ec00901cec192df7608f6a251845f5d
                                                              • Instruction Fuzzy Hash: 13111875510208BFDB20CFA8DC84EAEBBECEF05741F144999E805D7220D6759E4097A4
                                                              APIs
                                                              • _memset.LIBCMT ref: 00B75B58
                                                                • Part of subcall function 00B756F8: _memset.LIBCMT ref: 00B75787
                                                                • Part of subcall function 00B756F8: _wcscpy.LIBCMT ref: 00B757DB
                                                                • Part of subcall function 00B756F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B757EB
                                                              • KillTimer.USER32(?,00000001,?,?), ref: 00B75BAD
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B75BBC
                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BB0CFC
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                              • String ID:
                                                              • API String ID: 1378193009-0
                                                              • Opcode ID: 3ec6ea5c24ab2c661e8f970188a8127b9fcd7d1371bac349891f46446e126282
                                                              • Instruction ID: 60180a0b7c0a1e6ea1805d8ee52ef2d1530b511650f218df9621601f3088b733
                                                              • Opcode Fuzzy Hash: 3ec6ea5c24ab2c661e8f970188a8127b9fcd7d1371bac349891f46446e126282
                                                              • Instruction Fuzzy Hash: 0821B070914784AFE772AB248895BFBBBECEB01308F0441CDE69E57292C7B42D85CB51
                                                              APIs
                                                                • Part of subcall function 00B749C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00B727AF,?,00000001), ref: 00B749F4
                                                              • _free.LIBCMT ref: 00BAFA84
                                                              • _free.LIBCMT ref: 00BAFACB
                                                                • Part of subcall function 00B729BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B72ADF
                                                              Strings
                                                              • Bad directive syntax error, xrefs: 00BAFAB3
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _free$CurrentDirectoryLibraryLoad
                                                              • String ID: Bad directive syntax error
                                                              • API String ID: 2861923089-2118420937
                                                              • Opcode ID: 9c447b4b4af080a66d989d474368bad9386bc61ad459ffb23115c6b38a03287f
                                                              • Instruction ID: 8560f1e243972381777fe721127a2b4a2cea62e5c95671250a1681685408c2cd
                                                              • Opcode Fuzzy Hash: 9c447b4b4af080a66d989d474368bad9386bc61ad459ffb23115c6b38a03287f
                                                              • Instruction Fuzzy Hash: 23914F7191421AAFCF14EFA4CC919FEB7F4FF05310F1484AAE825AB2A1DB349A05CB50
                                                              APIs
                                                                • Part of subcall function 00B74AB2: __fread_nolock.LIBCMT ref: 00B74AD0
                                                              • _wcscmp.LIBCMT ref: 00BC9C4E
                                                              • _wcscmp.LIBCMT ref: 00BC9C61
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _wcscmp$__fread_nolock
                                                              • String ID: FILE
                                                              • API String ID: 4029003684-3121273764
                                                              • Opcode ID: e0b99192fec402c6ace0e29d2da74cdf4f64026671d9c26cde9b745336d53d1d
                                                              • Instruction ID: de731633872bd65e4844168f0194d9b585a55046263305dcd4029fb058e21325
                                                              • Opcode Fuzzy Hash: e0b99192fec402c6ace0e29d2da74cdf4f64026671d9c26cde9b745336d53d1d
                                                              • Instruction Fuzzy Hash: 1741F971A40209BAEF21AAA0CC49FDF7BFDEF45710F0040AAF914B7280DB719A44C765
                                                              APIs
                                                              • _memset.LIBCMT ref: 00BB02AB
                                                              • GetOpenFileNameW.COMDLG32(?), ref: 00BB02F5
                                                                • Part of subcall function 00B801AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B72A58,?,00008000), ref: 00B801CF
                                                                • Part of subcall function 00B808F0: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00B8090F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Name$Path$FileFullLongOpen_memset
                                                              • String ID: X
                                                              • API String ID: 3777226403-3081909835
                                                              • Opcode ID: d298a3fb5298c4fb988879a8300122e1dd09999783a62a2a6e7aedcd3b2776bd
                                                              • Instruction ID: 7de8636e0b313b11f52d2ce776c89d2d0eaf816dbbc459481186398728af96b6
                                                              • Opcode Fuzzy Hash: d298a3fb5298c4fb988879a8300122e1dd09999783a62a2a6e7aedcd3b2776bd
                                                              • Instruction Fuzzy Hash: BB219371A102489BDF41EFD8C845BEE7BF99F49710F00809AE418B7251DBF49A89DFA1
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1e8450b1191f35d0a9a2bcafd58685d4a072d92e41e97e1e6b50de9f5caadc87
                                                              • Instruction ID: 6888977685cb99f930e5291035a8ed785d16e1940b63041b1eb045a05c634f50
                                                              • Opcode Fuzzy Hash: 1e8450b1191f35d0a9a2bcafd58685d4a072d92e41e97e1e6b50de9f5caadc87
                                                              • Instruction Fuzzy Hash: 65F115B06087019FC714DF28C484A6AFBE5EF88314F1489AEF8999B351E775E945CF82
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: 25d8eb78a4a7b5a7ed4dc6346b776ce4dc0247b51107d5097d27ae83fdd10f21
                                                              • Instruction ID: fee287214eddbf654ec50f0672d5c9a9380b04eeabae85b0f05998fb4abc2381
                                                              • Opcode Fuzzy Hash: 25d8eb78a4a7b5a7ed4dc6346b776ce4dc0247b51107d5097d27ae83fdd10f21
                                                              • Instruction Fuzzy Hash: 6C61AEB1A00209EBDF049F29D9816AA7BF4FF44310F55C5A9EC69CF294EB31D960CB61
                                                              APIs
                                                                • Part of subcall function 00B806E6: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B80717
                                                                • Part of subcall function 00B806E6: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B8071F
                                                                • Part of subcall function 00B806E6: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B8072A
                                                                • Part of subcall function 00B806E6: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B80735
                                                                • Part of subcall function 00B806E6: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B8073D
                                                                • Part of subcall function 00B806E6: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B80745
                                                                • Part of subcall function 00B7FE77: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00B6AC6B), ref: 00B7FED2
                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B6AD08
                                                              • OleInitialize.OLE32(00000000), ref: 00B6AD85
                                                              • CloseHandle.KERNEL32(00000000), ref: 00BA2E86
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                              • String ID:
                                                              • API String ID: 1986988660-0
                                                              • Opcode ID: d9467a4338b46dc6263eca6a79714c3b51be89a8327bca3f1e1293af082d15f9
                                                              • Instruction ID: 7a9b8c56edc9e8ee4851633d14e0a8a73f7d0840d1421de27aa1f8964f3b042d
                                                              • Opcode Fuzzy Hash: d9467a4338b46dc6263eca6a79714c3b51be89a8327bca3f1e1293af082d15f9
                                                              • Instruction Fuzzy Hash: 5781B9B0921280CEC7A4EF39F95472D7AE4FB5870871081BAE099C7A72EB31540ACF34
                                                              APIs
                                                              • _memset.LIBCMT ref: 00B759F9
                                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B75A9E
                                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B75ABB
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: IconNotifyShell_$_memset
                                                              • String ID:
                                                              • API String ID: 1505330794-0
                                                              • Opcode ID: 00617abc3fe61647cda79b0e5247e631d45bf0f366bebaba7749f4570c5176d6
                                                              • Instruction ID: 17f50845b5135fbede78dae2a73b87932965a529fc4c91cfdac5d680026b0cc5
                                                              • Opcode Fuzzy Hash: 00617abc3fe61647cda79b0e5247e631d45bf0f366bebaba7749f4570c5176d6
                                                              • Instruction Fuzzy Hash: A9314FB0515701CFD731DF24D88579BBBF4EB48308F004A6EE5AA97251E7B1A944CB52
                                                              APIs
                                                              • __FF_MSGBANNER.LIBCMT ref: 00B85883
                                                                • Part of subcall function 00B8A2CB: __NMSG_WRITE.LIBCMT ref: 00B8A2F2
                                                                • Part of subcall function 00B8A2CB: __NMSG_WRITE.LIBCMT ref: 00B8A2FC
                                                              • __NMSG_WRITE.LIBCMT ref: 00B8588A
                                                                • Part of subcall function 00B8A328: GetModuleFileNameW.KERNEL32(00000000,00C243BA,00000104,00000004,00000001,00B80F33), ref: 00B8A3BA
                                                                • Part of subcall function 00B8A328: ___crtMessageBoxW.LIBCMT ref: 00B8A468
                                                                • Part of subcall function 00B83201: ___crtCorExitProcess.LIBCMT ref: 00B83207
                                                                • Part of subcall function 00B83201: ExitProcess.KERNEL32 ref: 00B83210
                                                                • Part of subcall function 00B88C88: __getptd_noexit.LIBCMT ref: 00B88C88
                                                              • RtlAllocateHeap.NTDLL(016F0000,00000000,00000001,?,00000004,?,?,00B80F33,?), ref: 00B858AF
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 1372826849-0
                                                              • Opcode ID: b28ea801e21b13f435f8285becfe650c7ae91b080b26ee37097f0bcb28faf41a
                                                              • Instruction ID: b56bd9b36746c3cbb899f334a9cccefa3f625e7b5caf0cee8b951881a8dbb865
                                                              • Opcode Fuzzy Hash: b28ea801e21b13f435f8285becfe650c7ae91b080b26ee37097f0bcb28faf41a
                                                              • Instruction Fuzzy Hash: 7501DE35250B02ABEA353B25AC52B2E22D8DF82B61B6001A7F401AB5B1DE709D41C7A1
                                                              APIs
                                                              • _free.LIBCMT ref: 00BC9143
                                                                • Part of subcall function 00B82EB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00B89B84,00000000,00B88C8D,00B858F3), ref: 00B82EC9
                                                                • Part of subcall function 00B82EB5: GetLastError.KERNEL32(00000000,?,00B89B84,00000000,00B88C8D,00B858F3), ref: 00B82EDB
                                                              • _free.LIBCMT ref: 00BC9154
                                                              • _free.LIBCMT ref: 00BC9166
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 144f5af94d943480d36d389951f06cd61afa83af8249d10b620ede2dc82f263b
                                                              • Instruction ID: c15288cd37bf08dc82d91663b9109246d351db0f78f4e5f69dd9cb5c0e094719
                                                              • Opcode Fuzzy Hash: 144f5af94d943480d36d389951f06cd61afa83af8249d10b620ede2dc82f263b
                                                              • Instruction Fuzzy Hash: CDE012B5A0160253DA2476786949F9313DC9F48752718049DB90AF7242CE34E841C26C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CALL
                                                              • API String ID: 0-4196123274
                                                              • Opcode ID: 65cadc3c814c96048077e0f27c4dbfd6b48bcda55d1991c17e7c486d603ab132
                                                              • Instruction ID: f120fafbf91d2a0ef9814b10a81f322053144bb2bc2abeb6431c69f218916293
                                                              • Opcode Fuzzy Hash: 65cadc3c814c96048077e0f27c4dbfd6b48bcda55d1991c17e7c486d603ab132
                                                              • Instruction Fuzzy Hash: B1323570508711DFDB24EF14C494A6ABBE1FF85304F1489ADE89A9B362D739EC45CB82
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID: EA06
                                                              • API String ID: 4104443479-3962188686
                                                              • Opcode ID: 2b2e3b51af08bcb9f55d23c0b0ec6680c633c0cbcc3098c35d402c513bd61927
                                                              • Instruction ID: 52d9d51c96b74da4ca22b84859725ad7d05c90f771e37f3d42c83f2fa06c36e0
                                                              • Opcode Fuzzy Hash: 2b2e3b51af08bcb9f55d23c0b0ec6680c633c0cbcc3098c35d402c513bd61927
                                                              • Instruction Fuzzy Hash: DB41AD31A041589FDF229B6488917BFBFE5CB45301F14C0F4EA9BA7282C7219D44C7A2
                                                              APIs
                                                              • _strcat.LIBCMT ref: 00BDDFD4
                                                                • Part of subcall function 00B64D37: __itow.LIBCMT ref: 00B64D62
                                                                • Part of subcall function 00B64D37: __swprintf.LIBCMT ref: 00B64DAC
                                                              • _wcscpy.LIBCMT ref: 00BDE063
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: __itow__swprintf_strcat_wcscpy
                                                              • String ID:
                                                              • API String ID: 1012013722-0
                                                              • Opcode ID: 76e521c21d5cae5d2f4f4d7b9c1b98caeeb9c644327c32cce611ceb3c52f62f2
                                                              • Instruction ID: df644f246834d6a07c7d091610c9a9898fb5996a05438ae8de0f01dd484e58fc
                                                              • Opcode Fuzzy Hash: 76e521c21d5cae5d2f4f4d7b9c1b98caeeb9c644327c32cce611ceb3c52f62f2
                                                              • Instruction Fuzzy Hash: B5913835B00504DFCB28EF18C5919A9BBE1EF49310B5584AAF81A9F366EB34ED01CB81
                                                              APIs
                                                              • _memmove.LIBCMT ref: 00BC6759
                                                              • _memmove.LIBCMT ref: 00BC6777
                                                                • Part of subcall function 00BC68E0: _memmove.LIBCMT ref: 00BC696E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: 7f034399ab0d1848d73dddd4d523cdfdefcfd3c223b9f20a2fa260dd8b6723ad
                                                              • Instruction ID: 925ef206d60edbb28ea586dc468b3cfbcd08f428f12c9f30ce8d9d4266af7aaa
                                                              • Opcode Fuzzy Hash: 7f034399ab0d1848d73dddd4d523cdfdefcfd3c223b9f20a2fa260dd8b6723ad
                                                              • Instruction Fuzzy Hash: 8471E4B06006049FDB249F14C885FBA77E5EF84364F28899EECD55B392CB35AC11CBA0
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?), ref: 00BC5FBB
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: BuffCharLower
                                                              • String ID:
                                                              • API String ID: 2358735015-0
                                                              • Opcode ID: e4a0a1a3837b944ea9f6492cd8805839763f186e8e185161c663fef75428cefa
                                                              • Instruction ID: d8a4b8c0efb9eea46717142a70fd71e0e391da3f269ac6be19afc18c75acbd21
                                                              • Opcode Fuzzy Hash: e4a0a1a3837b944ea9f6492cd8805839763f186e8e185161c663fef75428cefa
                                                              • Instruction Fuzzy Hash: 3B41A7B2500209AFDB25EF68C8C1EAEB7F8EF44350B1085AEE556D7250EB71DE44CB60
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: 66820c550d716b6e2afbf3f17261df7496f18a26cd8ffc3f4518227d304287be
                                                              • Instruction ID: bd5b78f3aa9c3a0dc0afe5ddcc7decf77d25c57f4126787b528e203b657809ab
                                                              • Opcode Fuzzy Hash: 66820c550d716b6e2afbf3f17261df7496f18a26cd8ffc3f4518227d304287be
                                                              • Instruction Fuzzy Hash: A841917154820A9BDB21FFA8D881EBEB7E8EF08340B2484DDE24597292DF759D05CB60
                                                              APIs
                                                              • IsThemeActive.UXTHEME ref: 00B75FEF
                                                                • Part of subcall function 00B834CE: __lock.LIBCMT ref: 00B834D4
                                                                • Part of subcall function 00B834CE: DecodePointer.KERNEL32(00000001,?,00B76004,00BB8675), ref: 00B834E0
                                                                • Part of subcall function 00B834CE: EncodePointer.KERNEL32(?,?,00B76004,00BB8675), ref: 00B834EB
                                                                • Part of subcall function 00B75F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B75F18
                                                                • Part of subcall function 00B75F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B75F2D
                                                                • Part of subcall function 00B75240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B7526C
                                                                • Part of subcall function 00B75240: IsDebuggerPresent.KERNEL32 ref: 00B7527E
                                                                • Part of subcall function 00B75240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00B752E6
                                                                • Part of subcall function 00B75240: SetCurrentDirectoryW.KERNEL32(?), ref: 00B75366
                                                              • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00B7602F
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                              • String ID:
                                                              • API String ID: 1438897964-0
                                                              • Opcode ID: 1525380b738e938cdcd0bd67383114a7497f39758730e1da068bd7a58255da14
                                                              • Instruction ID: c6991ddf54d877e2fd1135c592cf522580c1ea979953ba6cdda273f69cd05459
                                                              • Opcode Fuzzy Hash: 1525380b738e938cdcd0bd67383114a7497f39758730e1da068bd7a58255da14
                                                              • Instruction Fuzzy Hash: E4118C719183019BC321EF69EC45A5EFBE8EF85750F00865EF458872B2DBB09A45CB92
                                                              APIs
                                                                • Part of subcall function 00B8586C: __FF_MSGBANNER.LIBCMT ref: 00B85883
                                                                • Part of subcall function 00B8586C: __NMSG_WRITE.LIBCMT ref: 00B8588A
                                                                • Part of subcall function 00B8586C: RtlAllocateHeap.NTDLL(016F0000,00000000,00000001,?,00000004,?,?,00B80F33,?), ref: 00B858AF
                                                              • std::exception::exception.LIBCMT ref: 00B80F4C
                                                              • __CxxThrowException@8.LIBCMT ref: 00B80F61
                                                                • Part of subcall function 00B886FB: RaiseException.KERNEL32(?,?,?,00C1AE78,?,?,?,?,?,00B80F66,?,00C1AE78,?,00000001), ref: 00B88750
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 3902256705-0
                                                              • Opcode ID: 8ba5044bd1178d376a4383da80371135409b2d2da27e10698dc95e2fde6dd58e
                                                              • Instruction ID: 480daeb877b2675d13b42c9c7968e11e705d22e78a8f69b4e91e0ba933b5521e
                                                              • Opcode Fuzzy Hash: 8ba5044bd1178d376a4383da80371135409b2d2da27e10698dc95e2fde6dd58e
                                                              • Instruction Fuzzy Hash: 84F0813550820E66CB21BA98DC159EE7BE89F01790F5044F6FA14921A1EF718B98C7D5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: __lock_file_memset
                                                              • String ID:
                                                              • API String ID: 26237723-0
                                                              • Opcode ID: 68977d09b40e1c163083f380fe0c47b734a6dcd34b477d0ef3f5857378058920
                                                              • Instruction ID: 20b61c98ad324978802fda5872348e135f525456520e103fca3fc8e216f7e1c3
                                                              • Opcode Fuzzy Hash: 68977d09b40e1c163083f380fe0c47b734a6dcd34b477d0ef3f5857378058920
                                                              • Instruction Fuzzy Hash: B6017179800608EBCF22BF65CC0159E7BE2FF50320F548295B8245A1B1D7758E51DBA1
                                                              APIs
                                                                • Part of subcall function 00B88C88: __getptd_noexit.LIBCMT ref: 00B88C88
                                                              • __lock_file.LIBCMT ref: 00B8553B
                                                                • Part of subcall function 00B86D6E: __lock.LIBCMT ref: 00B86D91
                                                              • __fclose_nolock.LIBCMT ref: 00B85546
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                              • String ID:
                                                              • API String ID: 2800547568-0
                                                              • Opcode ID: 62770a3dd1dd466b4211c392c03bc57820e6d8d5a441f26f6f706e35b821cd00
                                                              • Instruction ID: b13ab5f87e93db0d91ab98622c043eac8da0c846fe785f548c3ddb8dc7e5f285
                                                              • Opcode Fuzzy Hash: 62770a3dd1dd466b4211c392c03bc57820e6d8d5a441f26f6f706e35b821cd00
                                                              • Instruction Fuzzy Hash: 57F0F031800B059BDB31BB6598027AE67E2AF11331F948289A424AB1E1CF7C8E41DF51
                                                              APIs
                                                              • __lock_file.LIBCMT ref: 00B85DE4
                                                              • __ftell_nolock.LIBCMT ref: 00B85DEF
                                                                • Part of subcall function 00B88C88: __getptd_noexit.LIBCMT ref: 00B88C88
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                              • String ID:
                                                              • API String ID: 2999321469-0
                                                              • Opcode ID: 66dd16a8532d2c63fb5d0f43e47ccb6d353044d7eff3cfaa3125731b1058dd1f
                                                              • Instruction ID: 522cae2cd13fc7d8214064ff83c18c950a48a079d062b60ec75abc499eb07d53
                                                              • Opcode Fuzzy Hash: 66dd16a8532d2c63fb5d0f43e47ccb6d353044d7eff3cfaa3125731b1058dd1f
                                                              • Instruction Fuzzy Hash: A0F0A032941605ABEB21BB758C427AE76E0AF01331F504295B020AB1E1CF788F42DBA5
                                                              APIs
                                                              • _memset.LIBCMT ref: 00B75AEF
                                                              • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B75B1F
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: IconNotifyShell__memset
                                                              • String ID:
                                                              • API String ID: 928536360-0
                                                              • Opcode ID: 6ff2ae3d557e3e2753e78d39abb23017af14acde790bcf42093d4e3006c29e35
                                                              • Instruction ID: eb4c36d161c8dd8e8d5034e6528728ac8ee855bdc04ce0decb276a199a25348d
                                                              • Opcode Fuzzy Hash: 6ff2ae3d557e3e2753e78d39abb23017af14acde790bcf42093d4e3006c29e35
                                                              • Instruction Fuzzy Hash: 56F0A770914308DFDBA2DF24DC457A977BC970030CF0001E9AA0896396DBB50B89CF61
                                                              APIs
                                                              • ___crtCorExitProcess.LIBCMT ref: 00B83207
                                                                • Part of subcall function 00B831CD: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00B8320C,00B80F33,?,00B89E1E,000000FF,0000001E,00C1B1A8,00000008,00B89D82,00B80F33,00B80F33), ref: 00B831DC
                                                                • Part of subcall function 00B831CD: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00B831EE
                                                              • ExitProcess.KERNEL32 ref: 00B83210
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                              • String ID:
                                                              • API String ID: 2427264223-0
                                                              • Opcode ID: 4002126ad8b3ca53d279a3d0b1d29a588424a73c6d179eddf2bd5099b96ab8d7
                                                              • Instruction ID: d3d3284fa9b002e794aa593281fe95a3de5c2652e13b7a6be5cd21aff2a52b73
                                                              • Opcode Fuzzy Hash: 4002126ad8b3ca53d279a3d0b1d29a588424a73c6d179eddf2bd5099b96ab8d7
                                                              • Instruction Fuzzy Hash: 74B09230000208BBCB013F12DC0AC583FA9EB04E90B004020F8140A032DFB2AA92DAC4
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: LoadString$__swprintf
                                                              • String ID:
                                                              • API String ID: 207118244-0
                                                              • Opcode ID: 4c033a3c49b1ced15098f3cbf5e28dc1c0b4769a80fdd2c5f8effe8f09d4b739
                                                              • Instruction ID: 46c61746f0b461f3622121910747f6a461748f0e463867bb5d9603669e6a81a3
                                                              • Opcode Fuzzy Hash: 4c033a3c49b1ced15098f3cbf5e28dc1c0b4769a80fdd2c5f8effe8f09d4b739
                                                              • Instruction Fuzzy Hash: 8EB13C34A0010AEFCB14EF94D8919FDBBF5FF48710F14819AE915AB391EB31A942CB54
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 590135838fefcfcf06c5251ccc9c0f60b25660bdc376366bbf41b29839c24f96
                                                              • Instruction ID: 5bfd13708ffd678f033992533823e5ecbc4d2f0c607e7798b0fe928858467624
                                                              • Opcode Fuzzy Hash: 590135838fefcfcf06c5251ccc9c0f60b25660bdc376366bbf41b29839c24f96
                                                              • Instruction Fuzzy Hash: 5661CE706046069FDB10EF54C881A7AB7F5EF45310F2481ADE916AB292E779ED80CF92
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: 01d276a8b2e032cb678cf1d3a9cd523c24e448ac7f76bbbbd98bd32b07517e4d
                                                              • Instruction ID: aca174b0ecda1e494b301991b20b245f0a699f8901da413e364f78037d0d869f
                                                              • Opcode Fuzzy Hash: 01d276a8b2e032cb678cf1d3a9cd523c24e448ac7f76bbbbd98bd32b07517e4d
                                                              • Instruction Fuzzy Hash: 7731A175604602DFC729EF18D490A21F7E0FF08720754C5A9E9AECB761D730E941EB94
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID:
                                                              • API String ID: 1473721057-0
                                                              • Opcode ID: ea6e390134d8d977795857fc09748157e47cf8dad0b20b59cf54d2ec52950a9d
                                                              • Instruction ID: f355fd0acaa4a15ccfba3e722155f53a3e1405bb4d440cca1ea5e8f35e16cacf
                                                              • Opcode Fuzzy Hash: ea6e390134d8d977795857fc09748157e47cf8dad0b20b59cf54d2ec52950a9d
                                                              • Instruction Fuzzy Hash: 60410474508341DFDB24DF14C494B1ABBE1BF45308F0988ACE99A9B362C375EC49CB92
                                                                • Part of subcall function 00B74B29: FreeLibrary.KERNEL32(00000000,?), ref: 00B74B63
                                                                • Part of subcall function 00B853AB: __wfsopen.LIBCMT ref: 00B853B6
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00B727AF,?,00000001), ref: 00B749F4
                                                                • Part of subcall function 00B74ADE: FreeLibrary.KERNEL32(00000000), ref: 00B74B18
                                                                • Part of subcall function 00B748B0: _memmove.LIBCMT ref: 00B748FA
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Library$Free$Load__wfsopen_memmove
                                                              • String ID:
                                                              • API String ID: 1396898556-0
                                                              • Opcode ID: 89ab46fea75505cbe1cf48e4aa2e141104b4e3528ceff581b49b7f014443b554
                                                              • Instruction ID: d22db1c3b424d802e35f06c9f92f2470badef6dbc07b9198b96775d9380ab915
                                                              • Opcode Fuzzy Hash: 89ab46fea75505cbe1cf48e4aa2e141104b4e3528ceff581b49b7f014443b554
                                                              • Instruction Fuzzy Hash: 5111C431650209ABCB14BB70CC46FAE77E9DF80702F10C4ADF559A6191EFB19B01AB94
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: 87f17ea32b0852605c5d1b8c02b73927e9767c9e39873f6fc8e4dcd9fdc17cd8
                                                              • Instruction ID: 1cae91a1bee4f16abeae78cf99c2456f6f39c98d27427f05b97f5d0e42219374
                                                              • Opcode Fuzzy Hash: 87f17ea32b0852605c5d1b8c02b73927e9767c9e39873f6fc8e4dcd9fdc17cd8
                                                              • Instruction Fuzzy Hash: 331126766046019FC724DF6CE481916B7E9EF48354B20C8AEE99ECB261E732E841CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID:
                                                              • API String ID: 1473721057-0
                                                              • Opcode ID: a8792a64142b85760345d4f99b9eab90a0537531297be49691cba21c3d0e3127
                                                              • Instruction ID: b2771b9345ebafc88a9065a8d0114fc5cc6ef0f0317d43f9c669c7d0caa329e9
                                                              • Opcode Fuzzy Hash: a8792a64142b85760345d4f99b9eab90a0537531297be49691cba21c3d0e3127
                                                              • Instruction Fuzzy Hash: A62105B4508301DFDB24EF54C494B5ABBE1BF85304F0589ACF99A57322D735E819CB92
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: 35c911cd2398f4784c93c0efd88a5e5c70ab84a347dfa3976c7b08d64d2b32f3
                                                              • Instruction ID: ccceb320deb922af2f1cca23b2b3d59ad94afdb369d34e1bc066e59b898aea39
                                                              • Opcode Fuzzy Hash: 35c911cd2398f4784c93c0efd88a5e5c70ab84a347dfa3976c7b08d64d2b32f3
                                                              • Instruction Fuzzy Hash: FC01A472200225ABCB24EF2DDC919BBB7E9EFC5364714847EF90ACB255E631E905C790
                                                              APIs
                                                                • Part of subcall function 00B80F16: std::exception::exception.LIBCMT ref: 00B80F4C
                                                                • Part of subcall function 00B80F16: __CxxThrowException@8.LIBCMT ref: 00B80F61
                                                              • _memset.LIBCMT ref: 00BC7B21
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Exception@8Throw_memsetstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 525207782-0
                                                              • Opcode ID: c34491c4572dc16e51a14d0fcf010cac5864f028c0566f866116d8912fde49fb
                                                              • Instruction ID: 89c6b18665ed2afa1bb818719535dc9478d97dcd1e6f1c257fb89dc853010b4d
                                                              • Opcode Fuzzy Hash: c34491c4572dc16e51a14d0fcf010cac5864f028c0566f866116d8912fde49fb
                                                              • Instruction Fuzzy Hash: 3F01E4742042009FD326EF5CD481F02BBE5AF59310F24C49AF6888B3A2DB72E801CF90
                                                              APIs
                                                                • Part of subcall function 00B80F16: std::exception::exception.LIBCMT ref: 00B80F4C
                                                                • Part of subcall function 00B80F16: __CxxThrowException@8.LIBCMT ref: 00B80F61
                                                              • _memmove.LIBCMT ref: 00B9DBBB
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Exception@8Throw_memmovestd::exception::exception
                                                              • String ID:
                                                              • API String ID: 1602317333-0
                                                              • Opcode ID: 9c4b4b06b97a342b372b4b1ca5fb652688e856bb2ce843847531830677b80c8a
                                                              • Instruction ID: 04939b41361aff20ba14f21f4043759eb7155f21117e4482153ed5e75ffb527d
                                                              • Opcode Fuzzy Hash: 9c4b4b06b97a342b372b4b1ca5fb652688e856bb2ce843847531830677b80c8a
                                                              • Instruction Fuzzy Hash: 88F0F974600101DFE766EF68C981A11BBE1BF19304B2484ACE2898B3A2E733E815CB91
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _fseek
                                                              • String ID:
                                                              • API String ID: 2937370855-0
                                                              • Opcode ID: 0a4098fbca966de150df0e901f011b960a22b5df12848eeca8f12985b6aae40b
                                                              • Instruction ID: 95a51aca241b2ee24b0b0d500cd2f4802cd37cc361935eb93f5decaa339c642f
                                                              • Opcode Fuzzy Hash: 0a4098fbca966de150df0e901f011b960a22b5df12848eeca8f12985b6aae40b
                                                              • Instruction Fuzzy Hash: 2CF085B6500208BFCF109F84DC00CEBBBBDEB85320F004198F9045A221D372EA21DBA0
                                                              APIs
                                                              • FreeLibrary.KERNEL32(?,?,?,00B727AF,?,00000001), ref: 00B74A63
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: 846d77d547260565f04803a15332b7286026a0fa9d73c546ff187a4c87b59b1a
                                                              • Instruction ID: d186bd28b28879fbf7ec0917a1ea3a0b242eaa64b525e0d58511d2b4ca79eb68
                                                              • Opcode Fuzzy Hash: 846d77d547260565f04803a15332b7286026a0fa9d73c546ff187a4c87b59b1a
                                                              • Instruction Fuzzy Hash: A2F0F271145702CFCB349F68E890826BBE0EA14326324D9AEE5AA83620C7319984DB44
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: __fread_nolock
                                                              • String ID:
                                                              • API String ID: 2638373210-0
                                                              • Opcode ID: c46de0973e4316ba83ebc5d8e55475f12f35eb36bfefe38a98de0559b640b685
                                                              • Instruction ID: 9eb8906b3089034e3e14b05464d08880d651885ab72f9f5769efbc5ca6c1698a
                                                              • Opcode Fuzzy Hash: c46de0973e4316ba83ebc5d8e55475f12f35eb36bfefe38a98de0559b640b685
                                                              • Instruction Fuzzy Hash: 83F0587240020DFFDF04DF80C941EAABBB9FB04314F208189F8188A211D332DA21EB90
                                                              APIs
                                                              • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00B8090F
                                                                • Part of subcall function 00B71821: _memmove.LIBCMT ref: 00B7185B
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: LongNamePath_memmove
                                                              • String ID:
                                                              • API String ID: 2514874351-0
                                                              • Opcode ID: 42303d0a23e64dfed021e986ee83210c71c8c2b57523984cb412599410c64b08
                                                              • Instruction ID: f27b391c3d16e60ab1b0fef887e51b786f51dc0e24b44f09e9ea78185d8fa973
                                                              • Opcode Fuzzy Hash: 42303d0a23e64dfed021e986ee83210c71c8c2b57523984cb412599410c64b08
                                                              • Instruction Fuzzy Hash: C2E08632A011285BC721E69C9C05FEA77DDDB88690F0541F6FC0DD7214D9605D818695
                                                              APIs
                                                              • CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00BC3CEA,?,?,?), ref: 00BC3D7A
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CopyFile
                                                              • String ID:
                                                              • API String ID: 1304948518-0
                                                              • Opcode ID: 1834890542da2fdee7f31783e2dd21802e39fe7f66e77b05fc27d67588b04601
                                                              • Instruction ID: d4cf4ba61d63973aeda70c59c98ad116d1ea3c4d54a027e689801337f96db82d
                                                              • Opcode Fuzzy Hash: 1834890542da2fdee7f31783e2dd21802e39fe7f66e77b05fc27d67588b04601
                                                              • Instruction Fuzzy Hash: 38D0A7315E020CBBEF50DFA0CC06F78B7ACE701706F1002A4B504DA0E0DA72691497A5
                                                              APIs
                                                              • GetFileAttributesW.KERNEL32(?,00BC3A6B), ref: 00BC4E5A
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: be039507fa2398bfa35b12efbf653b9fc0dc56210ca240b7d67b35805bc17bf6
                                                              • Instruction ID: 8532295600f6a48e0c7064cbdb48ed8ab4a8d71c37d1e437bc3b6fc3af204501
                                                              • Opcode Fuzzy Hash: be039507fa2398bfa35b12efbf653b9fc0dc56210ca240b7d67b35805bc17bf6
                                                              • Instruction Fuzzy Hash: 82B09224010606459D6C1B789928AE93380A8827AAFDA1BC8E874968F287398E4BE610
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: __wfsopen
                                                              • String ID:
                                                              • API String ID: 197181222-0
                                                              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                              • Instruction ID: 5abb6f129ff196b0a37c6dada505aecfefeada81e5db9292ac3f4349b28eac38
                                                              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                              • Instruction Fuzzy Hash: 94B0927644020C77CE112A82EC02A493B599B407A8F408060FB0C18172A6B3AA609689
                                                              APIs
                                                              • _doexit.LIBCMT ref: 00B834C4
                                                                • Part of subcall function 00B8338B: __lock.LIBCMT ref: 00B83399
                                                                • Part of subcall function 00B8338B: DecodePointer.KERNEL32(00C1AEF0,0000001C,00B832E4,00B80F33,00000001,00000000,?,00B83232,000000FF,?,00B89D8E,00000011,00B80F33,?,00B89BDC,0000000D), ref: 00B833D8
                                                                • Part of subcall function 00B8338B: DecodePointer.KERNEL32(?,00B83232,000000FF,?,00B89D8E,00000011,00B80F33,?,00B89BDC,0000000D), ref: 00B833E9
                                                                • Part of subcall function 00B8338B: EncodePointer.KERNEL32(00000000,?,00B83232,000000FF,?,00B89D8E,00000011,00B80F33,?,00B89BDC,0000000D), ref: 00B83402
                                                                • Part of subcall function 00B8338B: DecodePointer.KERNEL32(-00000004,?,00B83232,000000FF,?,00B89D8E,00000011,00B80F33,?,00B89BDC,0000000D), ref: 00B83412
                                                                • Part of subcall function 00B8338B: EncodePointer.KERNEL32(00000000,?,00B83232,000000FF,?,00B89D8E,00000011,00B80F33,?,00B89BDC,0000000D), ref: 00B83418
                                                                • Part of subcall function 00B8338B: DecodePointer.KERNEL32(?,00B83232,000000FF,?,00B89D8E,00000011,00B80F33,?,00B89BDC,0000000D), ref: 00B8342E
                                                                • Part of subcall function 00B8338B: DecodePointer.KERNEL32(?,00B83232,000000FF,?,00B89D8E,00000011,00B80F33,?,00B89BDC,0000000D), ref: 00B83439
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Pointer$Decode$Encode$__lock_doexit
                                                              • String ID:
                                                              • API String ID: 2158581194-0
                                                              • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                              • Instruction ID: 5fefcb441b90a7f08648639286ab3a6af5c01fbb17f3a02ae8c5aa3e647c4099
                                                              • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                              • Instruction Fuzzy Hash: 6AB0123158430C33DA103541EC03F853B8C4740F54F100060FA0C1C1F1AA93766181CD
                                                              APIs
                                                                • Part of subcall function 00BC3E72: FindFirstFileW.KERNEL32(?,?), ref: 00BC3EE9
                                                                • Part of subcall function 00BC3E72: DeleteFileW.KERNEL32(?,?,?,?), ref: 00BC3F39
                                                                • Part of subcall function 00BC3E72: FindNextFileW.KERNEL32(00000000,00000010), ref: 00BC3F4A
                                                                • Part of subcall function 00BC3E72: FindClose.KERNEL32(00000000), ref: 00BC3F61
                                                              • GetLastError.KERNEL32 ref: 00BCC0FF
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                              • String ID:
                                                              • API String ID: 2191629493-0
                                                              • Opcode ID: 2b67b8081d4f6f6dc2a22ad2097c1365e15a9959a610940690a5b2fbd400ce73
                                                              • Instruction ID: d2091c639d67a2ef85a5f73220237ac3972279d3d0fa8334b21b2e6b91de784a
                                                              • Opcode Fuzzy Hash: 2b67b8081d4f6f6dc2a22ad2097c1365e15a9959a610940690a5b2fbd400ce73
                                                              • Instruction Fuzzy Hash: E8F08C362106049FCB11EF59D850F6AB7E8EF89760F04C099F90A9B352CB74BC01CB94
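The function records in this listing are machine-generated and are easiest to work with once parsed. The Python below is an added example written for this page, not Joe Sandbox code: it parses records in the layout shown here (an 'APIs' bullet list, an optional 'Strings' list, then the 'Memory Dump Source' and 'Similarity' key/value bullets) into per-function structures and flags import combinations worth a second look, such as the FindFirstFileW/DeleteFileW/FindNextFileW loop reached from the record just above. The record layout, the handling of the 'Download File' link label that the export appends to dump names, and the combo labels are assumptions inferred from this report's text; the sample input is constructed from two of the records on this page.

```python
"""Parse Joe Sandbox IDA-plugin function records into structured data and flag
API combinations worth a closer look. Added example for this page; not Joe
Sandbox code. The record layout is inferred from the report text (assumption)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One bullet of the 'APIs' list, in both shapes the report uses:
#   • GetLastError.KERNEL32 ref: 00BCC0FF
#   • Part of subcall function 00BC3E72: DeleteFileW.KERNEL32(?,?,?,?), ref: 00BC3F39
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:@]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# Key/value bullets such as '• API ID: CopyFile' or '• Instruction Fuzzy Hash: 38D0...'
KV_LINE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<value>.*?)\s*$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiRef:
    name: str
    module: str
    args: list
    ref: str                # address of the call site inside the function
    subcall: Optional[str]  # callee address when the bullet is 'Part of subcall function'


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    def api_names(self, include_subcalls: bool = True) -> set:
        """Imports reached from this function; subcall bullets are one level deeper."""
        return {a.name for a in self.apis if include_subcalls or a.subcall is None}


def parse_records(text: str) -> list:
    """Split the listing into records; every 'APIs' header starts a new function."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line:
            continue
        if section == "APIs":
            m = API_LINE.match(raw)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                current.apis.append(ApiRef(m.group("name"), m.group("module"),
                                           args, m.group("ref"), m.group("sub")))
        elif section == "Strings":
            current.strings.append(line.lstrip("• ").strip())
        else:
            m = KV_LINE.match(raw)
            if m:
                # The HTML export appends a 'Download File' link label to dump names;
                # drop it. Repeated keys (the 'Associated' dumps) keep the last value.
                value = m.group("value").removesuffix("Download File").strip()
                current.meta[m.group("key")] = value
    return records


# Import combinations that merit a look when they occur in one function.
# Labels describe API semantics only; they are not a verdict on the function.
COMBOS = {
    "enumerate-and-delete files": {"FindFirstFileW", "DeleteFileW", "FindNextFileW"},
    "file copy": {"CopyFileExW"},
}


def flag_record(rec: FunctionRecord) -> list:
    names = rec.api_names()
    return [label for label, needed in COMBOS.items() if needed <= names]


# Constructed sample: two records copied in shape and values from this report.
SAMPLE = """\
APIs
• CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00BC3CEA,?,?,?), ref: 00BC3D7A
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
• Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmpDownload File
Similarity
• API ID: CopyFile
• API String ID: 1304948518-0
• Instruction Fuzzy Hash: 38D0A7315E020CBBEF50DFA0CC06F78B7ACE701706F1002A4B504DA0E0DA72691497A5
APIs
  • Part of subcall function 00BC3E72: FindFirstFileW.KERNEL32(?,?), ref: 00BC3EE9
  • Part of subcall function 00BC3E72: DeleteFileW.KERNEL32(?,?,?,?), ref: 00BC3F39
  • Part of subcall function 00BC3E72: FindNextFileW.KERNEL32(00000000,00000010), ref: 00BC3F4A
  • Part of subcall function 00BC3E72: FindClose.KERNEL32(00000000), ref: 00BC3F61
• GetLastError.KERNEL32 ref: 00BCC0FF
Similarity
• API ID: FileFind$CloseDeleteErrorFirstLastNext
• API String ID: 2191629493-0
• Instruction Fuzzy Hash: E8F08C362106049FCB11EF59D850F6AB7E8EF89760F04C099F90A9B352CB74BC01CB94
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.meta.get("API ID"), sorted(rec.api_names()), flag_record(rec))
```

Running the block on the constructed sample prints one line per record with its API ID, the imports it reaches, and any flags. Subcall bullets are kept apart from direct calls so that `api_names(include_subcalls=False)` gives what the function itself imports, while the default view, which includes callees, is the one that matches the enumerate-and-delete pattern.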
                                                              APIs
                                                                • Part of subcall function 00B629E2: GetWindowLongW.USER32(?,000000EB), ref: 00B629F3
                                                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00BECF5A
                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BECFB8
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BECFF9
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BED023
                                                              • SendMessageW.USER32 ref: 00BED04C
                                                              • _wcsncpy.LIBCMT ref: 00BED0B8
                                                              • GetKeyState.USER32(00000011), ref: 00BED0D9
                                                              • GetKeyState.USER32(00000009), ref: 00BED0E6
                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BED0FC
                                                              • GetKeyState.USER32(00000010), ref: 00BED106
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BED12F
                                                              • SendMessageW.USER32 ref: 00BED156
                                                              • SendMessageW.USER32(?,00001030,?,00BEB735), ref: 00BED25A
                                                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00BED270
                                                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00BED283
                                                              • SetCapture.USER32(?), ref: 00BED28C
                                                              • ClientToScreen.USER32(?,?), ref: 00BED2F1
                                                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00BED2FE
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BED318
                                                              • ReleaseCapture.USER32 ref: 00BED323
                                                              • GetCursorPos.USER32(?), ref: 00BED35D
                                                              • ScreenToClient.USER32(?,?), ref: 00BED36A
                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00BED3C6
                                                              • SendMessageW.USER32 ref: 00BED3F4
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00BED431
                                                              • SendMessageW.USER32 ref: 00BED460
                                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BED481
                                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00BED490
                                                              • GetCursorPos.USER32(?), ref: 00BED4B0
                                                              • ScreenToClient.USER32(?,?), ref: 00BED4BD
                                                              • GetParent.USER32(?), ref: 00BED4DD
                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00BED546
                                                              • SendMessageW.USER32 ref: 00BED577
                                                              • ClientToScreen.USER32(?,?), ref: 00BED5D5
                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BED605
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00BED62F
                                                              • SendMessageW.USER32 ref: 00BED652
                                                              • ClientToScreen.USER32(?,?), ref: 00BED6A4
                                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00BED6D8
                                                                • Part of subcall function 00B629AB: GetWindowLongW.USER32(?,000000EB), ref: 00B629BC
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BED774
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                              • String ID: @GUI_DRAGID$F
                                                              • API String ID: 3977979337-4164748364
                                                              • Opcode ID: 23413d0f65238c5f01815101a99c23be4de6db436cf49d7946746bfe68688f2e
                                                              • Instruction ID: 2da2ba52fef1fd875fdfdad849dea91a29cf30b721bbb8dda1dbdf5520ad58b2
                                                              • Opcode Fuzzy Hash: 23413d0f65238c5f01815101a99c23be4de6db436cf49d7946746bfe68688f2e
                                                              • Instruction Fuzzy Hash: BF42AD70204281AFDB21DF25C888FAABFE6FF48710F144999F659872A1C771EC55CB92
                                                              APIs
                                                                • Part of subcall function 00BB917C: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BB91C6
                                                                • Part of subcall function 00BB917C: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BB91F3
                                                                • Part of subcall function 00BB917C: GetLastError.KERNEL32 ref: 00BB9200
                                                              • _memset.LIBCMT ref: 00BB8D54
                                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00BB8DA6
                                                              • CloseHandle.KERNEL32(?), ref: 00BB8DB7
                                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BB8DCE
                                                              • GetProcessWindowStation.USER32 ref: 00BB8DE7
                                                              • SetProcessWindowStation.USER32(00000000), ref: 00BB8DF1
                                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BB8E0B
                                                                • Part of subcall function 00BB8BCC: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BB8D0A), ref: 00BB8BE1
                                                                • Part of subcall function 00BB8BCC: CloseHandle.KERNEL32(?,?,00BB8D0A), ref: 00BB8BF3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                              • String ID: $default$winsta0
                                                              • API String ID: 2063423040-1027155976
                                                              • Opcode ID: 0d132a1d8fe3698c82846b8cdede2361d2099a8e8d8cfaeeb3f432312a48cde4
                                                              • Instruction ID: fb1c77507c92324d59b2031c1190db38eddd3590790961227974153b3030fe75
                                                              • Opcode Fuzzy Hash: 0d132a1d8fe3698c82846b8cdede2361d2099a8e8d8cfaeeb3f432312a48cde4
                                                              • Instruction Fuzzy Hash: C8813971910209AFDF11AFA4CC85AFEBBBDEF04304F04459AF915A7261DBB18E54DB60
                                                              APIs
                                                              • OpenClipboard.USER32(00BF0980), ref: 00BD4440
                                                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00BD444E
                                                              • GetClipboardData.USER32(0000000D), ref: 00BD4456
                                                              • CloseClipboard.USER32 ref: 00BD4462
                                                              • GlobalLock.KERNEL32(00000000), ref: 00BD447E
                                                              • CloseClipboard.USER32 ref: 00BD4488
                                                              • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00BD449D
                                                              • IsClipboardFormatAvailable.USER32(00000001), ref: 00BD44AA
                                                              • GetClipboardData.USER32(00000001), ref: 00BD44B2
                                                              • GlobalLock.KERNEL32(00000000), ref: 00BD44BF
                                                              • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00BD44F3
                                                              • CloseClipboard.USER32 ref: 00BD4603
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                              • String ID:
                                                              • API String ID: 3222323430-0
                                                              • Opcode ID: ff549e3d9f20936028a8cc0891d524121fcd8336da1c9dba60dc37142d6beb6b
                                                              • Instruction ID: 4d15adc2413611a40359616988ec8e943f61adae6a0fc334c0b4bd6befa99b2f
                                                              • Opcode Fuzzy Hash: ff549e3d9f20936028a8cc0891d524121fcd8336da1c9dba60dc37142d6beb6b
                                                              • Instruction Fuzzy Hash: 2A518E31244202ABD311FB64EC85F7EB7E8EB94B41F00456AF55AD32A2EF70D945CA62
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00BCCC3D
                                                              • FindClose.KERNEL32(00000000), ref: 00BCCC91
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BCCCB6
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BCCCCD
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00BCCCF4
                                                              • __swprintf.LIBCMT ref: 00BCCD40
                                                              • __swprintf.LIBCMT ref: 00BCCD83
                                                                • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
                                                              • __swprintf.LIBCMT ref: 00BCCDD7
                                                                • Part of subcall function 00B837FA: __woutput_l.LIBCMT ref: 00B83853
                                                              • __swprintf.LIBCMT ref: 00BCCE25
                                                                • Part of subcall function 00B837FA: __flsbuf.LIBCMT ref: 00B83875
                                                                • Part of subcall function 00B837FA: __flsbuf.LIBCMT ref: 00B8388D
                                                              • __swprintf.LIBCMT ref: 00BCCE74
                                                              • __swprintf.LIBCMT ref: 00BCCEC3
                                                              • __swprintf.LIBCMT ref: 00BCCF12
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                              • API String ID: 3953360268-2428617273
                                                              • Opcode ID: 9d2227555eb59c15253e7548d5581096296ae878a968a0d7c6095c6aa655f019
                                                              • Instruction ID: d461f977a82aa484327da93e5b35a6a8f5cb7b4717891b53bb76b2b1743605da
                                                              • Opcode Fuzzy Hash: 9d2227555eb59c15253e7548d5581096296ae878a968a0d7c6095c6aa655f019
                                                              • Instruction Fuzzy Hash: 58A13BB1404204ABC710EFA4C986EAFB7ECEF95704F40496DF59987191EB34EE08CB62
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00BCF466
                                                              • _wcscmp.LIBCMT ref: 00BCF47B
                                                              • _wcscmp.LIBCMT ref: 00BCF492
                                                              • GetFileAttributesW.KERNEL32(?), ref: 00BCF4A4
                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 00BCF4BE
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00BCF4D6
                                                              • FindClose.KERNEL32(00000000), ref: 00BCF4E1
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00BCF4FD
                                                              • _wcscmp.LIBCMT ref: 00BCF524
                                                              • _wcscmp.LIBCMT ref: 00BCF53B
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00BCF54D
                                                              • SetCurrentDirectoryW.KERNEL32(00C198F8), ref: 00BCF56B
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BCF575
                                                              • FindClose.KERNEL32(00000000), ref: 00BCF582
                                                              • FindClose.KERNEL32(00000000), ref: 00BCF594
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                              • String ID: *.*
                                                              • API String ID: 1803514871-438819550
                                                              • Opcode ID: 8cbde4cbc3f92c0de2d005112e482144cdc6d0ddb7dca29d5245d1f0c951e164
                                                              • Instruction ID: 8efd7008da3013d1ba8b2079c5596dc04cab2d562069c1e4e288c28e3d7904fb
                                                              • Opcode Fuzzy Hash: 8cbde4cbc3f92c0de2d005112e482144cdc6d0ddb7dca29d5245d1f0c951e164
                                                              • Instruction Fuzzy Hash: E0319F3155021A6ADB24AFA49C49FFE77EDEF19321F1001E9F915E31A1EB34DA84CA60
                                                              APIs
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BE0D7B
                                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00BF0980,00000000,?,00000000,?,?), ref: 00BE0DE9
                                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00BE0E31
                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00BE0EBA
                                                              • RegCloseKey.ADVAPI32(?), ref: 00BE11DA
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00BE11E7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Close$ConnectCreateRegistryValue
                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                              • API String ID: 536824911-966354055
                                                              • Opcode ID: d496c5353a0b757808583dbc1e900da184628129df2a762cd64d5293365ada24
                                                              • Instruction ID: e46a44a14f38a165c6f2fbb3c4d9a86658f837c9d38395a8e5a0549a1d7df8dd
                                                              • Opcode Fuzzy Hash: d496c5353a0b757808583dbc1e900da184628129df2a762cd64d5293365ada24
                                                              • Instruction Fuzzy Hash: D7027B75600A419FC715EF29C881E2AB7E5FF89710F1489ADF85A9B362CB34ED41CB81
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00BCF5C3
                                                              • _wcscmp.LIBCMT ref: 00BCF5D8
                                                              • _wcscmp.LIBCMT ref: 00BCF5EF
                                                                • Part of subcall function 00BC46E2: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BC46FD
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00BCF61E
                                                              • FindClose.KERNEL32(00000000), ref: 00BCF629
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00BCF645
                                                              • _wcscmp.LIBCMT ref: 00BCF66C
                                                              • _wcscmp.LIBCMT ref: 00BCF683
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00BCF695
                                                              • SetCurrentDirectoryW.KERNEL32(00C198F8), ref: 00BCF6B3
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BCF6BD
                                                              • FindClose.KERNEL32(00000000), ref: 00BCF6CA
                                                              • FindClose.KERNEL32(00000000), ref: 00BCF6DC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                              • String ID: *.*
                                                              • API String ID: 1824444939-438819550
                                                              • Opcode ID: 363b3e3fe183a13a7fca2adec5dbc8b999cc01be790ef9bcfb4aa28e2a37c404
                                                              • Instruction ID: 6e80aa56a38deeaba64091494ee0ced7414535234d18d9b3fc6b948bd9a96055
                                                              • Opcode Fuzzy Hash: 363b3e3fe183a13a7fca2adec5dbc8b999cc01be790ef9bcfb4aa28e2a37c404
                                                              • Instruction Fuzzy Hash: F631B23250021E6ADB20AFA4DC48EFE77EDDF45324F1001F9E815A31B1EB318E85DA64
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?), ref: 00BCE18C
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00BCE19C
                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BCE1A8
                                                              • __wsplitpath.LIBCMT ref: 00BCE206
                                                              • _wcscat.LIBCMT ref: 00BCE21E
                                                              • _wcscat.LIBCMT ref: 00BCE230
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BCE245
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00BCE259
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00BCE28B
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00BCE2AC
                                                              • _wcscpy.LIBCMT ref: 00BCE2B8
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BCE2F7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                              • String ID: *.*
                                                              • API String ID: 3566783562-438819550
                                                              • Opcode ID: d6db4c284398174695bd8c8c7efbbb71fc0c4a291d03fc607ed8549583d4e3bf
                                                              • Instruction ID: 0607d48fbaeda6e9fe16ca272c1edd3a2368fda3961bbbf83cfc26b7666422dc
                                                              • Opcode Fuzzy Hash: d6db4c284398174695bd8c8c7efbbb71fc0c4a291d03fc607ed8549583d4e3bf
                                                              • Instruction Fuzzy Hash: 7B6169725046059FC710EF60C885EAEB3E8FF89310F0489AEF99997251DB35E945CB92
                                                              APIs
                                                                • Part of subcall function 00BB8C03: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BB8C1F
                                                                • Part of subcall function 00BB8C03: GetLastError.KERNEL32(?,00BB86E3,?,?,?), ref: 00BB8C29
                                                                • Part of subcall function 00BB8C03: GetProcessHeap.KERNEL32(00000008,?,?,00BB86E3,?,?,?), ref: 00BB8C38
                                                                • Part of subcall function 00BB8C03: HeapAlloc.KERNEL32(00000000,?,00BB86E3,?,?,?), ref: 00BB8C3F
                                                                • Part of subcall function 00BB8C03: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BB8C56
                                                                • Part of subcall function 00BB8CA0: GetProcessHeap.KERNEL32(00000008,00BB86F9,00000000,00000000,?,00BB86F9,?), ref: 00BB8CAC
                                                                • Part of subcall function 00BB8CA0: HeapAlloc.KERNEL32(00000000,?,00BB86F9,?), ref: 00BB8CB3
                                                                • Part of subcall function 00BB8CA0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00BB86F9,?), ref: 00BB8CC4
                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BB8714
                                                              • _memset.LIBCMT ref: 00BB8729
                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BB8748
                                                              • GetLengthSid.ADVAPI32(?), ref: 00BB8759
                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00BB8796
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BB87B2
                                                              • GetLengthSid.ADVAPI32(?), ref: 00BB87CF
                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00BB87DE
                                                              • HeapAlloc.KERNEL32(00000000), ref: 00BB87E5
                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BB8806
                                                              • CopySid.ADVAPI32(00000000), ref: 00BB880D
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BB883E
                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BB8864
                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BB8878
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                              • String ID:
                                                              • API String ID: 3996160137-0
                                                              • Opcode ID: e9496011bcf28481c5ac5beec918b9423515fccaa6ba6ac8228c4ef73f05eb5a
                                                              • Instruction ID: e803b1a196aed5e79830131c646bd234b4eb74eb78372702b91d7dd519314601
                                                              • Opcode Fuzzy Hash: e9496011bcf28481c5ac5beec918b9423515fccaa6ba6ac8228c4ef73f05eb5a
                                                              • Instruction Fuzzy Hash: 12613671910209AFDF14DFA5DC84AFEBBB9FF04304F0481A9E915A72A1DF719A04CB60
                                                              APIs
                                                                • Part of subcall function 00BE1242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BE01D5,?,?), ref: 00BE1259
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BE08D4
                                                                • Part of subcall function 00B64D37: __itow.LIBCMT ref: 00B64D62
                                                                • Part of subcall function 00B64D37: __swprintf.LIBCMT ref: 00B64DAC
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BE0973
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BE0A0B
                                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00BE0C4A
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00BE0C57
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 1240663315-0
                                                              • Opcode ID: ad989b864fa15d0a988233f329cef91d760ff347fdae2459349e445e4134efcc
                                                              • Instruction ID: af4dbeca1f93c5efe73542cd73380f09833b9277ab285956f246c1226e1328d9
                                                              • Opcode Fuzzy Hash: ad989b864fa15d0a988233f329cef91d760ff347fdae2459349e445e4134efcc
                                                              • Instruction Fuzzy Hash: C8E16F31214215AFC715EF29C881E2ABBE8FF89314F1489ADF45ADB262DB70ED41CB51
                                                              APIs
                                                              • __swprintf.LIBCMT ref: 00BC42BE
                                                              • __swprintf.LIBCMT ref: 00BC42CB
                                                                • Part of subcall function 00B837FA: __woutput_l.LIBCMT ref: 00B83853
                                                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 00BC42F5
                                                              • LoadResource.KERNEL32(?,00000000), ref: 00BC4301
                                                              • LockResource.KERNEL32(00000000), ref: 00BC430E
                                                              • FindResourceW.KERNEL32(?,?,00000003), ref: 00BC432E
                                                              • LoadResource.KERNEL32(?,00000000), ref: 00BC4340
                                                              • SizeofResource.KERNEL32(?,00000000), ref: 00BC434F
                                                              • LockResource.KERNEL32(?), ref: 00BC435B
                                                              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00BC43BC
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                              • String ID:
                                                              • API String ID: 1433390588-0
                                                              • Opcode ID: 1b9e07d8383e0bc1c46e31f635b800bcdd783f1a34b584d30814c547038e94b1
                                                              • Instruction ID: 7f3ad4390f43d4f00e9477537f82737f7071151da8b57fbeee556cd4c9dea804
                                                              • Opcode Fuzzy Hash: 1b9e07d8383e0bc1c46e31f635b800bcdd783f1a34b584d30814c547038e94b1
                                                              • Instruction Fuzzy Hash: 03316D7161124AABCB11AFA09D99FBEBBACEF84301B004569F906D7151DB34DA21CAB4
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                              • String ID:
                                                              • API String ID: 1737998785-0
                                                              • Opcode ID: 75dea1d3600e74372b2caf11240d9bead65e8d5399292de472af0129d085b0e0
                                                              • Instruction ID: 0b0042636aa881a7c6c3368803af695c11f4e22bfcc38c245f08be5a5cf9371b
                                                              • Opcode Fuzzy Hash: 75dea1d3600e74372b2caf11240d9bead65e8d5399292de472af0129d085b0e0
                                                              • Instruction Fuzzy Hash: E8217C31611610AFDB11AF24EC49B3EB7E8EF45761F018096F9069B2A2DB74AC01CB94
                                                              APIs
                                                                • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
                                                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00BCF8F0
                                                              • FindClose.KERNEL32(00000000), ref: 00BCFA03
                                                                • Part of subcall function 00B652B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B652E6
                                                              • Sleep.KERNEL32(0000000A), ref: 00BCF920
                                                              • _wcscmp.LIBCMT ref: 00BCF934
                                                              • _wcscmp.LIBCMT ref: 00BCF94F
                                                              • FindNextFileW.KERNEL32(?,?), ref: 00BCF9ED
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                              • String ID: *.*
                                                              • API String ID: 2185952417-438819550
                                                              • Opcode ID: 587a782167f372895bbb0ef8806c5745eb9d9f346baa3efb714447588b1dd3af
                                                              • Instruction ID: 4c45c54a77a15f66a25c6c518a5ae283f5a7e35d4779b5ed59e4c87b6d58bc6d
                                                              • Opcode Fuzzy Hash: 587a782167f372895bbb0ef8806c5745eb9d9f346baa3efb714447588b1dd3af
                                                              • Instruction Fuzzy Hash: 84413D7194021AABCF14DFA8CC45BFEBBF5EF05314F1445EAE815A32A1EB709A44CB60
                                                              APIs
                                                                • Part of subcall function 00BB917C: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BB91C6
                                                                • Part of subcall function 00BB917C: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BB91F3
                                                                • Part of subcall function 00BB917C: GetLastError.KERNEL32 ref: 00BB9200
                                                              • ExitWindowsEx.USER32(?,00000000), ref: 00BC5621
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                              • String ID: $@$SeShutdownPrivilege
                                                              • API String ID: 2234035333-194228
                                                              • Opcode ID: ec23742b224269c7762a3ed66374c2496f1db04b82a3e60bfa702c9b3a106769
                                                              • Instruction ID: 59c0fcdc46cb1fdbf167a309101a10e8e9b9c32f5bb44c65951d9e1d30c2f895
                                                              • Opcode Fuzzy Hash: ec23742b224269c7762a3ed66374c2496f1db04b82a3e60bfa702c9b3a106769
                                                              • Instruction Fuzzy Hash: A801F2716A46156BF73866689C8AFBA72DCEB04741F9004B8F907E30E2DAE07C80D5A5
                                                              APIs
                                                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00BD678C
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BD679B
                                                              • bind.WSOCK32(00000000,?,00000010), ref: 00BD67B7
                                                              • listen.WSOCK32(00000000,00000005), ref: 00BD67C6
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BD67E0
                                                              • closesocket.WSOCK32(00000000,00000000), ref: 00BD67F4
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                                              • String ID:
                                                              • API String ID: 1279440585-0
                                                              • Opcode ID: 0af61d32f0e42a2783356f55186e1e13a164094ed60ef8285dd97eeca4385219
                                                              • Instruction ID: 4d35e137f6852d99220cab76e5b07ae77b6be56017e5ce0309fe45913d84c131
                                                              • Opcode Fuzzy Hash: 0af61d32f0e42a2783356f55186e1e13a164094ed60ef8285dd97eeca4385219
                                                              • Instruction Fuzzy Hash: 7121A0706006049FCB10FF68D985A7EB7E9EF44324F1485A9E826A73E2DB74AC01CB91
                                                              APIs
                                                                • Part of subcall function 00B629E2: GetWindowLongW.USER32(?,000000EB), ref: 00B629F3
                                                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 00B61DD6
                                                              • GetSysColor.USER32(0000000F), ref: 00B61E2A
                                                              • SetBkColor.GDI32(?,00000000), ref: 00B61E3D
                                                                • Part of subcall function 00B6166C: DefDlgProcW.USER32(?,00000020,?), ref: 00B616B4
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ColorProc$LongWindow
                                                              • String ID:
                                                              • API String ID: 3744519093-0
                                                              • Opcode ID: 916faadf3406c076ec46fb8feee42c0118c1081f8382393a2b1488f0f4c51e2b
                                                              • Instruction ID: b43e40297bc27728437693f11652cdf927f0f6bf55a75b5d164faad12614db16
                                                              • Opcode Fuzzy Hash: 916faadf3406c076ec46fb8feee42c0118c1081f8382393a2b1488f0f4c51e2b
                                                              • Instruction Fuzzy Hash: 58A11574116444BAEA28AB6E9D85E7F39EDDF41301B1C49FAF402D61D2CF2DDD029272
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00BCC196
                                                              • _wcscmp.LIBCMT ref: 00BCC1C6
                                                              • _wcscmp.LIBCMT ref: 00BCC1DB
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00BCC1EC
                                                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00BCC21C
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Find$File_wcscmp$CloseFirstNext
                                                              • String ID:
                                                              • API String ID: 2387731787-0
                                                              • Opcode ID: d6e21a245ad1c3c01df048853e74d31cb9fa9a9472d54332d149d33940bef64a
                                                              • Instruction ID: 41232893844a534e15b97affaecda36d971b3318aa621683499a249c1a3951af
                                                              • Opcode Fuzzy Hash: d6e21a245ad1c3c01df048853e74d31cb9fa9a9472d54332d149d33940bef64a
                                                              • Instruction Fuzzy Hash: 86519275A046029FD714EF68D490EAAB7E8FF59320F10459DF96A8B3A1DB30ED04CB91
                                                              APIs
                                                                • Part of subcall function 00BD823D: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00BD8268
                                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00BD6C4E
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BD6C77
                                                              • bind.WSOCK32(00000000,?,00000010), ref: 00BD6CB0
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BD6CBD
                                                              • closesocket.WSOCK32(00000000,00000000), ref: 00BD6CD1
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                              • String ID:
                                                              • API String ID: 99427753-0
                                                              • Opcode ID: baf1ec3cae4329724b1998e6bb1c69924ca644d82cb59107473d9234c1578aef
                                                              • Instruction ID: f31badbdf7ec93081458df14e0ede6b08e0739f27501924114dfbb8079856907
                                                              • Opcode Fuzzy Hash: baf1ec3cae4329724b1998e6bb1c69924ca644d82cb59107473d9234c1578aef
                                                              • Instruction Fuzzy Hash: 9341D475A10A10AFDB11BF649C86F7EB3E8DB05750F0484D8F956AB3D2DB749D008BA1
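The function entries above are easiest to triage when the "APIs" bullets are pulled out programmatically rather than read one hash block at a time: the DACL rewrite ending in SetUserObjectSecurity at 00BB8878, the SeShutdownPrivilege / ExitWindowsEx function at 00BC5621, the TCP socket/bind/listen function at 00BD678C, the FindFirstFileW loop with Sleep at 00BCF8F0 and the UDP socket/bind function at 00BD6C4E all become one-line tags. The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses the bullet format used in this listing (including the "Part of subcall function" prefix and calls reported without an argument list), decodes the three leading socket() arguments with Winsock constants, and tags each entry with the behaviour its API set implies. The sample input is copied from the entries above; the rule table, labels and the socket() constant tables are this example's own assumptions, not Joe Sandbox signature names.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: "APIs" bullet lines copied from the function entries in this
# report; the bare header lines stand in for the Strings / Memory Dump Source
# sections that separate one function entry from the next.
SAMPLE = """\
APIs
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BB8714
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BB87B2
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BB8864
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BB8878
Memory Dump Source
APIs
  • Part of subcall function 00BB917C: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BB91C6
  • Part of subcall function 00BB917C: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BB91F3
  • Part of subcall function 00BB917C: GetLastError.KERNEL32 ref: 00BB9200
• ExitWindowsEx.USER32(?,00000000), ref: 00BC5621
Strings
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00BD678C
• bind.WSOCK32(00000000,?,00000010), ref: 00BD67B7
• listen.WSOCK32(00000000,00000005), ref: 00BD67C6
Memory Dump Source
APIs
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00BCF8F0
• Sleep.KERNEL32(0000000A), ref: 00BCF920
• FindNextFileW.KERNEL32(?,?), ref: 00BCF9ED
Strings
APIs
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00BD6C4E
• bind.WSOCK32(00000000,?,00000010), ref: 00BD6CB0
"""

# One bullet: "[Part of subcall function XXXXXXXX: ]Api.MODULE[(args)], ref: XXXXXXXX"
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]    # raw report tokens: 8-hex-digit values, "?" or a literal such as *.*
    ref: int                 # call-site address
    subcall: Optional[int]   # callee address when reported as "Part of subcall function"


def parse_entries(text: str):
    """Split the listing into function entries (one per 'APIs' header) of ApiCall records."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            sub = int(m["sub"], 16) if m["sub"] else None
            current.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return [e for e in entries if e]   # headers with no captured calls are dropped


def _int_arg(args, i):
    """i-th argument as an int, or None when the report shows '?' (value not recovered)."""
    return int(args[i], 16) if i < len(args) and args[i] != "?" else None


# Winsock constants for the first three socket() parameters (assumed from ws2def.h).
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "0", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def decode_socket(call: ApiCall) -> str:
    """Render socket(af, type, protocol) symbolically; unknown values stay as hex or '?'."""
    def name(table, v):
        return "?" if v is None else table.get(v, hex(v))
    af, typ, proto = (_int_arg(call.args, i) for i in range(3))
    return f"socket({name(AF, af)}, {name(SOCK_TYPE, typ)}, {name(PROTO, proto)})"


# Behaviour rules: an entry (subcall lines included) matches when it contains every API in
# the set. The labels are this example's wording, not Joe Sandbox signature names.
RULES = [
    ({"AdjustTokenPrivileges", "ExitWindowsEx"},
     "enables a token privilege then calls ExitWindowsEx (logoff/shutdown/reboot)"),
    ({"socket", "bind", "listen"}, "creates a listening TCP server socket"),
    ({"GetSecurityDescriptorDacl", "AddAce", "SetUserObjectSecurity"},
     "rewrites the DACL of a user object (window station/desktop access grant)"),
    ({"FindFirstFileW", "FindNextFileW", "Sleep"},
     "directory enumeration loop containing Sleep (throttled walk / stalling)"),
]


def classify(entry) -> list:
    """Tags for one entry: every matching rule, plus a decoded line per socket() call."""
    names = {c.api for c in entry}
    labels = [label for needed, label in RULES if needed <= names]
    labels += [decode_socket(c) for c in entry if c.api == "socket"]
    return labels


if __name__ == "__main__":
    for entry in parse_entries(SAMPLE):
        print(f"entry with first call at {entry[0].ref:08X}: {classify(entry)}")
```

Calls marked "Part of subcall function" are kept in the same entry as the function's own calls, because that is how the report presents them and because the shutdown case only makes sense as a pair: AdjustTokenPrivileges is in the callee, ExitWindowsEx in the caller. Rules match on exact API names as printed, so the W suffix on FindFirstFileW matters; add the A variants if a different binary needs them.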
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                              • String ID:
                                                              • API String ID: 292994002-0
                                                              • Opcode ID: 0d1b4c0ba13d586db300d05060c818c6c3ae9e6fd9e6754fbfb71b38cf35af18
                                                              • Instruction ID: d6a13c7e56a6b4f28b109f88603073598620d278c98d90ad0ee00ab35e1dc6b5
                                                              • Opcode Fuzzy Hash: 0d1b4c0ba13d586db300d05060c818c6c3ae9e6fd9e6754fbfb71b38cf35af18
                                                              • Instruction Fuzzy Hash: 2E11BF71700A51ABEB316F27DC84A3EBBD9EF85764B4040A9F806D7252CB74EC118AA0
                                                              APIs
                                                              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00BD2891
                                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00BD28C8
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Internet$AvailableDataFileQueryRead
                                                              • String ID:
                                                              • API String ID: 599397726-0
                                                              • Opcode ID: 5d6eeae0a88a254168844dbcf9b80942179b6f768fea32a9c5f60378400a3c4f
                                                              • Instruction ID: 424dd29644c37aa299b01b4d837d0c85949e4db9ec44c0dbdc2f300071d90557
                                                              • Opcode Fuzzy Hash: 5d6eeae0a88a254168844dbcf9b80942179b6f768fea32a9c5f60378400a3c4f
                                                              • Instruction Fuzzy Hash: BB419271904249BFEB20AB55CC85EBBF7ECEF50714F1040ABF601A7251FA719E41AB64
                                                              APIs
                                                                • Part of subcall function 00B80F16: std::exception::exception.LIBCMT ref: 00B80F4C
                                                                • Part of subcall function 00B80F16: __CxxThrowException@8.LIBCMT ref: 00B80F61
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BB91C6
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BB91F3
                                                              • GetLastError.KERNEL32 ref: 00BB9200
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                              • String ID:
                                                              • API String ID: 1922334811-0
                                                              • Opcode ID: d18da9e1ca25a8dffdee66db74be1db755ee45f170236f71ccfe683371625a94
                                                              • Instruction ID: 34b89b1eb8d8cb912499798f0fc5a73cfbfe7d2fcd092ba7e81b7a09f38f14bb
                                                              • Opcode Fuzzy Hash: d18da9e1ca25a8dffdee66db74be1db755ee45f170236f71ccfe683371625a94
                                                              • Instruction Fuzzy Hash: A6118FB142420ABFD728EF64DC89D7BBBF8EB44711B20816EE55593261EB70AC40CB64
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BC40DE
                                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00BC411F
                                                              • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BC412A
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CloseControlCreateDeviceFileHandle
                                                              • String ID:
                                                              • API String ID: 33631002-0
                                                              • Opcode ID: 406d894a6187ec6ad6c31a66ddf462fd12b01ffed060dd9e9738ec8a2aad023b
                                                              • Instruction ID: 959a3756d3ba58186217b3546b0f693d613e84f99f197097b9c97162676befac
                                                              • Opcode Fuzzy Hash: 406d894a6187ec6ad6c31a66ddf462fd12b01ffed060dd9e9738ec8a2aad023b
                                                              • Instruction Fuzzy Hash: 3E113075E01228BBDB109F959C44FBFBFBCEB49B60F108155F904E7290D6715A018BA1
                                                              APIs
                                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00BC4DB2
                                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00BC4DC9
                                                              • FreeSid.ADVAPI32(?), ref: 00BC4DD9
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                              • String ID:
                                                              • API String ID: 3429775523-0
                                                              • Opcode ID: 6433bd3ba3a5116fc3b217652d42bf6997d24bed5c9ff07424966ba2f02484dc
                                                              • Instruction ID: a9423ba862748db2ab9bec7edbdcd7b58494b5e4f5785ba0167ab7994a40ea38
                                                              • Opcode Fuzzy Hash: 6433bd3ba3a5116fc3b217652d42bf6997d24bed5c9ff07424966ba2f02484dc
                                                              • Instruction Fuzzy Hash: 85F0EC7595120DBFDB04DFF49D89EBDB7B8EB08211F5044A9A502E3191DA355A448B50
                                                              APIs
                                                              • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00BC50DB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: mouse_event
                                                              • String ID: DOWN
                                                              • API String ID: 2434400541-711622031
                                                              • Opcode ID: c4cb52a1e5328df1aeaf75b5b613ccc88cef0b75c60e3b20abbaeffc2d3d1cad
                                                              • Instruction ID: 0009683e417acc8b31f59c170cc90ff6ab4678d26d2c3c61392df5e84c6c00d2
                                                              • Opcode Fuzzy Hash: c4cb52a1e5328df1aeaf75b5b613ccc88cef0b75c60e3b20abbaeffc2d3d1cad
                                                              • Instruction Fuzzy Hash: 2DE0867615CB2178F97421247C06FF603CC8B13B30720029AF804E61E2EDC47CC195A9
                                                              APIs
                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00BC196D
                                                              • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00BC1980
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: InputSendkeybd_event
                                                              • String ID:
                                                              • API String ID: 3536248340-0
                                                              • Opcode ID: 6eff68e4d26487c4bd26e2bd9225ca03ac03799eeb3f0e4402b2933529ddc200
                                                              • Instruction ID: 090a56686acd25d02f1bc19e53aa286b5a93b53e51343bea9bc39691107bb400
                                                              • Opcode Fuzzy Hash: 6eff68e4d26487c4bd26e2bd9225ca03ac03799eeb3f0e4402b2933529ddc200
                                                              • Instruction Fuzzy Hash: 2EF0497191020DABEB00DF94C845BFEBBB4FF14315F00844AF955AA2A2C7B98616DFA4
                                                              APIs
                                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00BD991A,?,00BF098C,?), ref: 00BCA547
                                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00BD991A,?,00BF098C,?), ref: 00BCA559
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ErrorFormatLastMessage
                                                              • String ID:
                                                              • API String ID: 3479602957-0
                                                              • Opcode ID: 749b8dd3867a77fabe9e8da656b1beec1f14980f06d1b9a6a47e2adc8e065852
                                                              • Instruction ID: 1364f2243be801600b5ad695bf92bc2b88d348279105bee698d7dec21ff72fc0
                                                              • Opcode Fuzzy Hash: 749b8dd3867a77fabe9e8da656b1beec1f14980f06d1b9a6a47e2adc8e065852
                                                              • Instruction Fuzzy Hash: E2F0823551522EABDB20AFA8CC48FEA77ADEF08361F008195B919D7191DA309A40CBA1
                                                              APIs
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BB8D0A), ref: 00BB8BE1
                                                              • CloseHandle.KERNEL32(?,?,00BB8D0A), ref: 00BB8BF3
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: AdjustCloseHandlePrivilegesToken
                                                              • String ID:
                                                              • API String ID: 81990902-0
                                                              • Opcode ID: 6e5a725176a5408ade5f65c03f209ad595d845058cdbbd6115c2e08937dd118b
                                                              • Instruction ID: b148443981c2ff0c66be8f59c3d2296fa95afa48db995f64f956271b421042e0
                                                              • Opcode Fuzzy Hash: 6e5a725176a5408ade5f65c03f209ad595d845058cdbbd6115c2e08937dd118b
                                                              • Instruction Fuzzy Hash: 38E04672028601AFEB623B20EC09EB37BE9EB04311B108969B59682431CB72AC90DB54
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B88EB7,?,?,?,00000001), ref: 00B8A2BA
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B8A2C3
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: 7a3e925654e2b1f3e614ad0ec09f42ae851977a2092a05304ad6d1f15d544bf2
                                                              • Instruction ID: d5d9494dcf77c2932641eea4537b8b799a4a86a51e1fc556bb393c38943c3565
                                                              • Opcode Fuzzy Hash: 7a3e925654e2b1f3e614ad0ec09f42ae851977a2092a05304ad6d1f15d544bf2
                                                              • Instruction Fuzzy Hash: 49B09231074208ABCA403B91EC09BA83F6AEB48B62F404010F60D47072CF625450CA99
                                                              APIs
                                                              • BlockInput.USER32(00000001), ref: 00BD43D4
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: BlockInput
                                                              • String ID:
                                                              • API String ID: 3456056419-0
                                                              • Opcode ID: 74941b7f717093f9906cfdac73499af88fb2e7415bb867db9339c513af9bac1d
                                                              • Instruction ID: 16dc4063cc793968a16b1be5f991607549a84a39279cb447d8f9ab5e93da3a43
                                                              • Opcode Fuzzy Hash: 74941b7f717093f9906cfdac73499af88fb2e7415bb867db9339c513af9bac1d
                                                              • Instruction Fuzzy Hash: B3E01A71210205AFD710AF59E844A9AF7E8AF94760F008466F949D7351DBB4EC518B94
                                                              APIs
                                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00BB8D8A), ref: 00BB916C
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: LogonUser
                                                              • String ID:
                                                              • API String ID: 1244722697-0
                                                              • Opcode ID: 6c682110f6967dd49a8fed67faf29517eb7232bb2769864486762317cc1c3245
                                                              • Instruction ID: d577c2f67a4ec96d7c3b714099ed8321886595d8334f4f995a22a7c1c37e859e
                                                              • Opcode Fuzzy Hash: 6c682110f6967dd49a8fed67faf29517eb7232bb2769864486762317cc1c3245
                                                              • Instruction Fuzzy Hash: 36D09E3226450EABEF019EA4DD05EBE3B69EB04B01F408511FE15D61A1CB75D935EB60
                                                              APIs
                                                              • GetUserNameW.ADVAPI32(?,?), ref: 00BA0664
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: NameUser
                                                              • String ID:
                                                              • API String ID: 2645101109-0
                                                              • Opcode ID: cb4455b20d0931b399258c6bd60b4272cbd062477cde8be6425a00cdeee0a211
                                                              • Instruction ID: 79dde280e59de2ee854f9e1d625ca7661086a48326749b5b496ca46df7573696
                                                              • Opcode Fuzzy Hash: cb4455b20d0931b399258c6bd60b4272cbd062477cde8be6425a00cdeee0a211
                                                              • Instruction Fuzzy Hash: E1C04CF181111DDBCB05DFA0D988EFE77BCAB04314F100066A111F3110DB749B44CA71
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00B8A28A
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: a02d1c9648c634f0d8008c414fa60671cfa0ce37a3a8aba9369c9fa2ce69c91a
                                                              • Instruction ID: 364956526499832c014843472e9689b8035c6d5c5f424536a199064ab2a323b7
                                                              • Opcode Fuzzy Hash: a02d1c9648c634f0d8008c414fa60671cfa0ce37a3a8aba9369c9fa2ce69c91a
                                                              • Instruction Fuzzy Hash: 60A0023106410CA78A012B55EC054557F6DD6456557404051F50D46532DB7255519595
                                                              APIs
                                                              • DeleteObject.GDI32(00000000), ref: 00BD7D0D
                                                              • DeleteObject.GDI32(00000000), ref: 00BD7D1F
                                                              • DestroyWindow.USER32 ref: 00BD7D2D
                                                              • GetDesktopWindow.USER32 ref: 00BD7D47
                                                              • GetWindowRect.USER32(00000000), ref: 00BD7D4E
                                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00BD7E8F
                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00BD7E9F
                                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BD7EE7
                                                              • GetClientRect.USER32(00000000,?), ref: 00BD7EF3
                                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00BD7F2D
                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BD7F4F
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BD7F62
                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BD7F6D
                                                              • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BD7F76
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BD7F85
                                                              • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BD7F8E
                                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BD7F95
                                                              • GlobalFree.KERNEL32(00000000), ref: 00BD7FA0
                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BD7FB2
                                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00BF3C7C,00000000), ref: 00BD7FC8
                                                              • GlobalFree.KERNEL32(00000000), ref: 00BD7FD8
                                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00BD7FFE
                                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00BD801D
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BD803F
                                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BD822C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                              • String ID: $AutoIt v3$DISPLAY$static
                                                              • API String ID: 2211948467-2373415609
                                                              • Opcode ID: 0b5fb2e7189914f454acbf0cfad073f24c6f0fdce3a94f72f12f53beea16705b
                                                              • Instruction ID: dcee7a3676fda16e51d488edfbfead0554008aae013632c4e63d10ea3e91266c
                                                              • Opcode Fuzzy Hash: 0b5fb2e7189914f454acbf0cfad073f24c6f0fdce3a94f72f12f53beea16705b
                                                              • Instruction Fuzzy Hash: 63025971910519EFDB14EF64CC89EAEBBF9FB48310F108199F915AB2A1DB74AD01CB60
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?,00BF0980), ref: 00BE3A2D
                                                              • IsWindowVisible.USER32(?), ref: 00BE3A51
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpperVisibleWindow
                                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                              • API String ID: 4105515805-45149045
                                                              • Opcode ID: 517b67978f64f156d91e55ec22ec75493c661a666e122f48ee6bf4a379c03de2
                                                              • Instruction ID: b46f92634093a51418f43ee5d806cbc97f16537d1ba6b3a57c235580074b7049
                                                              • Opcode Fuzzy Hash: 517b67978f64f156d91e55ec22ec75493c661a666e122f48ee6bf4a379c03de2
                                                              • Instruction Fuzzy Hash: 3BD1DF302146009BCB04FF11C856ABE77E5EF85790F0445E8B8865B2E3CB71DE4ACB92
                                                              APIs
                                                              • SetTextColor.GDI32(?,00000000), ref: 00BEAA1D
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00BEAA4E
                                                              • GetSysColor.USER32(0000000F), ref: 00BEAA5A
                                                              • SetBkColor.GDI32(?,000000FF), ref: 00BEAA74
                                                              • SelectObject.GDI32(?,00000000), ref: 00BEAA83
                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00BEAAAE
                                                              • GetSysColor.USER32(00000010), ref: 00BEAAB6
                                                              • CreateSolidBrush.GDI32(00000000), ref: 00BEAABD
                                                              • FrameRect.USER32(?,?,00000000), ref: 00BEAACC
                                                              • DeleteObject.GDI32(00000000), ref: 00BEAAD3
                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 00BEAB1E
                                                              • FillRect.USER32(?,?,00000000), ref: 00BEAB50
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BEAB7B
                                                                • Part of subcall function 00BEACB7: GetSysColor.USER32(00000012), ref: 00BEACF0
                                                                • Part of subcall function 00BEACB7: SetTextColor.GDI32(?,?), ref: 00BEACF4
                                                                • Part of subcall function 00BEACB7: GetSysColorBrush.USER32(0000000F), ref: 00BEAD0A
                                                                • Part of subcall function 00BEACB7: GetSysColor.USER32(0000000F), ref: 00BEAD15
                                                                • Part of subcall function 00BEACB7: GetSysColor.USER32(00000011), ref: 00BEAD32
                                                                • Part of subcall function 00BEACB7: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BEAD40
                                                                • Part of subcall function 00BEACB7: SelectObject.GDI32(?,00000000), ref: 00BEAD51
                                                                • Part of subcall function 00BEACB7: SetBkColor.GDI32(?,00000000), ref: 00BEAD5A
                                                                • Part of subcall function 00BEACB7: SelectObject.GDI32(?,?), ref: 00BEAD67
                                                                • Part of subcall function 00BEACB7: InflateRect.USER32(?,000000FF,000000FF), ref: 00BEAD86
                                                                • Part of subcall function 00BEACB7: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BEAD9D
                                                                • Part of subcall function 00BEACB7: GetWindowLongW.USER32(00000000,000000F0), ref: 00BEADB2
                                                                • Part of subcall function 00BEACB7: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BEADDA
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                              • String ID:
                                                              • API String ID: 3521893082-0
                                                              • Opcode ID: ec478e7dbedc278c4c483fdcc195360a4d0ea9e7085c4dc2b6c1a44f3cf8156f
                                                              • Instruction ID: 40492547c36fd7d8b525c940152addfb1367764dc1967f3230be9cc70ced4c4c
                                                              • Opcode Fuzzy Hash: ec478e7dbedc278c4c483fdcc195360a4d0ea9e7085c4dc2b6c1a44f3cf8156f
                                                              • Instruction Fuzzy Hash: 88916B72018301AFC711AF64DC48A6B7BE9FF89321F105A19F962A71B2DB71E944CF52
                                                              APIs
                                                              • DestroyWindow.USER32(?,?,?), ref: 00B63072
                                                              • DeleteObject.GDI32(00000000), ref: 00B630B8
                                                              • DeleteObject.GDI32(00000000), ref: 00B630C3
                                                              • DestroyIcon.USER32(00000000,?,?,?), ref: 00B630CE
                                                              • DestroyWindow.USER32(00000000,?,?,?), ref: 00B630D9
                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 00B9C6AC
                                                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B9C6E5
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B9CB0E
                                                                • Part of subcall function 00B61F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B62412,?,00000000,?,?,?,?,00B61AA7,00000000,?), ref: 00B61F76
                                                              • SendMessageW.USER32(?,00001053), ref: 00B9CB4B
                                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B9CB62
                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B9CB78
                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B9CB83
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                              • String ID: 0
                                                              • API String ID: 464785882-4108050209
                                                              • Opcode ID: 84b3029ad50bbbe939a81d3ddf62110ec48084d417bed1345e51a65859b64276
                                                              • Instruction ID: 3b2c176b9476239e727cc3b4c2222755a78d5ba2626b97c45d90a5f696f49952
                                                              • Opcode Fuzzy Hash: 84b3029ad50bbbe939a81d3ddf62110ec48084d417bed1345e51a65859b64276
                                                              • Instruction Fuzzy Hash: 9D127930604201EFDB25DF24C888BA9BBE5FF48710F1485B9E999DB262CB35ED45CB91
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                              • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                              • API String ID: 2660009612-1645009161
                                                              • Opcode ID: e3f293a35dc7799e5f8b81096549c21c8fd57b0b9f86b961bbb49cf9042faa34
                                                              • Instruction ID: 0be16e5643e4ef18fa337043ac75798aaac3c8b08aed923fadd4065ab4ed11b9
                                                              • Opcode Fuzzy Hash: e3f293a35dc7799e5f8b81096549c21c8fd57b0b9f86b961bbb49cf9042faa34
                                                              • Instruction Fuzzy Hash: 60A19430A0420ABBCB14BF50CC92EBE77F4EF45B40F0480E9F929672A2DB719A05D761
                                                              APIs
                                                              • DestroyWindow.USER32(00000000), ref: 00BD798D
                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BD7A4C
                                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00BD7A8A
                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00BD7A9C
                                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00BD7AE2
                                                              • GetClientRect.USER32(00000000,?), ref: 00BD7AEE
                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00BD7B32
                                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BD7B41
                                                              • GetStockObject.GDI32(00000011), ref: 00BD7B51
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00BD7B55
                                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00BD7B65
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BD7B6E
                                                              • DeleteDC.GDI32(00000000), ref: 00BD7B77
                                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BD7BA3
                                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 00BD7BBA
                                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00BD7BF5
                                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BD7C09
                                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 00BD7C1A
                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00BD7C4A
                                                              • GetStockObject.GDI32(00000011), ref: 00BD7C55
                                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BD7C60
                                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00BD7C6A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                              • API String ID: 2910397461-517079104
                                                              • Opcode ID: 61777c894c3867a24371ba280f72e459a460298725a82685659285a59742de97
                                                              • Instruction ID: 069de473534babebba70988e358732874dc0fcc300566bdaa7c5fe6fc19597e5
                                                              • Opcode Fuzzy Hash: 61777c894c3867a24371ba280f72e459a460298725a82685659285a59742de97
                                                              • Instruction Fuzzy Hash: A7A1A471A50209BFEB14DBA4DC4AFBE7BB9EB44710F108154FA15A72E1DB74AD01CB60
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 00BCB1CE
                                                              • GetDriveTypeW.KERNEL32(?,00BF2C4C,?,\\.\,00BF0980), ref: 00BCB2AB
                                                              • SetErrorMode.KERNEL32(00000000,00BF2C4C,?,\\.\,00BF0980), ref: 00BCB409
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$DriveType
                                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                              • API String ID: 2907320926-4222207086
                                                              • Opcode ID: d5c6b54014dae46233aafdf9a23dc3e363b17a2c2f0e4b0059672a9d9c9cdf03
                                                              • Instruction ID: 979eed64e69413e9dd7b039b96ba98609c073dbc711da49937a12bc9c55f674d
                                                              • Opcode Fuzzy Hash: d5c6b54014dae46233aafdf9a23dc3e363b17a2c2f0e4b0059672a9d9c9cdf03
                                                              • Instruction Fuzzy Hash: A051C430654245EB8B10EB24D9E3EFD77E1EF85700F2080EEE406AB291D7B09D95EB55
                                                              APIs
                                                              • GetSysColor.USER32(00000012), ref: 00BEACF0
                                                              • SetTextColor.GDI32(?,?), ref: 00BEACF4
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00BEAD0A
                                                              • GetSysColor.USER32(0000000F), ref: 00BEAD15
                                                              • CreateSolidBrush.GDI32(?), ref: 00BEAD1A
                                                              • GetSysColor.USER32(00000011), ref: 00BEAD32
                                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BEAD40
                                                              • SelectObject.GDI32(?,00000000), ref: 00BEAD51
                                                              • SetBkColor.GDI32(?,00000000), ref: 00BEAD5A
                                                              • SelectObject.GDI32(?,?), ref: 00BEAD67
                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00BEAD86
                                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BEAD9D
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00BEADB2
                                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BEADDA
                                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00BEAE01
                                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 00BEAE1F
                                                              • DrawFocusRect.USER32(?,?), ref: 00BEAE2A
                                                              • GetSysColor.USER32(00000011), ref: 00BEAE38
                                                              • SetTextColor.GDI32(?,00000000), ref: 00BEAE40
                                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00BEAE54
                                                              • SelectObject.GDI32(?,00BEA9E7), ref: 00BEAE6B
                                                              • DeleteObject.GDI32(?), ref: 00BEAE76
                                                              • SelectObject.GDI32(?,?), ref: 00BEAE7C
                                                              • DeleteObject.GDI32(?), ref: 00BEAE81
                                                              • SetTextColor.GDI32(?,?), ref: 00BEAE87
                                                              • SetBkColor.GDI32(?,?), ref: 00BEAE91
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                              • String ID:
                                                              • API String ID: 1996641542-0
                                                              • Opcode ID: 4ab29024e6e2bad0af1d5ecef46fd896631d7a09d30d2c858bbf37872fd8bc53
                                                              • Instruction ID: 6a55ee0f7a2c2012602eed826fc749a86f55f3b6b2b20074ed26435d1c30bc4b
                                                              • Opcode Fuzzy Hash: 4ab29024e6e2bad0af1d5ecef46fd896631d7a09d30d2c858bbf37872fd8bc53
                                                              • Instruction Fuzzy Hash: 10514271910208BFDF11AFA5DC48EAE7BB9FF08320F118555F915AB2A2DB719A40DF90
                                                              APIs
                                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BE8EAE
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BE8EBF
                                                              • CharNextW.USER32(0000014E), ref: 00BE8EEE
                                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BE8F2F
                                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BE8F45
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BE8F56
                                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00BE8F73
                                                              • SetWindowTextW.USER32(?,0000014E), ref: 00BE8FC5
                                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00BE8FDB
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00BE900C
                                                              • _memset.LIBCMT ref: 00BE9031
                                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00BE907A
                                                              • _memset.LIBCMT ref: 00BE90D9
                                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BE9103
                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00BE915B
                                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 00BE9208
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00BE922A
                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BE9274
                                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BE92A1
                                                              • DrawMenuBar.USER32(?), ref: 00BE92B0
                                                              • SetWindowTextW.USER32(?,0000014E), ref: 00BE92D8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                              • String ID: 0
                                                              • API String ID: 1073566785-4108050209
                                                              • Opcode ID: 179b2245dea75b4240a94275b9f7dd27d92f97a0c0fd99aae019f351ef31d52f
                                                              • Instruction ID: 3aca1f19d497c17a1be4fbd9dedf5288758f3dc4059f0b962301f99997f80703
                                                              • Opcode Fuzzy Hash: 179b2245dea75b4240a94275b9f7dd27d92f97a0c0fd99aae019f351ef31d52f
                                                              • Instruction Fuzzy Hash: 2BE15D74900258AFDF209F56DC84EEE7BF9EF05710F108195FA19AB2A1DB708A85DF60
                                                              APIs
                                                              • GetCursorPos.USER32(?), ref: 00BE4DCF
                                                              • GetDesktopWindow.USER32 ref: 00BE4DE4
                                                              • GetWindowRect.USER32(00000000), ref: 00BE4DEB
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BE4E4D
                                                              • DestroyWindow.USER32(?), ref: 00BE4E79
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BE4EA2
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BE4EC0
                                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00BE4EE6
                                                              • SendMessageW.USER32(?,00000421,?,?), ref: 00BE4EFB
                                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00BE4F0E
                                                              • IsWindowVisible.USER32(?), ref: 00BE4F2E
                                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00BE4F49
                                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00BE4F5D
                                                              • GetWindowRect.USER32(?,?), ref: 00BE4F75
                                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00BE4F9B
                                                              • GetMonitorInfoW.USER32(00000000,?), ref: 00BE4FB5
                                                              • CopyRect.USER32(?,?), ref: 00BE4FCC
                                                              • SendMessageW.USER32(?,00000412,00000000), ref: 00BE5037
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                              • String ID: ($0$tooltips_class32
                                                              • API String ID: 698492251-4156429822
                                                              • Opcode ID: 769962e26a2ce7212bd791b0c9d1c1a16ef86af87aa3f442555d4123a20f9468
                                                              • Instruction ID: 43cb5d621cb516bf3d6f48c343fa1dd534e7704f6555422aa5c7977f7e51c0b4
                                                              • Opcode Fuzzy Hash: 769962e26a2ce7212bd791b0c9d1c1a16ef86af87aa3f442555d4123a20f9468
                                                              • Instruction Fuzzy Hash: BAB19C71604781AFDB14DF25C884B6ABBE4FF84710F008A5CF5999B2A2DB75EC05CB92
                                                              APIs
                                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00BC4809
                                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00BC482F
                                                              • _wcscpy.LIBCMT ref: 00BC485D
                                                              • _wcscmp.LIBCMT ref: 00BC4868
                                                              • _wcscat.LIBCMT ref: 00BC487E
                                                              • _wcsstr.LIBCMT ref: 00BC4889
                                                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00BC48A5
                                                              • _wcscat.LIBCMT ref: 00BC48EE
                                                              • _wcscat.LIBCMT ref: 00BC48F5
                                                              • _wcsncpy.LIBCMT ref: 00BC4920
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                              • API String ID: 699586101-1459072770
                                                              • Opcode ID: deee7ee1e04a11a8447d100f73e7dd0be13cd3e7f1c06501e2e7b9548f1212d5
                                                              • Instruction ID: 772995e016f759355528dd64bce1dc68faa6036bb93821a82744c8cbc08ec656
                                                              • Opcode Fuzzy Hash: deee7ee1e04a11a8447d100f73e7dd0be13cd3e7f1c06501e2e7b9548f1212d5
                                                              • Instruction Fuzzy Hash: 8541F272A042147AEB15BB648C43FBF7BECDF45710F0040EAFA04A71A2EB749A01D7A5
                                                              APIs
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B62C8C
                                                              • GetSystemMetrics.USER32(00000007), ref: 00B62C94
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B62CBF
                                                              • GetSystemMetrics.USER32(00000008), ref: 00B62CC7
                                                              • GetSystemMetrics.USER32(00000004), ref: 00B62CEC
                                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B62D09
                                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B62D19
                                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B62D4C
                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B62D60
                                                              • GetClientRect.USER32(00000000,000000FF), ref: 00B62D7E
                                                              • GetStockObject.GDI32(00000011), ref: 00B62D9A
                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00B62DA5
                                                                • Part of subcall function 00B62714: GetCursorPos.USER32(?), ref: 00B62727
                                                                • Part of subcall function 00B62714: ScreenToClient.USER32(00C267B0,?), ref: 00B62744
                                                                • Part of subcall function 00B62714: GetAsyncKeyState.USER32(00000001), ref: 00B62769
                                                                • Part of subcall function 00B62714: GetAsyncKeyState.USER32(00000002), ref: 00B62777
                                                              • SetTimer.USER32(00000000,00000000,00000028,00B61473), ref: 00B62DCC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                              • String ID: AutoIt v3 GUI
                                                              • API String ID: 1458621304-248962490
                                                              • Opcode ID: 6420f7c9c8760af3be6744615fa0cc665344a9d81fac39cdf067f5a5cf16e0b6
                                                              • Instruction ID: 367c78c7f42e27d665557243e08091faf1d1327b70b03b015f16ffbc3a0b51f9
                                                              • Opcode Fuzzy Hash: 6420f7c9c8760af3be6744615fa0cc665344a9d81fac39cdf067f5a5cf16e0b6
                                                              • Instruction Fuzzy Hash: 80B14E71A1020AAFEF14DFA8DC85BAD7BF4FB08714F104169FA15A72A0DB74A851CF64
                                                              APIs
                                                                • Part of subcall function 00B71821: _memmove.LIBCMT ref: 00B7185B
                                                              • GetForegroundWindow.USER32(00BF0980,?,?,?,?,?), ref: 00B8040E
                                                              • IsWindow.USER32(?), ref: 00BB64A0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$Foreground_memmove
                                                              • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                              • API String ID: 3828923867-1919597938
                                                              • Opcode ID: 8ae619547f41d58bfdadd29ef5c86e59003f3e1a58ca640db60820657323dd1e
                                                              • Instruction ID: 8fbdc9e070c9da01b7c4421b76ce088868f2c88db3d8eac6b38d3fa10e152dde
                                                              • Opcode Fuzzy Hash: 8ae619547f41d58bfdadd29ef5c86e59003f3e1a58ca640db60820657323dd1e
                                                              • Instruction Fuzzy Hash: 58D1C5701046029BCB08FF24C4919FABBE5FF54344F508A99F46A436A2DBB4ED99CF91
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?), ref: 00BE4274
                                                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00BE4334
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: BuffCharMessageSendUpper
                                                              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                              • API String ID: 3974292440-719923060
                                                              • Opcode ID: 9b604ecad96942499e5ba0c48aede6fae39acc30ba208cdf6e72f5df5c2c3b04
                                                              • Instruction ID: 742003619b758dd62bdadc4a17d06afdba17a6c80acc26a72082529ae1c1c1fe
                                                              • Opcode Fuzzy Hash: 9b604ecad96942499e5ba0c48aede6fae39acc30ba208cdf6e72f5df5c2c3b04
                                                              • Instruction Fuzzy Hash: 77A14D702146419BCB14FF25C892A7AB3E5FF85354F1089E8B8669B3D2DB74EC09CB51
                                                              APIs
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 00BBAF5E
                                                              • __swprintf.LIBCMT ref: 00BBAFFF
                                                              • _wcscmp.LIBCMT ref: 00BBB012
                                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00BBB067
                                                              • _wcscmp.LIBCMT ref: 00BBB0A3
                                                              • GetClassNameW.USER32(?,?,00000400), ref: 00BBB0DA
                                                              • GetDlgCtrlID.USER32(?), ref: 00BBB12C
                                                              • GetWindowRect.USER32(?,?), ref: 00BBB162
                                                              • GetParent.USER32(?), ref: 00BBB180
                                                              • ScreenToClient.USER32(00000000), ref: 00BBB187
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 00BBB201
                                                              • _wcscmp.LIBCMT ref: 00BBB215
                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 00BBB23B
                                                              • _wcscmp.LIBCMT ref: 00BBB24F
                                                                • Part of subcall function 00B8378E: _iswctype.LIBCMT ref: 00B83796
                                                              Similarity
                                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                              • String ID: %s%u
                                                              APIs
                                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 00BBB894
                                                              • _wcscmp.LIBCMT ref: 00BBB8A5
                                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 00BBB8CD
                                                              • CharUpperBuffW.USER32(?,00000000), ref: 00BBB8EA
                                                              • _wcscmp.LIBCMT ref: 00BBB908
                                                              • _wcsstr.LIBCMT ref: 00BBB919
                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 00BBB951
                                                              • _wcscmp.LIBCMT ref: 00BBB961
                                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 00BBB988
                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 00BBB9D1
                                                              • _wcscmp.LIBCMT ref: 00BBB9E1
                                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 00BBBA09
                                                              • GetWindowRect.USER32(00000004,?), ref: 00BBBA72
                                                              Similarity
                                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                              • String ID: @$ThumbnailClass
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                              APIs
                                                              • LoadIconW.USER32(00000063), ref: 00BBC98D
                                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BBC99F
                                                              • SetWindowTextW.USER32(?,?), ref: 00BBC9B6
                                                              • GetDlgItem.USER32(?,000003EA), ref: 00BBC9CB
                                                              • SetWindowTextW.USER32(00000000,?), ref: 00BBC9D1
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00BBC9E1
                                                              • SetWindowTextW.USER32(00000000,?), ref: 00BBC9E7
                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00BBCA08
                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00BBCA22
                                                              • GetWindowRect.USER32(?,?), ref: 00BBCA2B
                                                              • SetWindowTextW.USER32(?,?), ref: 00BBCA96
                                                              • GetDesktopWindow.USER32 ref: 00BBCA9C
                                                              • GetWindowRect.USER32(00000000), ref: 00BBCAA3
                                                              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00BBCAEF
                                                              • GetClientRect.USER32(?,?), ref: 00BBCAFC
                                                              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00BBCB21
                                                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00BBCB4C
                                                              Similarity
                                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                              APIs
                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00BD54C3
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00BD54CE
                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00BD54D9
                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00BD54E4
                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 00BD54EF
                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 00BD54FA
                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00BD5505
                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00BD5510
                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00BD551B
                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00BD5526
                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00BD5531
                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00BD553C
                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00BD5547
                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00BD5552
                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00BD555D
                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00BD5568
                                                              • GetCursorInfo.USER32(?), ref: 00BD5578
                                                              Similarity
                                                              • API ID: Cursor$Load$Info
                                                              APIs
                                                              • _memset.LIBCMT ref: 00BEA646
                                                              • DestroyWindow.USER32(00000000,?), ref: 00BEA6C0
                                                                • Part of subcall function 00B71821: _memmove.LIBCMT ref: 00B7185B
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BEA73A
                                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BEA75C
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BEA76F
                                                              • DestroyWindow.USER32(00000000), ref: 00BEA791
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B60000,00000000), ref: 00BEA7C8
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BEA7E1
                                                              • GetDesktopWindow.USER32 ref: 00BEA7FA
                                                              • GetWindowRect.USER32(00000000), ref: 00BEA801
                                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BEA819
                                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BEA831
                                                                • Part of subcall function 00B629AB: GetWindowLongW.USER32(?,000000EB), ref: 00B629BC
                                                              Similarity
                                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                              • String ID: 0$tooltips_class32
                                                              APIs
                                                                • Part of subcall function 00B629E2: GetWindowLongW.USER32(?,000000EB), ref: 00B629F3
                                                              • DragQueryPoint.SHELL32(?,?), ref: 00BECA4A
                                                                • Part of subcall function 00BEAF24: ClientToScreen.USER32(?,?), ref: 00BEAF4D
                                                                • Part of subcall function 00BEAF24: GetWindowRect.USER32(?,?), ref: 00BEAFC3
                                                                • Part of subcall function 00BEAF24: PtInRect.USER32(?,?,00BEC437), ref: 00BEAFD3
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00BECAB3
                                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BECABE
                                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BECAE1
                                                              • _wcscat.LIBCMT ref: 00BECB11
                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BECB28
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00BECB41
                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 00BECB58
                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 00BECB7A
                                                              • DragFinish.SHELL32(?), ref: 00BECB81
                                                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00BECC74
                                                              Similarity
                                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                              APIs
                                                              • VariantInit.OLEAUT32(00000000), ref: 00BC8187
                                                              • VariantCopy.OLEAUT32(00000000,?), ref: 00BC8190
                                                              • VariantClear.OLEAUT32(00000000), ref: 00BC819C
                                                              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00BC828A
                                                              • __swprintf.LIBCMT ref: 00BC82BA
                                                              • VarR8FromDec.OLEAUT32(?,?), ref: 00BC82E6
                                                              • VariantInit.OLEAUT32(?), ref: 00BC8397
                                                              • SysFreeString.OLEAUT32(?), ref: 00BC842B
                                                              • VariantClear.OLEAUT32(?), ref: 00BC8485
                                                              • VariantClear.OLEAUT32(?), ref: 00BC8494
                                                              • VariantInit.OLEAUT32(00000000), ref: 00BC84D2
                                                              Similarity
                                                              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                              • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?), ref: 00BE4829
                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BE4874
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: BuffCharMessageSendUpper
                                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                              • API String ID: 3974292440-4258414348
                                                              • Opcode ID: ac028ef58e36d8e659be452c5847fd26958ec7ed88810fdb7218a8a0b684fc98
                                                              • Instruction ID: 5388730dae3bcf6f80d079eb502c09f5b4c84af967badd4b8bbf47480a3bd6ef
                                                              • Opcode Fuzzy Hash: ac028ef58e36d8e659be452c5847fd26958ec7ed88810fdb7218a8a0b684fc98
                                                              • Instruction Fuzzy Hash: 18918D746046419FCB04FF11C451AAAB7E5EF85354F0089E8F8A65B3A3CB74ED4ACB82
                                                              APIs
                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BEBCA1
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00BE95AF), ref: 00BEBCFD
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BEBD36
                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BEBD79
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BEBDB0
                                                              • FreeLibrary.KERNEL32(?), ref: 00BEBDBC
                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BEBDCC
                                                              • DestroyIcon.USER32(?,?,?,?,?,00BE95AF), ref: 00BEBDDB
                                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BEBDF8
                                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BEBE04
                                                                • Part of subcall function 00B8305F: __wcsicmp_l.LIBCMT ref: 00B830E8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                              • String ID: .dll$.exe$.icl
                                                              • API String ID: 1212759294-1154884017
                                                              • Opcode ID: 573adbfc08af30cc50a1bf5fefc89f78ac7e7fb712b338dd070ef5510b29bf70
                                                              • Instruction ID: b277b5ef98745a7183d61bb73552806304c9fe639a2cf0e8f1441c4578eda19a
                                                              • Opcode Fuzzy Hash: 573adbfc08af30cc50a1bf5fefc89f78ac7e7fb712b338dd070ef5510b29bf70
                                                              • Instruction Fuzzy Hash: 5A61DE71500255BAEB14EB65CC81FBF77E8EB08710F1082A5F915D61E1DBB4AE90DBA0
                                                              APIs
                                                              • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00BCA12F
                                                                • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
                                                              • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00BCA150
                                                              • __swprintf.LIBCMT ref: 00BCA1A9
                                                              • __swprintf.LIBCMT ref: 00BCA1C2
                                                              • _wprintf.LIBCMT ref: 00BCA269
                                                              • _wprintf.LIBCMT ref: 00BCA287
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: LoadString__swprintf_wprintf$_memmove
                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                              • API String ID: 311963372-3080491070
                                                              • Opcode ID: 076ac27a7b4db390ca294fce69666c4b2f7088891949b5336f5d5310fad2cbb6
                                                              • Instruction ID: 3da1268dc53b07e134b817f4dbac70e758b781202b53188441746507b437ac0b
                                                              • Opcode Fuzzy Hash: 076ac27a7b4db390ca294fce69666c4b2f7088891949b5336f5d5310fad2cbb6
                                                              • Instruction Fuzzy Hash: E0518F71900119AACF25EBE8CD52EEEB7F9EF04340F1045A5F519B20A2DA312F99DB61
                                                              APIs
                                                                • Part of subcall function 00B64D37: __itow.LIBCMT ref: 00B64D62
                                                                • Part of subcall function 00B64D37: __swprintf.LIBCMT ref: 00B64DAC
                                                              • CharLowerBuffW.USER32(?,?), ref: 00BCA87B
                                                              • GetDriveTypeW.KERNEL32 ref: 00BCA8C8
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BCA910
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BCA947
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BCA975
                                                                • Part of subcall function 00B71821: _memmove.LIBCMT ref: 00B7185B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                              • API String ID: 2698844021-4113822522
                                                              • Opcode ID: f9a62ef27d6ec55d4ba2147336358c6fa4cdc09c9a16c7eaaea907965c030b23
                                                              • Instruction ID: bfb289d075def4795a5b47613af98e4f697c5fb561b0ee93dafc5521b4ce70b0
                                                              • Opcode Fuzzy Hash: f9a62ef27d6ec55d4ba2147336358c6fa4cdc09c9a16c7eaaea907965c030b23
                                                              • Instruction Fuzzy Hash: 1C515EB15047059FC700EF24C891D6AB7E8FF85758F5089ACF89997261DB31AD09CB92
                                                              APIs
                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BCA6BF
                                                              • __swprintf.LIBCMT ref: 00BCA6E1
                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00BCA71E
                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BCA743
                                                              • _memset.LIBCMT ref: 00BCA762
                                                              • _wcsncpy.LIBCMT ref: 00BCA79E
                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BCA7D3
                                                              • CloseHandle.KERNEL32(00000000), ref: 00BCA7DE
                                                              • RemoveDirectoryW.KERNEL32(?), ref: 00BCA7E7
                                                              • CloseHandle.KERNEL32(00000000), ref: 00BCA7F1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                              • String ID: :$\$\??\%s
                                                              • API String ID: 2733774712-3457252023
                                                              • Opcode ID: 1150c71fcd406405a4de9f01bc77085719cdadf8ba8d91cb94ec0a932325d93f
                                                              • Instruction ID: 8ab079e495b837fa39a8920eda411d320c3d78f60e6a7b1006e3c7257930a4f8
                                                              • Opcode Fuzzy Hash: 1150c71fcd406405a4de9f01bc77085719cdadf8ba8d91cb94ec0a932325d93f
                                                              • Instruction Fuzzy Hash: D931707150010AABDB20AFA0DC49FBB37B8EF89704F1040AAF909D3161EA709A84CB25
                                                              APIs
                                                                • Part of subcall function 00B629E2: GetWindowLongW.USER32(?,000000EB), ref: 00B629F3
                                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BEC61F
                                                              • GetFocus.USER32 ref: 00BEC62F
                                                              • GetDlgCtrlID.USER32(00000000), ref: 00BEC63A
                                                              • _memset.LIBCMT ref: 00BEC765
                                                              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00BEC790
                                                              • GetMenuItemCount.USER32(?), ref: 00BEC7B0
                                                              • GetMenuItemID.USER32(?,00000000), ref: 00BEC7C3
                                                              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00BEC7F7
                                                              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00BEC83F
                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BEC877
                                                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00BEC8AC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                              • String ID: 0
                                                              • API String ID: 1296962147-4108050209
                                                              • Opcode ID: 0859ee12b0eddb1ae0267a515d166612c4c49d27049921c3af8a3d38c7713f1f
                                                              • Instruction ID: da079351d673e495f49d6ddd3c83cd1a56a79408a38c00f062d8e075c728744d
                                                              • Opcode Fuzzy Hash: 0859ee12b0eddb1ae0267a515d166612c4c49d27049921c3af8a3d38c7713f1f
                                                              • Instruction Fuzzy Hash: 1C818D70608381AFD724DF15D984A7BBBE4FB88314F0049AEF995972A1D770DC06CBA2
                                                              APIs
                                                                • Part of subcall function 00BB8C03: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BB8C1F
                                                                • Part of subcall function 00BB8C03: GetLastError.KERNEL32(?,00BB86E3,?,?,?), ref: 00BB8C29
                                                                • Part of subcall function 00BB8C03: GetProcessHeap.KERNEL32(00000008,?,?,00BB86E3,?,?,?), ref: 00BB8C38
                                                                • Part of subcall function 00BB8C03: HeapAlloc.KERNEL32(00000000,?,00BB86E3,?,?,?), ref: 00BB8C3F
                                                                • Part of subcall function 00BB8C03: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BB8C56
                                                                • Part of subcall function 00BB8CA0: GetProcessHeap.KERNEL32(00000008,00BB86F9,00000000,00000000,?,00BB86F9,?), ref: 00BB8CAC
                                                                • Part of subcall function 00BB8CA0: HeapAlloc.KERNEL32(00000000,?,00BB86F9,?), ref: 00BB8CB3
                                                                • Part of subcall function 00BB8CA0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00BB86F9,?), ref: 00BB8CC4
                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BB8911
                                                              • _memset.LIBCMT ref: 00BB8926
                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BB8945
                                                              • GetLengthSid.ADVAPI32(?), ref: 00BB8956
                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00BB8993
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BB89AF
                                                              • GetLengthSid.ADVAPI32(?), ref: 00BB89CC
                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00BB89DB
                                                              • HeapAlloc.KERNEL32(00000000), ref: 00BB89E2
                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BB8A03
                                                              • CopySid.ADVAPI32(00000000), ref: 00BB8A0A
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BB8A3B
                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BB8A61
                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BB8A75
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                              • String ID:
                                                              • API String ID: 3996160137-0
                                                              • Opcode ID: df57e323e0387e6cde47455e64fafb865e5fd57a90aeefcd2182432bb80d5393
                                                              • Instruction ID: b9cae5cd31d54fee1b5648dcc2116b1422168dff2cae4520383d50f81dde3f95
                                                              • Opcode Fuzzy Hash: df57e323e0387e6cde47455e64fafb865e5fd57a90aeefcd2182432bb80d5393
                                                              • Instruction Fuzzy Hash: 7C6119B5900209AFDF10DFA5DC45AFEBBB9FF04300F0481AAE915A72A1DF759A15CB60
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 00BD783E
                                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00BD784A
                                                              • CreateCompatibleDC.GDI32(?), ref: 00BD7856
                                                              • SelectObject.GDI32(00000000,?), ref: 00BD7863
                                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00BD78B7
                                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00BD78F3
                                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00BD7917
                                                              • SelectObject.GDI32(00000006,?), ref: 00BD791F
                                                              • DeleteObject.GDI32(?), ref: 00BD7928
                                                              • DeleteDC.GDI32(00000006), ref: 00BD792F
                                                              • ReleaseDC.USER32(00000000,?), ref: 00BD793A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                              • String ID: (
                                                              • API String ID: 2598888154-3887548279
                                                              • Opcode ID: 86239e8e92c467dbb706352257f57fb54cf2ef92e88639a3c5389bd25ffcffff
                                                              • Instruction ID: 5c3e31230834a74bc7ea35392ccbb60788a87726dc6ffadbcb1381746b7feb49
                                                              • Opcode Fuzzy Hash: 86239e8e92c467dbb706352257f57fb54cf2ef92e88639a3c5389bd25ffcffff
                                                              • Instruction Fuzzy Hash: BC514C71944209AFCB15DFA9CC89EAEBBF9EF48310F14845EF959A7321DB31A940CB50
                                                              APIs
                                                              • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00BCA341
                                                                • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
                                                              • LoadStringW.USER32(?,?,00000FFF,?), ref: 00BCA363
                                                              • __swprintf.LIBCMT ref: 00BCA3BC
                                                              • __swprintf.LIBCMT ref: 00BCA3D5
                                                              • _wprintf.LIBCMT ref: 00BCA48B
                                                              • _wprintf.LIBCMT ref: 00BCA4A9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: LoadString__swprintf_wprintf$_memmove
                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                              • API String ID: 311963372-2391861430
                                                              • Opcode ID: a690a46ffade8361c1bd13f337831c1fd6e2b50c616a36f83764a0a380a59455
                                                              • Instruction ID: 605a393e7e48ff9583841870e9d581102e8407576b3b848a5e0d53b832fb7e26
                                                              • Opcode Fuzzy Hash: a690a46ffade8361c1bd13f337831c1fd6e2b50c616a36f83764a0a380a59455
                                                              • Instruction Fuzzy Hash: C451AE7180010DAACF15EBE8CD96FEEB7B9EF04300F1085A5F519A21A2DB312F59DB61
                                                              APIs
                                                                • Part of subcall function 00BC9387: __time64.LIBCMT ref: 00BC9391
                                                                • Part of subcall function 00B74A8C: _fseek.LIBCMT ref: 00B74AA4
                                                              • __wsplitpath.LIBCMT ref: 00BC965C
                                                                • Part of subcall function 00B8424E: __wsplitpath_helper.LIBCMT ref: 00B8428E
                                                              • _wcscpy.LIBCMT ref: 00BC966F
                                                              • _wcscat.LIBCMT ref: 00BC9682
                                                              • __wsplitpath.LIBCMT ref: 00BC96A7
                                                              • _wcscat.LIBCMT ref: 00BC96BD
                                                              • _wcscat.LIBCMT ref: 00BC96D0
                                                                • Part of subcall function 00BC93CD: _memmove.LIBCMT ref: 00BC9406
                                                                • Part of subcall function 00BC93CD: _memmove.LIBCMT ref: 00BC9415
                                                              • _wcscmp.LIBCMT ref: 00BC9617
                                                                • Part of subcall function 00BC9B5E: _wcscmp.LIBCMT ref: 00BC9C4E
                                                                • Part of subcall function 00BC9B5E: _wcscmp.LIBCMT ref: 00BC9C61
                                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00BC987A
                                                              • _wcsncpy.LIBCMT ref: 00BC98ED
                                                              • DeleteFileW.KERNEL32(?,?), ref: 00BC9923
                                                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00BC9939
                                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BC994A
                                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BC995C
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                              • String ID:
                                                              • API String ID: 1500180987-0
                                                              • Opcode ID: 6490b9cc84659472ae2448703ae66b6b3d05e55b3b6e71f9b8f0cab548af8f75
                                                              • Instruction ID: e445c9558464e85bd730b82d7a161fec4fde6c6d4035372aec1833bb622c22d5
                                                              • Opcode Fuzzy Hash: 6490b9cc84659472ae2448703ae66b6b3d05e55b3b6e71f9b8f0cab548af8f75
                                                              • Instruction Fuzzy Hash: 87C1E7B1900229AADF21DF95CC89EDEB7F9EF55310F0040EAE609E7151EB709A84CF65
                                                              APIs
                                                              • _memset.LIBCMT ref: 00B75BF1
                                                              • GetMenuItemCount.USER32(00C26890), ref: 00BB0DFB
                                                              • GetMenuItemCount.USER32(00C26890), ref: 00BB0EAB
                                                              • GetCursorPos.USER32(?), ref: 00BB0EEF
                                                              • SetForegroundWindow.USER32(00000000), ref: 00BB0EF8
                                                              • TrackPopupMenuEx.USER32(00C26890,00000000,?,00000000,00000000,00000000), ref: 00BB0F0B
                                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BB0F17
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                              • String ID:
                                                              • API String ID: 2751501086-0
                                                              • Opcode ID: 172bc8d5f88d06a0045bc78b6c3d9401ec56c3fdc53d9affe7edbf29e23f6c0b
                                                              • Instruction ID: 233a86fd6165156b48af7975636a49c2b3d57aac0133560105c1cd911021ba3f
                                                              • Opcode Fuzzy Hash: 172bc8d5f88d06a0045bc78b6c3d9401ec56c3fdc53d9affe7edbf29e23f6c0b
                                                              • Instruction Fuzzy Hash: 33719370650609BBEB21AB64DC85FFABFA4FF04754F104296F528661E1CBF1A850DB90
                                                              APIs
                                                                • Part of subcall function 00B71821: _memmove.LIBCMT ref: 00B7185B
                                                              • _memset.LIBCMT ref: 00BB826C
                                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00BB82A1
                                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00BB82BD
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00BB82D9
                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00BB8303
                                                              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00BB832B
                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BB8336
                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BB833B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                              • API String ID: 1411258926-22481851
                                                              • Opcode ID: ebeb4db6bf149403d372cb11a264784ca51db58ff2ef363c313f8242b372219e
                                                              • Instruction ID: df5f0ae5d1554cbbaba9ba6cdff6ab9701a63cdb8ca4bf14fc442ee58ec8decf
                                                              • Opcode Fuzzy Hash: ebeb4db6bf149403d372cb11a264784ca51db58ff2ef363c313f8242b372219e
                                                              • Instruction Fuzzy Hash: 9E410872C1022DABCF15EBA8DC959FDB7B8FF04740B0085A9F915A7161DE709E45CBA0
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BE01D5,?,?), ref: 00BE1259
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                              • API String ID: 3964851224-909552448
                                                              • Opcode ID: fdc40614902a56ebc0648771ac3e6fc73bf4a67365a587f87cbb8d420824bb2b
                                                              • Instruction ID: d79322fca3e6741241a43cdfe5c9279e34bc0277e557726c9cd20c000d590f66
                                                              • Opcode Fuzzy Hash: fdc40614902a56ebc0648771ac3e6fc73bf4a67365a587f87cbb8d420824bb2b
                                                              • Instruction Fuzzy Hash: C841B2701112869BCF04FF18D851AFE33A4FF52350F604994FC660B6A2DB749D59CB61
                                                              APIs
                                                                • Part of subcall function 00B71821: _memmove.LIBCMT ref: 00B7185B
                                                                • Part of subcall function 00B7153B: _memmove.LIBCMT ref: 00B715C4
                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BC5758
                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BC576E
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BC577F
                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BC5791
                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BC57A2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: SendString$_memmove
                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                              • API String ID: 2279737902-1007645807
                                                              • Opcode ID: 10ac8cd90a176173e7429422358f972e29139ea3c08b0875d088f58b1145c75e
                                                              • Instruction ID: 6e200171ea1ed99ea2aac355d254c0ce49d2868543fb38e0789d936a953b6b4c
                                                              • Opcode Fuzzy Hash: 10ac8cd90a176173e7429422358f972e29139ea3c08b0875d088f58b1145c75e
                                                              • Instruction Fuzzy Hash: 9F118670A5011979D720B669DC59DFF7BBCEFD2B40F0048AAB415A20D1DE701D85C5B1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                              • String ID: 0.0.0.0
                                                              • API String ID: 208665112-3771769585
                                                              • Opcode ID: b050f05768f4716cd5477266e1323123a9e937e36f29997ef32ff63ba5966954
                                                              • Instruction ID: de2eabc63be455638b95445d9c5eecdd12873be31554f292e6e3d9bfd54fe94d
                                                              • Opcode Fuzzy Hash: b050f05768f4716cd5477266e1323123a9e937e36f29997ef32ff63ba5966954
                                                              • Instruction Fuzzy Hash: C411C032914108ABCB60BBA09C4AFEA77FCDF40710F0441E9F545970A2EF709A85CBA5
                                                              APIs
                                                              • timeGetTime.WINMM ref: 00BC53A2
                                                                • Part of subcall function 00B8074E: timeGetTime.WINMM(?,00000002,00B6C22C), ref: 00B80752
                                                              • Sleep.KERNEL32(0000000A), ref: 00BC53CE
                                                              • EnumThreadWindows.USER32(?,Function_00065350,00000000), ref: 00BC53F2
                                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BC5414
                                                              • SetActiveWindow.USER32 ref: 00BC5433
                                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BC5441
                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00BC5460
                                                              • Sleep.KERNEL32(000000FA), ref: 00BC546B
                                                              • IsWindow.USER32 ref: 00BC5477
                                                              • EndDialog.USER32(00000000), ref: 00BC5488
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                              • String ID: BUTTON
                                                              • API String ID: 1194449130-3405671355
                                                              • Opcode ID: 7ae61795956c428785656c4b19d54f0c27ec779d32adef47880c1121f1e2ed60
                                                              • Instruction ID: 4f590817fd8d6b1b8168867bc0351c3ecb7664180a7c474d58533ee8b940f3e3
                                                              • Opcode Fuzzy Hash: 7ae61795956c428785656c4b19d54f0c27ec779d32adef47880c1121f1e2ed60
                                                              • Instruction Fuzzy Hash: 27219570224605AFE7206B24DDC9F397BE9EB84746F0015A8F10287572CBB16DD1DB36
                                                              APIs
                                                                • Part of subcall function 00B64D37: __itow.LIBCMT ref: 00B64D62
                                                                • Part of subcall function 00B64D37: __swprintf.LIBCMT ref: 00B64DAC
                                                              • CoInitialize.OLE32(00000000), ref: 00BCDA9A
                                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00BCDB2D
                                                              • SHGetDesktopFolder.SHELL32(?), ref: 00BCDB41
                                                              • CoCreateInstance.OLE32(00BF3D4C,00000000,00000001,00C19BEC,?), ref: 00BCDB8D
                                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00BCDBFC
                                                              • CoTaskMemFree.OLE32(?,?), ref: 00BCDC54
                                                              • _memset.LIBCMT ref: 00BCDC91
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 00BCDCCD
                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BCDCF0
                                                              • CoTaskMemFree.OLE32(00000000), ref: 00BCDCF7
                                                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00BCDD2E
                                                              • CoUninitialize.OLE32(00000001,00000000), ref: 00BCDD30
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                              • String ID:
                                                              • API String ID: 1246142700-0
                                                              • Opcode ID: 67bbbb10a515caf8e6ed1ce7f8e8fa8f025443cab89a89197bb41115db510da7
                                                              • Instruction ID: f451f0c9dd6ad5f238bd535622d203f0a5eea3311b836da2da4ac7d31dc04184
                                                              • Opcode Fuzzy Hash: 67bbbb10a515caf8e6ed1ce7f8e8fa8f025443cab89a89197bb41115db510da7
                                                              • Instruction Fuzzy Hash: 20B1ED75A00109AFDB14DFA4C884EAEBBF9FF48314B1484A9F909DB261DB30ED45CB50
                                                              APIs
                                                              • GetKeyboardState.USER32(?), ref: 00BC0702
                                                              • SetKeyboardState.USER32(?), ref: 00BC076D
                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00BC078D
                                                              • GetKeyState.USER32(000000A0), ref: 00BC07A4
                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00BC07D3
                                                              • GetKeyState.USER32(000000A1), ref: 00BC07E4
                                                              • GetAsyncKeyState.USER32(00000011), ref: 00BC0810
                                                              • GetKeyState.USER32(00000011), ref: 00BC081E
                                                              • GetAsyncKeyState.USER32(00000012), ref: 00BC0847
                                                              • GetKeyState.USER32(00000012), ref: 00BC0855
                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00BC087E
                                                              • GetKeyState.USER32(0000005B), ref: 00BC088C
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: State$Async$Keyboard
                                                              • String ID:
                                                              • API String ID: 541375521-0
                                                              • Opcode ID: c716a42871483770fcce0bd2b10815039f623cbe2dd030511d05152e543ca20e
                                                              • Instruction ID: 325aeb33967f883ad4597e14b3cfe4ae1e2a6f015aa088132d4f7b9ce59365c1
                                                              • Opcode Fuzzy Hash: c716a42871483770fcce0bd2b10815039f623cbe2dd030511d05152e543ca20e
                                                              • Instruction Fuzzy Hash: 4151CB20A1478869FB35FBB48455FAABFF4DF11340F0845DE99C25B1C3DA64AA4CCBA1
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000001), ref: 00BBCBFF
                                                              • GetWindowRect.USER32(00000000,?), ref: 00BBCC11
                                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00BBCC6F
                                                              • GetDlgItem.USER32(?,00000002), ref: 00BBCC7A
                                                              • GetWindowRect.USER32(00000000,?), ref: 00BBCC8C
                                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00BBCCE0
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00BBCCEE
                                                              • GetWindowRect.USER32(00000000,?), ref: 00BBCCFF
                                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00BBCD42
                                                              • GetDlgItem.USER32(?,000003EA), ref: 00BBCD50
                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BBCD6D
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00BBCD7A
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                              • String ID:
                                                              • API String ID: 3096461208-0
                                                              • Opcode ID: cd280a963fa4df18a048bce5855443f426ddd369db7cbf647ab6b8eac1be2c9d
                                                              • Instruction ID: c609d8642abcbc09bfe4d74a0ad8b0d49dfd861043d715d1d41e33d2ae98f138
                                                              • Opcode Fuzzy Hash: cd280a963fa4df18a048bce5855443f426ddd369db7cbf647ab6b8eac1be2c9d
                                                              • Instruction Fuzzy Hash: B3513E71B10205BFDB18DF68DD89ABEBBB6EB88710F148169F515D7291DBB0AD00CB50
                                                              APIs
                                                                • Part of subcall function 00B61F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B62412,?,00000000,?,?,?,?,00B61AA7,00000000,?), ref: 00B61F76
                                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B624AF
                                                              • KillTimer.USER32(-00000001,?,?,?,?,00B61AA7,00000000,?,?,00B61EBE,?,?), ref: 00B6254A
                                                              • DestroyAcceleratorTable.USER32(00000000), ref: 00B9BF17
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B61AA7,00000000,?,?,00B61EBE,?,?), ref: 00B9BF48
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B61AA7,00000000,?,?,00B61EBE,?,?), ref: 00B9BF5F
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B61AA7,00000000,?,?,00B61EBE,?,?), ref: 00B9BF7B
                                                              • DeleteObject.GDI32(00000000), ref: 00B9BF8D
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                              • String ID:
                                                              • API String ID: 641708696-0
                                                              • Opcode ID: 69637667abe27a6652501fada05d001b60ac744175d63831c224bcc13caed935
                                                              • Instruction ID: b93c3334929a57536f0b89c80ddc2ad5456ba3ed80a026b460a6d9d033574dcd
                                                              • Opcode Fuzzy Hash: 69637667abe27a6652501fada05d001b60ac744175d63831c224bcc13caed935
                                                              • Instruction Fuzzy Hash: 6B618C31520A11DFEB35AF18ED89B3977F1FB40316F1085A8E54257AB0CB79A891DFA0
                                                              APIs
                                                                • Part of subcall function 00B629AB: GetWindowLongW.USER32(?,000000EB), ref: 00B629BC
                                                              • GetSysColor.USER32(0000000F), ref: 00B625AF
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ColorLongWindow
                                                              • String ID:
                                                              • API String ID: 259745315-0
                                                              • Opcode ID: cc756cb37bcc03030785e2b73c71ef5c2f7f121f3ada4f860dae942ff38cb343
                                                              • Instruction ID: dcc5c3e2387f7e636db392119e89f9f4682a4b8b226b25ec9e737dac9c710b6e
                                                              • Opcode Fuzzy Hash: cc756cb37bcc03030785e2b73c71ef5c2f7f121f3ada4f860dae942ff38cb343
                                                              • Instruction Fuzzy Hash: 6E41C331100950AFEF256F28DC88BB93BA5EB16335F1942A5FD659B1F2CB348D41DB21
                                                              APIs
                                                                • Part of subcall function 00B80AB6: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00B72A3E,?,00008000), ref: 00B80AD2
                                                                • Part of subcall function 00B801AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B72A58,?,00008000), ref: 00B801CF
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B72ADF
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B72C2C
                                                                • Part of subcall function 00B73EBE: _wcscpy.LIBCMT ref: 00B73EF6
                                                                • Part of subcall function 00B8379F: _iswctype.LIBCMT ref: 00B837A7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                              • API String ID: 537147316-3738523708
                                                              • Opcode ID: cebd7110ae6a2957f57ea4d44f14288fa6b25473d724b65e9511fb6c32bd2ac7
                                                              • Instruction ID: fdf807bbb9ac67e026e2d52297c9ec2b97195def3892d20106eae8881480ba22
                                                              • Opcode Fuzzy Hash: cebd7110ae6a2957f57ea4d44f14288fa6b25473d724b65e9511fb6c32bd2ac7
                                                              • Instruction Fuzzy Hash: 2002A37010C3419FC725EF24C891AAFBBE5EF95354F0089ADF4A9972A2DB30D949CB52
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?,00BF0980), ref: 00BCADBB
                                                              • GetDriveTypeW.KERNEL32(00000061,00C19970,00000061), ref: 00BCAE85
                                                              • _wcscpy.LIBCMT ref: 00BCAEAF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: BuffCharDriveLowerType_wcscpy
                                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                              • API String ID: 2820617543-1000479233
                                                              • Opcode ID: 1a36c1ab9f0cc93bc9cb0a1f5c79ced15948b5f576ed8060e25820d53d8a7cda
                                                              • Instruction ID: d281fe753edeea83a5333a17c20d5c16a8545f840485455edd2fd93de505a6b5
                                                              • Opcode Fuzzy Hash: 1a36c1ab9f0cc93bc9cb0a1f5c79ced15948b5f576ed8060e25820d53d8a7cda
                                                              • Instruction Fuzzy Hash: 8251C0701083059BC714EF14C892FAEB7E9EF81704F5048ADF5AA972A2DB709D09CB93
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: __i64tow__itow__swprintf
                                                              • String ID: %.15g$0x%p$False$True
                                                              • API String ID: 421087845-2263619337
                                                              • Opcode ID: 86d535a4b40b60625eb5aa06be5e46c592104d1e353ce456ca9bf3c4d8605e5f
                                                              • Instruction ID: 2b5072e7eda8bc291a96804edd76187ceed4ffc43b137bddda17cc922ed2b136
                                                              • Opcode Fuzzy Hash: 86d535a4b40b60625eb5aa06be5e46c592104d1e353ce456ca9bf3c4d8605e5f
                                                              • Instruction Fuzzy Hash: 4E41D471914605AEDF24EF78C882E7A73E8EF45710F2044FEE549D72A1EA359D41CB10
                                                              APIs
                                                              • _memset.LIBCMT ref: 00BE7557
                                                              • CreateMenu.USER32 ref: 00BE7572
                                                              • SetMenu.USER32(?,00000000), ref: 00BE7581
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BE760E
                                                              • IsMenu.USER32(?), ref: 00BE7624
                                                              • CreatePopupMenu.USER32 ref: 00BE762E
                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BE765B
                                                              • DrawMenuBar.USER32 ref: 00BE7663
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                              • String ID: 0$F
                                                              • API String ID: 176399719-3044882817
                                                              • Opcode ID: 861c4985bf46d82fc5ec901800847beb1a6115d4b1a17492c8a8aea59eaee2f6
                                                              • Instruction ID: 3c8448a987639167338ec8d49cc6cdc5962a6b89d6ee1d5a1894a48da7491da6
                                                              • Opcode Fuzzy Hash: 861c4985bf46d82fc5ec901800847beb1a6115d4b1a17492c8a8aea59eaee2f6
                                                              • Instruction Fuzzy Hash: 754179B4A00249EFDB20DF69D884BAA7BF5FF58344F1401A9F945A7361DB70A920CF90
                                                              APIs
                                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BE794B
                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00BE7952
                                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BE7965
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00BE796D
                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00BE7978
                                                              • DeleteDC.GDI32(00000000), ref: 00BE7981
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 00BE798B
                                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00BE799F
                                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00BE79AB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                              • String ID: static
                                                              • API String ID: 2559357485-2160076837
                                                              • Opcode ID: ff480027938b890be54bbf932772942ca7197c7526185bf1e3835556e1a48e37
                                                              • Instruction ID: dcd6ebc57b3ab52c3dec6401b9ada965df16ef16e4a8a4def0257bb6eda6f9b0
                                                              • Opcode Fuzzy Hash: ff480027938b890be54bbf932772942ca7197c7526185bf1e3835556e1a48e37
                                                              • Instruction Fuzzy Hash: C0318B36114219BBDF11AF65DC09FEB3BA9FF09320F100254FA55A71A2CB31D821DBA4
                                                              APIs
                                                              • _memset.LIBCMT ref: 00B86F9B
                                                                • Part of subcall function 00B88C88: __getptd_noexit.LIBCMT ref: 00B88C88
                                                              • __gmtime64_s.LIBCMT ref: 00B87034
                                                              • __gmtime64_s.LIBCMT ref: 00B8706A
                                                              • __gmtime64_s.LIBCMT ref: 00B87087
                                                              • __allrem.LIBCMT ref: 00B870DD
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B870F9
                                                              • __allrem.LIBCMT ref: 00B87110
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B8712E
                                                              • __allrem.LIBCMT ref: 00B87145
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B87163
                                                              • __invoke_watson.LIBCMT ref: 00B871D4
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                              • String ID:
                                                              • API String ID: 384356119-0
                                                              • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                              • Instruction ID: a31bc8945837c36b645bda446648e5adeeafcd2ff7aba7cb3b02ad7a05e203c5
                                                              • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                              • Instruction Fuzzy Hash: 9471D771A40716ABDB14FE79DC82B5AB3E8EF10728F2442B9F514E7691EB70D940C790
                                                              APIs
                                                              • _memset.LIBCMT ref: 00BC2B55
                                                              • GetMenuItemInfoW.USER32(00C26890,000000FF,00000000,00000030), ref: 00BC2BB6
                                                              • SetMenuItemInfoW.USER32(00C26890,00000004,00000000,00000030), ref: 00BC2BEC
                                                              • Sleep.KERNEL32(000001F4), ref: 00BC2BFE
                                                              • GetMenuItemCount.USER32(?), ref: 00BC2C42
                                                              • GetMenuItemID.USER32(?,00000000), ref: 00BC2C5E
                                                              • GetMenuItemID.USER32(?,-00000001), ref: 00BC2C88
                                                              • GetMenuItemID.USER32(?,?), ref: 00BC2CCD
                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BC2D13
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BC2D27
                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BC2D48
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
• Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BE7392
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BE7395
• GetWindowLongW.USER32(?,000000F0), ref: 00BE73B9
• _memset.LIBCMT ref: 00BE73CA
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BE73DC
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BE7454
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BB75C0
• SafeArrayAllocData.OLEAUT32(?), ref: 00BB7619
• VariantInit.OLEAUT32(?), ref: 00BB762B
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00BB764B
• VariantCopy.OLEAUT32(?,?), ref: 00BB769E
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00BB76B2
• VariantClear.OLEAUT32(?), ref: 00BB76C7
• SafeArrayDestroyData.OLEAUT32(?), ref: 00BB76D4
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BB76DD
• VariantClear.OLEAUT32(?), ref: 00BB76EF
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BB76FA
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
• GetKeyboardState.USER32(?), ref: 00BC039C
• GetAsyncKeyState.USER32(000000A0), ref: 00BC041D
• GetKeyState.USER32(000000A0), ref: 00BC0438
• GetAsyncKeyState.USER32(000000A1), ref: 00BC0452
• GetKeyState.USER32(000000A1), ref: 00BC0467
• GetAsyncKeyState.USER32(00000011), ref: 00BC047F
• GetKeyState.USER32(00000011), ref: 00BC0491
• GetAsyncKeyState.USER32(00000012), ref: 00BC04A9
• GetKeyState.USER32(00000012), ref: 00BC04BB
• GetAsyncKeyState.USER32(0000005B), ref: 00BC04D3
• GetKeyState.USER32(0000005B), ref: 00BC04E5
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
  • Part of subcall function 00B64D37: __itow.LIBCMT ref: 00B64D62
  • Part of subcall function 00B64D37: __swprintf.LIBCMT ref: 00B64DAC
• CoInitialize.OLE32 ref: 00BD88B5
• CoUninitialize.OLE32 ref: 00BD88C0
• CoCreateInstance.OLE32(?,00000000,00000017,00BF3BBC,?), ref: 00BD8920
• IIDFromString.OLE32(?,?), ref: 00BD8993
• VariantInit.OLEAUT32(?), ref: 00BD8A2D
• VariantClear.OLEAUT32(?), ref: 00BD8A8E
Strings
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00BCB980
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00BCB9F6
• GetLastError.KERNEL32 ref: 00BCBA00
• SetErrorMode.KERNEL32(00000000,READY), ref: 00BCBA6D
Strings
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
APIs
  • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
  • Part of subcall function 00BBB57D: GetClassNameW.USER32(?,?,000000FF), ref: 00BBB5A0
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00BB99AF
• GetDlgCtrlID.USER32 ref: 00BB99BA
• GetParent.USER32 ref: 00BB99D6
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00BB99D9
• GetDlgCtrlID.USER32(?), ref: 00BB99E2
• GetParent.USER32(?), ref: 00BB99FE
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00BB9A01
Strings
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
APIs
  • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
  • Part of subcall function 00BBB57D: GetClassNameW.USER32(?,?,000000FF), ref: 00BBB5A0
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00BB9A98
• GetDlgCtrlID.USER32 ref: 00BB9AA3
• GetParent.USER32 ref: 00BB9ABF
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00BB9AC2
• GetDlgCtrlID.USER32(?), ref: 00BB9ACB
• GetParent.USER32(?), ref: 00BB9AE7
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00BB9AEA
Strings
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
APIs
• GetParent.USER32 ref: 00BB9B0A
• GetClassNameW.USER32(00000000,?,00000100), ref: 00BB9B1F
• _wcscmp.LIBCMT ref: 00BB9B31
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BB9BAC
Strings
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
APIs
• VariantInit.OLEAUT32(?), ref: 00BD8D89
• CoInitialize.OLE32(00000000), ref: 00BD8DB6
• CoUninitialize.OLE32 ref: 00BD8DC0
• GetRunningObjectTable.OLE32(00000000,?), ref: 00BD8EC0
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00BD8FED
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00BF3BDC), ref: 00BD9021
• CoGetObject.OLE32(?,00000000,00BF3BDC,?), ref: 00BD9044
• SetErrorMode.KERNEL32(00000000), ref: 00BD9057
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00BD90D7
• VariantClear.OLEAUT32(?), ref: 00BD90E7
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
                                                              APIs
                                                              • GetCurrentThreadId.KERNEL32 ref: 00BC185B
                                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00BC08D3,?,00000001), ref: 00BC186F
                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 00BC1876
                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BC08D3,?,00000001), ref: 00BC1885
                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC1897
                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BC08D3,?,00000001), ref: 00BC18B0
                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BC08D3,?,00000001), ref: 00BC18C2
                                                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00BC08D3,?,00000001), ref: 00BC1907
                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00BC08D3,?,00000001), ref: 00BC191C
                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00BC08D3,?,00000001), ref: 00BC1927
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                              • String ID:
                                                              • API String ID: 2156557900-0
                                                              • Opcode ID: bd08534705e1ec4d49a05c52522e537248badcf32085cd6eb5286d76cd2325d2
                                                              • Instruction ID: 06016d150a2cf6960b6fcd63b508d422248b60406e503fdcd973eedb4986aac5
                                                              • Opcode Fuzzy Hash: bd08534705e1ec4d49a05c52522e537248badcf32085cd6eb5286d76cd2325d2
                                                              • Instruction Fuzzy Hash: 5B31D171518204BBEB21AB58DD88F7D37EDEB46312F104599F800E72A2DBB49D41CB10
                                                              APIs
                                                              • GetSysColor.USER32(00000008), ref: 00B6260D
                                                              • SetTextColor.GDI32(?,000000FF), ref: 00B62617
                                                              • SetBkMode.GDI32(?,00000001), ref: 00B6262C
                                                              • GetStockObject.GDI32(00000005), ref: 00B62634
                                                              • GetClientRect.USER32(?), ref: 00B9C02C
                                                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 00B9C043
                                                              • GetWindowDC.USER32(?), ref: 00B9C04F
                                                              • GetPixel.GDI32(00000000,?,?), ref: 00B9C05E
                                                              • ReleaseDC.USER32(?,00000000), ref: 00B9C070
                                                              • GetSysColor.USER32(00000005), ref: 00B9C08E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                              • String ID:
                                                              • API String ID: 3430376129-0
                                                              • Opcode ID: ff200ea65ea85938e345d1f7c99ed56c948c843c5b81c79817e6593fcd6b0c63
                                                              • Instruction ID: ee974705b39b802dec83032095f0a546f5fa13a1aaeddd5f9c0997bf25848e3f
                                                              • Opcode Fuzzy Hash: ff200ea65ea85938e345d1f7c99ed56c948c843c5b81c79817e6593fcd6b0c63
                                                              • Instruction Fuzzy Hash: 89113A31510605BFEB616F64EC49BB97BA1EB18321F104261FA26A60F2CF720A51EF11
                                                              APIs
                                                              • EnumChildWindows.USER32(?,00BBAF1D), ref: 00BBAE5B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ChildEnumWindows
                                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                              • API String ID: 3555792229-1603158881
                                                              • Opcode ID: bdcb0a0cb7ec60e41e03f4be10fb2a0a190c2d4fbeb88c98a6e6b64c42d0cbbc
                                                              • Instruction ID: e5d98241e0274e931f898ed5820e2cc338ff48d10db834110d652597c0423b1b
                                                              • Opcode Fuzzy Hash: bdcb0a0cb7ec60e41e03f4be10fb2a0a190c2d4fbeb88c98a6e6b64c42d0cbbc
                                                              • Instruction Fuzzy Hash: 6F919470A00505ABCB18EF64C481BFEFBF9FF44300F5085A9D45AA7251DFB0A999DBA1
                                                              APIs
                                                              • SetWindowLongW.USER32(?,000000EB), ref: 00B6327E
                                                                • Part of subcall function 00B6218F: GetClientRect.USER32(?,?), ref: 00B621B8
                                                                • Part of subcall function 00B6218F: GetWindowRect.USER32(?,?), ref: 00B621F9
                                                                • Part of subcall function 00B6218F: ScreenToClient.USER32(?,?), ref: 00B62221
                                                              • GetDC.USER32 ref: 00B9CFA3
                                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B9CFB6
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00B9CFC4
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00B9CFD9
                                                              • ReleaseDC.USER32(?,00000000), ref: 00B9CFE1
                                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B9D06C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                              • String ID: U
                                                              • API String ID: 4009187628-3372436214
                                                              • Opcode ID: 17eca415582e8485db5ec8926551fe4297cacfbd0ae6a059fcd8569e8ac5aa52
                                                              • Instruction ID: d2f053f81b78dd7a19932e2ec9b4f499bf2320b9c7e8fe0d8960586d186e1eff
                                                              • Opcode Fuzzy Hash: 17eca415582e8485db5ec8926551fe4297cacfbd0ae6a059fcd8569e8ac5aa52
                                                              • Instruction Fuzzy Hash: B071BB30500209EFCF219F64C8A4ABA7BF6FF49360F1442F9ED559B1A6C7358946DB60
                                                              APIs
                                                                • Part of subcall function 00B629E2: GetWindowLongW.USER32(?,000000EB), ref: 00B629F3
                                                                • Part of subcall function 00B62714: GetCursorPos.USER32(?), ref: 00B62727
                                                                • Part of subcall function 00B62714: ScreenToClient.USER32(00C267B0,?), ref: 00B62744
                                                                • Part of subcall function 00B62714: GetAsyncKeyState.USER32(00000001), ref: 00B62769
                                                                • Part of subcall function 00B62714: GetAsyncKeyState.USER32(00000002), ref: 00B62777
                                                              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00BEC417
                                                              • ImageList_EndDrag.COMCTL32 ref: 00BEC41D
                                                              • ReleaseCapture.USER32 ref: 00BEC423
                                                              • SetWindowTextW.USER32(?,00000000), ref: 00BEC4CD
                                                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00BEC4E0
                                                              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00BEC5C2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                              • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                              • API String ID: 1924731296-2107944366
                                                              • Opcode ID: 72e1ecf4f8740cb1947c4ad1a4fefbb8b44ade75a7c1ddce86accaba61ecd3f0
                                                              • Instruction ID: 4cfdb5ed50e2b308fe944178969299c217d72958211d34608b366ada74441221
                                                              • Opcode Fuzzy Hash: 72e1ecf4f8740cb1947c4ad1a4fefbb8b44ade75a7c1ddce86accaba61ecd3f0
                                                              • Instruction Fuzzy Hash: C851AB70204345AFDB14EF24CC96F6A7BE5EF94310F00896DF595972E2CB70A945CB62
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00BF0980), ref: 00BD91DA
                                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00BF0980), ref: 00BD920E
                                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00BD9388
                                                              • SysFreeString.OLEAUT32(?), ref: 00BD93B2
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                              • String ID:
                                                              • API String ID: 560350794-0
                                                              • Opcode ID: e9d5a7ed1b7efa6a931c42a8f07f61fbfb2d342d20fc24f78ab80298409f519f
                                                              • Instruction ID: cc2a33cc0019df34f6a69f2f798b2830b0533b5dbce27c4aa4dcc272d688cbb2
                                                              • Opcode Fuzzy Hash: e9d5a7ed1b7efa6a931c42a8f07f61fbfb2d342d20fc24f78ab80298409f519f
                                                              • Instruction Fuzzy Hash: 89F11C71A00209EFDF14DF94C884EAEB7B9FF49314F148199F915AB291EB31AE45CB50
                                                              APIs
                                                              • _memset.LIBCMT ref: 00BDFB66
                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BDFCF9
                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BDFD1D
                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BDFD5D
                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BDFD7F
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BDFEFB
                                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00BDFF2D
                                                              • CloseHandle.KERNEL32(?), ref: 00BDFF5C
                                                              • CloseHandle.KERNEL32(?), ref: 00BDFFD3
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                              • String ID:
                                                              • API String ID: 4090791747-0
                                                              • Opcode ID: dd421b1d6cf4333870c804d6f5dee9697450d1577dfa7b4fbf13ce0964d038c3
                                                              • Instruction ID: 2e4d6d761ba87053164d96bbb5afa5907ba9b11d320f3c0b7606f0debbfa3b59
                                                              • Opcode Fuzzy Hash: dd421b1d6cf4333870c804d6f5dee9697450d1577dfa7b4fbf13ce0964d038c3
                                                              • Instruction Fuzzy Hash: 8CE1A3316087029FC715EF24C491A6ABBE1EF85350F1485AEF89A9B3A2DB31DC45CB52
                                                              APIs
                                                                • Part of subcall function 00BC4A30: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BC39F7,?), ref: 00BC4A4D
                                                                • Part of subcall function 00BC4A30: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BC39F7,?), ref: 00BC4A66
                                                                • Part of subcall function 00BC4E59: GetFileAttributesW.KERNEL32(?,00BC3A6B), ref: 00BC4E5A
                                                              • lstrcmpiW.KERNEL32(?,?), ref: 00BC5168
                                                              • _wcscmp.LIBCMT ref: 00BC5182
                                                              • MoveFileW.KERNEL32(?,?), ref: 00BC519D
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                              • String ID:
                                                              • API String ID: 793581249-0
                                                              • Opcode ID: e6e00234948066638a30b679de3bf62cf6f3021473976c97a1bb4ab22559ceed
                                                              • Instruction ID: a712339152ba48df3aafc6864a04cd0dc169cd95d64ebb8435937a995a82fb2f
                                                              • Opcode Fuzzy Hash: e6e00234948066638a30b679de3bf62cf6f3021473976c97a1bb4ab22559ceed
                                                              • Instruction Fuzzy Hash: 915130B24087855BC724EBA4D881EDB77ECEF84340F00496EB589D3151EF74A6888766
                                                              APIs
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00BE8AEC
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: InvalidateRect
                                                              • String ID:
                                                              • API String ID: 634782764-0
                                                              • Opcode ID: 5186147bb0a5b36052917243e845c52b6fce67f8cc85497e5b846dbddcf3bd4c
                                                              • Instruction ID: 321e7295ffbbdae567684f61453585574c3041d87f9b5e7a3455deb9735091a3
                                                              • Opcode Fuzzy Hash: 5186147bb0a5b36052917243e845c52b6fce67f8cc85497e5b846dbddcf3bd4c
                                                              • Instruction Fuzzy Hash: 2B51D170501A84BEEF209F2ACCC5BA93BE4EF05310F2055A6F518E72E1CF72A980CB50
                                                              APIs
                                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B9C568
                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B9C58A
                                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B9C5A2
                                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B9C5C0
                                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B9C5E1
                                                              • DestroyIcon.USER32(00000000), ref: 00B9C5F0
                                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B9C60D
                                                              • DestroyIcon.USER32(?), ref: 00B9C61C
                                                                • Part of subcall function 00BEA89C: DeleteObject.GDI32(00000000), ref: 00BEA8D5
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                              • String ID:
                                                              • API String ID: 2819616528-0
                                                              • Opcode ID: b4704919c3cbd2c43af93f5defc10d248c97d4994b073b0279e9458337102c49
                                                              • Instruction ID: a7dfea011c789d6c4eb3e68c609a15dac164b6c3e03c720dde45d269a0078133
                                                              • Opcode Fuzzy Hash: b4704919c3cbd2c43af93f5defc10d248c97d4994b073b0279e9458337102c49
                                                              • Instruction Fuzzy Hash: 38516970610609EFEB24DF24CC85BAA7BF5EB58310F1045A8F946A72E0DB74ED90DB60
                                                              APIs
                                                                • Part of subcall function 00BBB310: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BBB330
                                                                • Part of subcall function 00BBB310: GetCurrentThreadId.KERNEL32 ref: 00BBB337
                                                                • Part of subcall function 00BBB310: AttachThreadInput.USER32(00000000,?,00BBA01E,?,00000001), ref: 00BBB33E
                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00BBA029
                                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BBA046
                                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00BBA049
                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00BBA052
                                                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00BBA070
                                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00BBA073
                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00BBA07C
                                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00BBA093
                                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00BBA096
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                              • String ID:
                                                              • API String ID: 2014098862-0
                                                              • Opcode ID: 843aac40831f2f919ff62e6d0b894e8e3542e139f5719f0b69cd2c50f260c4a3
                                                              • Instruction ID: 1c318843b6611ce6b3590bf34c075bc3652e2a60f39905d29e9718e14d089497
                                                              • Opcode Fuzzy Hash: 843aac40831f2f919ff62e6d0b894e8e3542e139f5719f0b69cd2c50f260c4a3
                                                              • Instruction Fuzzy Hash: 2911E171920218BFF7107B608C8AFBA7B6DEB4C750F500419F340AB0A1CEF25C50DAA4
                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00BB8F3D,00000B00,?,?), ref: 00BB92C5
                                                              • HeapAlloc.KERNEL32(00000000,?,00BB8F3D,00000B00,?,?), ref: 00BB92CC
                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BB8F3D,00000B00,?,?), ref: 00BB92E1
                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,00BB8F3D,00000B00,?,?), ref: 00BB92E9
                                                              • DuplicateHandle.KERNEL32(00000000,?,00BB8F3D,00000B00,?,?), ref: 00BB92EC
                                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00BB8F3D,00000B00,?,?), ref: 00BB92FC
                                                              • GetCurrentProcess.KERNEL32(00BB8F3D,00000000,?,00BB8F3D,00000B00,?,?), ref: 00BB9304
                                                              • DuplicateHandle.KERNEL32(00000000,?,00BB8F3D,00000B00,?,?), ref: 00BB9307
                                                              • CreateThread.KERNEL32(00000000,00000000,00BB932D,00000000,00000000,00000000), ref: 00BB9321
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                              • String ID:
                                                              • API String ID: 1957940570-0
                                                              • Opcode ID: 273597e699a6d753db2c09eb2e90ca404bb46d66661f4ca29ce9db2e63fed807
                                                              • Instruction ID: ecc40a00df420a2536135a148b50c13f778b931f6a7e09685d058ce0dcab97ef
                                                              • Opcode Fuzzy Hash: 273597e699a6d753db2c09eb2e90ca404bb46d66661f4ca29ce9db2e63fed807
                                                              • Instruction Fuzzy Hash: 0901B6B5250308BFE710ABA5DC4DF6B7BACEB88711F408411FA05EB2A2CA709914CB30
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearInit$_memset
                                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                              • API String ID: 2862541840-625585964
                                                              • Opcode ID: 63dba6da1226d9a5c6141a53e5d5840ab41ce9ddcb4f81ea5aaf56b7d0683850
                                                              • Instruction ID: 498977d655946c6aed895be2eb27cbcba1a847f875114ec76554fea63d8d762b
                                                              • Opcode Fuzzy Hash: 63dba6da1226d9a5c6141a53e5d5840ab41ce9ddcb4f81ea5aaf56b7d0683850
                                                              • Instruction Fuzzy Hash: 91916F71A00219ABDF24DFA5C884FAEBBF8EF45714F10819AF515AB251E7709944CFA0
                                                              APIs
                                                                • Part of subcall function 00BB7B0B: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB7A45,80070057,?,?,?,00BB7E56), ref: 00BB7B28
                                                                • Part of subcall function 00BB7B0B: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB7A45,80070057,?,?), ref: 00BB7B43
                                                                • Part of subcall function 00BB7B0B: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB7A45,80070057,?,?), ref: 00BB7B51
                                                                • Part of subcall function 00BB7B0B: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB7A45,80070057,?), ref: 00BB7B61
                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00BD9CB8
                                                              • _memset.LIBCMT ref: 00BD9CC5
                                                              • _memset.LIBCMT ref: 00BD9E08
                                                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00BD9E34
                                                              • CoTaskMemFree.OLE32(?), ref: 00BD9E3F
                                                              Strings
                                                              • NULL Pointer assignment, xrefs: 00BD9E8D
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                              • String ID: NULL Pointer assignment
                                                              • API String ID: 1300414916-2785691316
                                                              • Opcode ID: 6e55ccb3dfc166797dc8541983ccdf6c0ad6175ae27b185bc9a2acbdd8f13026
                                                              • Instruction ID: 4925a74e0fe54c7242beb979990a1135a39a46725670a8968b698fc2954430a3
                                                              • Opcode Fuzzy Hash: 6e55ccb3dfc166797dc8541983ccdf6c0ad6175ae27b185bc9a2acbdd8f13026
                                                              • Instruction Fuzzy Hash: 34911971D00219EBDB10DFA5D885EEEBBF9EF08310F1081AAF519A7251EB715A44CFA0
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BE7211
                                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00BE7225
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BE723F
                                                              • _wcscat.LIBCMT ref: 00BE729A
                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00BE72B1
                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BE72DF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window_wcscat
                                                              • String ID: SysListView32
                                                              • API String ID: 307300125-78025650
                                                              • Opcode ID: 8060c4b9c09470c206a4c514a2a8c42f02582543577b4332a9094671ae107775
                                                              • Instruction ID: 02e2f31a7946c85a75f7d353479d0909ae555d17f80f9922728b2a3820c1ff72
                                                              • Opcode Fuzzy Hash: 8060c4b9c09470c206a4c514a2a8c42f02582543577b4332a9094671ae107775
                                                              • Instruction Fuzzy Hash: 1E41B230944348AFEB21DF65CC85FEA77E9EF08354F1004AAF585A7192DB719D848B50
                                                              APIs
                                                                • Part of subcall function 00BC3FB5: CreateToolhelp32Snapshot.KERNEL32 ref: 00BC3FDA
                                                                • Part of subcall function 00BC3FB5: Process32FirstW.KERNEL32(00000000,?), ref: 00BC3FE8
                                                                • Part of subcall function 00BC3FB5: FindCloseChangeNotification.KERNEL32(00000000), ref: 00BC40B2
                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BDEE55
                                                              • GetLastError.KERNEL32 ref: 00BDEE68
                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BDEE97
                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00BDEF14
                                                              • GetLastError.KERNEL32(00000000), ref: 00BDEF1F
                                                              • CloseHandle.KERNEL32(00000000), ref: 00BDEF54
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
                                                              • String ID: SeDebugPrivilege
                                                              • API String ID: 1701285019-2896544425
                                                              • Opcode ID: d747a62bd1055a98ee8f171f5ab67507908385c92e0c3999c749af56cca173af
                                                              • Instruction ID: e7c4e2c09d4736b1bad57b19d4afd56f44fc64586610ddaad2f451f02a9b673c
                                                              • Opcode Fuzzy Hash: d747a62bd1055a98ee8f171f5ab67507908385c92e0c3999c749af56cca173af
                                                              • Instruction Fuzzy Hash: 7B4185712002019FDB11EF24D895B7EB7E5AF44710F04849AF9165F292DBB9AC04CB95
                                                              APIs
                                                              • LoadIconW.USER32(00000000,00007F03), ref: 00BC33E9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: IconLoad
                                                              • String ID: blank$info$question$stop$warning
                                                              • API String ID: 2457776203-404129466
                                                              • Opcode ID: 37be6ba087c24b8c18a7889398a31901d24be1c1d74a358ec14e5a82e126e87c
                                                              • Instruction ID: bf618c699abc6f0a4ab4441aff0fb20b44f928f5afb36d854b498977c5faed7a
                                                              • Opcode Fuzzy Hash: 37be6ba087c24b8c18a7889398a31901d24be1c1d74a358ec14e5a82e126e87c
                                                              • Instruction Fuzzy Hash: 5F115B31748346BAE7055A549C82EAA77DCDF15F20B5080EEF900B62C3DAB59F809269
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BC466F
                                                              • LoadStringW.USER32(00000000), ref: 00BC4676
                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BC468C
                                                              • LoadStringW.USER32(00000000), ref: 00BC4693
                                                              • _wprintf.LIBCMT ref: 00BC46B9
                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BC46D7
                                                              Strings
                                                              • %s (%d) : ==> %s: %s %s, xrefs: 00BC46B4
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadModuleString$Message_wprintf
                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                              • API String ID: 3648134473-3128320259
                                                              • Opcode ID: 4636c5674510ece1b7f2ab4af350a02419ee268e8e42d6f8c754607994d758b0
                                                              • Instruction ID: 3523a1249c89c592ce1118e961428b1569f91e2bf4799d3355a9b2cc16b1abed
                                                              • Opcode Fuzzy Hash: 4636c5674510ece1b7f2ab4af350a02419ee268e8e42d6f8c754607994d758b0
                                                              • Instruction Fuzzy Hash: FB016DF29502087FE711BBA49D89EF777ACEB08700F4005E5BB49E3052EA749E848B71
                                                              APIs
                                                                • Part of subcall function 00B629E2: GetWindowLongW.USER32(?,000000EB), ref: 00B629F3
                                                              • GetSystemMetrics.USER32(0000000F), ref: 00BED89F
                                                              • GetSystemMetrics.USER32(0000000F), ref: 00BED8BF
                                                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00BEDAFA
                                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BEDB18
                                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BEDB39
                                                              • ShowWindow.USER32(00000003,00000000), ref: 00BEDB58
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00BEDB7D
                                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00BEDBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                              • String ID:
                                                              • API String ID: 1211466189-0
                                                              • Opcode ID: a6d9c5c9cca954ed9e3ab2cde085a5707b08bbe39920ca632d97d53c1ec8a1e0
                                                              • Instruction ID: 5183429ac321c7d7667229f72fa3a470a25ab98d392e39eb66ea697cbe92dc66
                                                              • Opcode Fuzzy Hash: a6d9c5c9cca954ed9e3ab2cde085a5707b08bbe39920ca632d97d53c1ec8a1e0
                                                              • Instruction Fuzzy Hash: 03B1A731600255AFCF14CF6AC9857BD7BF1FF08710F0981A9ED489B296E7B1AA50CB60
                                                              APIs
                                                                • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
                                                                • Part of subcall function 00BE1242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BE01D5,?,?), ref: 00BE1259
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BE0216
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: BuffCharConnectRegistryUpper_memmove
                                                              • String ID:
                                                              • API String ID: 3479070676-0
                                                              • Opcode ID: c5af8b7082838a5f98cf0a841eff1e3005fb984865f05f7852f582c5fac387ae
                                                              • Instruction ID: df28d8cb4eed2103f1b16733959a9ff109c64def9e7b82ae9073050156dbfe66
                                                              • Opcode Fuzzy Hash: c5af8b7082838a5f98cf0a841eff1e3005fb984865f05f7852f582c5fac387ae
                                                              • Instruction Fuzzy Hash: DFA1AB702042059FCB11EF69C881B6EB7F5EF84314F14889DF9969B2A2DB74ED85CB42
                                                              APIs
                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B9C438,00000004,00000000,00000000,00000000), ref: 00B62E9F
                                                              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00B9C438,00000004,00000000,00000000,00000000,000000FF), ref: 00B62EE7
                                                              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00B9C438,00000004,00000000,00000000,00000000), ref: 00B9C48B
                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B9C438,00000004,00000000,00000000,00000000), ref: 00B9C4F7
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ShowWindow
                                                              • String ID:
                                                              • API String ID: 1268545403-0
                                                              • Opcode ID: db617fe8b95570c635c16905891a9023c463c7f1f9c8f8c188ab27fd0161d777
                                                              • Instruction ID: 20a527fbc6510c9e38993aec6af0976492747c1783f28697e286841bb0766507
                                                              • Opcode Fuzzy Hash: db617fe8b95570c635c16905891a9023c463c7f1f9c8f8c188ab27fd0161d777
                                                              • Instruction Fuzzy Hash: 5041DB34714E809AEB359B28C9D877A7FD1EB81301F6484FDE44747BA1CB7AA841DB21
                                                              APIs
                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 00BC7505
                                                                • Part of subcall function 00B80F16: std::exception::exception.LIBCMT ref: 00B80F4C
                                                                • Part of subcall function 00B80F16: __CxxThrowException@8.LIBCMT ref: 00B80F61
                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00BC753C
                                                              • EnterCriticalSection.KERNEL32(?), ref: 00BC7558
                                                              • _memmove.LIBCMT ref: 00BC75A6
                                                              • _memmove.LIBCMT ref: 00BC75C3
                                                              • LeaveCriticalSection.KERNEL32(?), ref: 00BC75D2
                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00BC75E7
                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00BC7606
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 256516436-0
                                                              • Opcode ID: 44ecaff4f04ee48352ffe879e8d18928355eabfe34073bbc09efab2cdcf60834
                                                              • Instruction ID: f9c01678fc9e06ecd97ad0ef1c467c6f458d2346d4d504ed7ddc1811be842122
                                                              • Opcode Fuzzy Hash: 44ecaff4f04ee48352ffe879e8d18928355eabfe34073bbc09efab2cdcf60834
                                                              • Instruction Fuzzy Hash: 50316F71914205ABCB50FF64DC85EAEB7B8FF45710F1480A9F904EB266DB30DA14DBA0
                                                              APIs
                                                              • DeleteObject.GDI32(00000000), ref: 00BE65D8
                                                              • GetDC.USER32(00000000), ref: 00BE65E0
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BE65EB
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00BE65F7
                                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BE6633
                                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BE6644
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BE9417,?,?,000000FF,00000000,?,000000FF,?), ref: 00BE667E
                                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BE669E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                              • String ID:
                                                              • API String ID: 3864802216-0
                                                              • Opcode ID: 32559576ec53c2536425d1a7b127933ebedd3b4f36c01809d1f1f44742b656e2
                                                              • Instruction ID: d9f39ff493da90a8f5daaa5287f76acda519eca2857d725e92201cd97703352a
                                                              • Opcode Fuzzy Hash: 32559576ec53c2536425d1a7b127933ebedd3b4f36c01809d1f1f44742b656e2
                                                              • Instruction Fuzzy Hash: D7316B721112147FEF119F158C8AFEA3FA9EF59751F044051FE08DB2A2CB759851CBA4
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memcmp
                                                              • String ID:
                                                              • API String ID: 2931989736-0
                                                              • Opcode ID: 9739c94be37430e40345fd4259e7c9bfa2dadad8f51598ed0fa390733c7927c2
                                                              • Instruction ID: 0d35dc846dd2a93111cdf2423504b785ccf3dc5a37856d6dfa6e3231548c3f9c
                                                              • Opcode Fuzzy Hash: 9739c94be37430e40345fd4259e7c9bfa2dadad8f51598ed0fa390733c7927c2
                                                              • Instruction Fuzzy Hash: AC219561A012097B9624F5199D83FFB3BDCEE60784B0440E6FE06E7256E790EE16C2A5
                                                              APIs
                                                                • Part of subcall function 00B64D37: __itow.LIBCMT ref: 00B64D62
                                                                • Part of subcall function 00B64D37: __swprintf.LIBCMT ref: 00B64DAC
                                                                • Part of subcall function 00B7436A: _wcscpy.LIBCMT ref: 00B7438D
                                                              • _wcstok.LIBCMT ref: 00BCF144
                                                              • _wcscpy.LIBCMT ref: 00BCF1D3
                                                              • _memset.LIBCMT ref: 00BCF206
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                              • String ID: X
                                                              • API String ID: 774024439-3081909835
                                                              • Opcode ID: 6cf2dfaecc068af8062c41bf85d3d0f37bad614d34117f39672093715c439ea5
                                                              • Instruction ID: 1c12870be690394de486a7797f25b570be80e7dc2727df3c631707d951613e04
                                                              • Opcode Fuzzy Hash: 6cf2dfaecc068af8062c41bf85d3d0f37bad614d34117f39672093715c439ea5
                                                              • Instruction Fuzzy Hash: 88C182715043419FC724EF68C841E6AB7E5FF85350F1489ADF8999B2A2DB30EC45CB92
                                                              APIs
                                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00BD70B0
                                                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00BD70D1
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BD70E4
                                                              • htons.WSOCK32(?,?,?,00000000,?), ref: 00BD719A
                                                              • inet_ntoa.WSOCK32(?), ref: 00BD7157
                                                                • Part of subcall function 00BBB2CD: _strlen.LIBCMT ref: 00BBB2D7
                                                                • Part of subcall function 00BBB2CD: _memmove.LIBCMT ref: 00BBB2F9
                                                              • _strlen.LIBCMT ref: 00BD71F4
                                                              • _memmove.LIBCMT ref: 00BD725D
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                              • String ID:
                                                              • API String ID: 3619996494-0
                                                              • Opcode ID: 479f0ae75c190815acfb56a6a5f7b0aebe59bc1e8cdb676bb908ca3bb4b689df
                                                              • Instruction ID: 3e503b629ec602ff57a964b1ed6baf1209e3e491a84dadfb9017644f521637e4
                                                              • Opcode Fuzzy Hash: 479f0ae75c190815acfb56a6a5f7b0aebe59bc1e8cdb676bb908ca3bb4b689df
                                                              • Instruction Fuzzy Hash: E581C071108600ABC320EB64DC91EABF7E8EF85714F10899EF5559B2A2EF70ED05CB91
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 185a39071e37e2fd3709c8384e33236928fddb894d2c1e1ec29de3db25146683
                                                              • Instruction ID: d5cfa7ed46d0bf65759e7eb577dbc38ae918ececc0e5d06f90813ec032d96375
                                                              • Opcode Fuzzy Hash: 185a39071e37e2fd3709c8384e33236928fddb894d2c1e1ec29de3db25146683
                                                              • Instruction Fuzzy Hash: 4C716D30900109EFCB05DF98CC89EBEBBB9FF86315F188599F915AB251C7349A51DBA0
                                                              APIs
                                                              • IsWindow.USER32(017053E8), ref: 00BEB7D8
                                                              • IsWindowEnabled.USER32(017053E8), ref: 00BEB7E4
                                                              • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00BEB8C8
                                                              • SendMessageW.USER32(017053E8,000000B0,?,?), ref: 00BEB8FF
                                                              • IsDlgButtonChecked.USER32(?,?), ref: 00BEB93C
                                                              • GetWindowLongW.USER32(017053E8,000000EC), ref: 00BEB95E
                                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BEB976
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                              • String ID:
                                                              • API String ID: 4072528602-0
                                                              • Opcode ID: dadba6b6cb03b087b55e8a7ea9797d5a7b6632c700e3dced5123a6ffdbd8b9c1
                                                              • Instruction ID: 411a317458d9af3e7eddb66c4b95d541c0ab3b4a1ef715ee2d5151bf411fe328
                                                              • Opcode Fuzzy Hash: dadba6b6cb03b087b55e8a7ea9797d5a7b6632c700e3dced5123a6ffdbd8b9c1
                                                              • Instruction Fuzzy Hash: 0B717A74A01284AFEB219F66C8D4FBB7BF9EF49300F1444A9E955973A2C731AC50CB20
                                                              APIs
                                                              • _memset.LIBCMT ref: 00BDF8F9
                                                              • _memset.LIBCMT ref: 00BDF9C2
                                                              • ShellExecuteExW.SHELL32(?), ref: 00BDFA07
                                                                • Part of subcall function 00B64D37: __itow.LIBCMT ref: 00B64D62
                                                                • Part of subcall function 00B64D37: __swprintf.LIBCMT ref: 00B64DAC
                                                                • Part of subcall function 00B7436A: _wcscpy.LIBCMT ref: 00B7438D
                                                              • GetProcessId.KERNEL32(00000000), ref: 00BDFA7E
                                                              • CloseHandle.KERNEL32(00000000), ref: 00BDFAAD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                              • String ID: @
                                                              • API String ID: 3522835683-2766056989
                                                              • Opcode ID: ea3032c9834a97c944b82f3ec4507da5ae3e2419aa2b0f5b8a4be4c244c61518
                                                              • Instruction ID: f2654d3c7b857ee59ff6dcb5192151daffee986918a65e95adf337f91fe1e121
                                                              • Opcode Fuzzy Hash: ea3032c9834a97c944b82f3ec4507da5ae3e2419aa2b0f5b8a4be4c244c61518
                                                              • Instruction Fuzzy Hash: EF619E75A00A1ADFCB15EF94C4809AEF7F5FF49310F1080AAE85AAB351DB34AD41CB94
                                                              APIs
                                                              • GetParent.USER32(?), ref: 00BC15F7
                                                              • GetKeyboardState.USER32(?), ref: 00BC160C
                                                              • SetKeyboardState.USER32(?), ref: 00BC166D
                                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00BC169B
                                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 00BC16BA
                                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00BC1700
                                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BC1723
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessagePost$KeyboardState$Parent
                                                              • String ID:
                                                              • API String ID: 87235514-0
                                                              • Opcode ID: f29e637e7d957da9d77d82814271885dac99d2012e4f46b649e7c93b408987fb
                                                              • Instruction ID: a879516e2848c9a8109285dd4a5fd4d60af7a5c264e2e7f83f72f04532175d84
                                                              • Opcode Fuzzy Hash: f29e637e7d957da9d77d82814271885dac99d2012e4f46b649e7c93b408987fb
                                                              • Instruction Fuzzy Hash: 1051C1A06047D13EFB3686288C55FB67EE99B07304F0C89CEE1D5668D3C6E8AC94D751
                                                              APIs
                                                              • GetParent.USER32(00000000), ref: 00BC1410
                                                              • GetKeyboardState.USER32(?), ref: 00BC1425
                                                              • SetKeyboardState.USER32(?), ref: 00BC1486
                                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BC14B2
                                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BC14CF
                                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BC1513
                                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BC1534
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessagePost$KeyboardState$Parent
                                                              • String ID:
                                                              • API String ID: 87235514-0
                                                              • Opcode ID: 69dc2187cd2663016309f379bac8f1f49206832cb49ffcf346c9cd3103000e6b
                                                              • Instruction ID: e235675b073feaabf30b2aa0efc7d00f4151197288b67087f2a767f339456ab7
                                                              • Opcode Fuzzy Hash: 69dc2187cd2663016309f379bac8f1f49206832cb49ffcf346c9cd3103000e6b
                                                              • Instruction Fuzzy Hash: 9951E2A06442D13DFB3683288C51F76BEE9AB47300F0888CDE1D6665C3C2A4EC95DB61
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _wcsncpy$LocalTime
                                                              • String ID:
                                                              • API String ID: 2945705084-0
                                                              • Opcode ID: 91f67d7fc6f06d6761e739546176c1c615d51483fd3ed577d303d64a47f73937
                                                              • Instruction ID: fea1a8bff5a9a8a92b03497fe403597cff87958427494f77844baad5011e748a
                                                              • Opcode Fuzzy Hash: 91f67d7fc6f06d6761e739546176c1c615d51483fd3ed577d303d64a47f73937
                                                              • Instruction Fuzzy Hash: D2416D65C2061875CB11FBA48C8AACFB7F89F04710F5085A6F918E3231EB74E759C7A9
                                                              APIs
                                                                • Part of subcall function 00BC4A30: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BC39F7,?), ref: 00BC4A4D
                                                                • Part of subcall function 00BC4A30: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BC39F7,?), ref: 00BC4A66
                                                              • lstrcmpiW.KERNEL32(?,?), ref: 00BC3A17
                                                              • _wcscmp.LIBCMT ref: 00BC3A33
                                                              • MoveFileW.KERNEL32(?,?), ref: 00BC3A4B
                                                              • _wcscat.LIBCMT ref: 00BC3A93
                                                              • SHFileOperationW.SHELL32(?), ref: 00BC3AFF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                              • String ID: \*.*
                                                              • API String ID: 1377345388-1173974218
                                                              • Opcode ID: 0876381b84b7fc38a5d8c32f79dcd13f74aa224afbc2ce7012a4bde320dea30f
                                                              • Instruction ID: 949c03550a7f96e9bf2d7c9153ad7de4de36446e4d67d6c8d11054fee5673c77
                                                              • Opcode Fuzzy Hash: 0876381b84b7fc38a5d8c32f79dcd13f74aa224afbc2ce7012a4bde320dea30f
                                                              • Instruction Fuzzy Hash: 63417C71508345AEC755EB64C481AEFB7ECEF88740F4049AEB48AC3161EB34D789CB66
                                                              APIs
                                                              • _memset.LIBCMT ref: 00BE7697
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BE773E
                                                              • IsMenu.USER32(?), ref: 00BE7756
                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BE779E
                                                              • DrawMenuBar.USER32 ref: 00BE77B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$DrawInfoInsert_memset
                                                              • String ID: 0
                                                              • API String ID: 3866635326-4108050209
                                                              • Opcode ID: d5a23f2f57486af9b836a91203c3573313f40dc53492ad2fbfc909891893f046
                                                              • Instruction ID: 16fbaf88cc1f9c49ca07e94c11686973b56ff4ff4662e77dbdf712f485ffdc65
                                                              • Opcode Fuzzy Hash: d5a23f2f57486af9b836a91203c3573313f40dc53492ad2fbfc909891893f046
                                                              • Instruction Fuzzy Hash: 33412874A04289AFDB20DF55D884EAABBF9FB04354F0481A9ED1597361DB70AD50CFA0
                                                              APIs
                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00BE13F9
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BE1423
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00BE14DA
                                                                • Part of subcall function 00BE13CA: RegCloseKey.ADVAPI32(?), ref: 00BE1440
                                                                • Part of subcall function 00BE13CA: FreeLibrary.KERNEL32(?), ref: 00BE1492
                                                                • Part of subcall function 00BE13CA: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00BE14B5
                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00BE147D
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                              • String ID:
                                                              • API String ID: 395352322-0
                                                              • Opcode ID: f4ebd73712942e4d73877752f23c605131d6e2ac7e5796bbc1a6958f21cdab66
                                                              • Instruction ID: d2e3b7756d0584a8197f9a38d19c69750d399a0bce828b2c67986c5d148ca890
                                                              • Opcode Fuzzy Hash: f4ebd73712942e4d73877752f23c605131d6e2ac7e5796bbc1a6958f21cdab66
                                                              • Instruction Fuzzy Hash: 7F315C7191010DBFDB15DFA5DC85AFEB7BCEF08340F1005A9E511A3291EB749E45DAA0
                                                              APIs
                                                              • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00BE66D9
                                                              • GetWindowLongW.USER32(017053E8,000000F0), ref: 00BE670C
                                                              • GetWindowLongW.USER32(017053E8,000000F0), ref: 00BE6741
                                                              • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00BE6773
                                                              • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00BE679D
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BE67AE
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BE67C8
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: LongWindow$MessageSend
                                                              • String ID:
                                                              • API String ID: 2178440468-0
                                                              • Opcode ID: bc9973fb9cbee29c090451a6644385038a6ee554f059d3179fbbd3e60fb38051
                                                              • Instruction ID: 71baad72471a92960d88010a5567e2ff26e39696412fd1209d0fe185bf23bb3e
                                                              • Opcode Fuzzy Hash: bc9973fb9cbee29c090451a6644385038a6ee554f059d3179fbbd3e60fb38051
                                                              • Instruction Fuzzy Hash: 0B313635614190AFDB20DF1ADC84F693BE1FB9A794F1801A4FA10CB2B2CB71AC50DB51
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BBE0AD
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BBE0D3
                                                              • SysAllocString.OLEAUT32(00000000), ref: 00BBE0D6
                                                              • SysAllocString.OLEAUT32(?), ref: 00BBE0F4
                                                              • SysFreeString.OLEAUT32(?), ref: 00BBE0FD
                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00BBE122
                                                              • SysAllocString.OLEAUT32(?), ref: 00BBE130
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                              • String ID:
                                                              • API String ID: 3761583154-0
                                                              • Opcode ID: c5ef553773f1f0151b928a8a1e9b040f97028b980f3e2c1b81f970f314f5cef8
                                                              • Instruction ID: 239a50bef42f33542ffbe9ac8b567ffe97bb875e7617c3677fa167e047833099
                                                              • Opcode Fuzzy Hash: c5ef553773f1f0151b928a8a1e9b040f97028b980f3e2c1b81f970f314f5cef8
                                                              • Instruction Fuzzy Hash: C0218136604219AF9B10AFA8CC89CFB77ECEB08360B548565FA55DB2B1DAB0DC41C760
                                                              APIs
                                                                • Part of subcall function 00BD823D: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00BD8268
                                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00BD6676
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BD6685
                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00BD66BE
                                                              • connect.WSOCK32(00000000,?,00000010), ref: 00BD66C7
                                                              • WSAGetLastError.WSOCK32 ref: 00BD66D1
                                                              • closesocket.WSOCK32(00000000), ref: 00BD66FA
                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00BD6713
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                              • String ID:
                                                              • API String ID: 910771015-0
                                                              • Opcode ID: 417f2070b34d374c91602681f14c272e63ce7040d8327306466e93207a5abaec
                                                              • Instruction ID: 96ef63f9895434dae93e487327c406146e4456611b0963b33496162667d12336
                                                              • Opcode Fuzzy Hash: 417f2070b34d374c91602681f14c272e63ce7040d8327306466e93207a5abaec
                                                              • Instruction Fuzzy Hash: 73319371600508AFDB10AF64CC85BBEBBEDEB45764F0440AAFD0597391EB74AC44CBA1
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BBE188
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BBE1AE
                                                              • SysAllocString.OLEAUT32(00000000), ref: 00BBE1B1
                                                              • SysAllocString.OLEAUT32 ref: 00BBE1D2
                                                              • SysFreeString.OLEAUT32 ref: 00BBE1DB
                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00BBE1F5
                                                              • SysAllocString.OLEAUT32(?), ref: 00BBE203
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                              • String ID:
                                                              • API String ID: 3761583154-0
                                                              • Opcode ID: 6ddede0a94c37f7dd826d10b8f08918dbf0428b6e288522490141e56e909f690
                                                              • Instruction ID: 49846867014ec0e4df3708d726073a87ac5f2aabca27b03487e1b3743da95108
                                                              • Opcode Fuzzy Hash: 6ddede0a94c37f7dd826d10b8f08918dbf0428b6e288522490141e56e909f690
                                                              • Instruction Fuzzy Hash: B4215835614104AF9B10AFA8DC89DFA77ECEB09360B108165FA25DB2B1DAB0EC41C764
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                              • API String ID: 1038674560-2734436370
                                                              • Opcode ID: 5a75019dfa04050cd98fa1457f7f3866616ce0b3a7355394d559c0b6dfb8535f
                                                              • Instruction ID: 4678c610683c8965b34cd06fffe36de9bf9a3b39415ca67c3af91a14a857b623
                                                              • Opcode Fuzzy Hash: 5a75019dfa04050cd98fa1457f7f3866616ce0b3a7355394d559c0b6dfb8535f
                                                              • Instruction Fuzzy Hash: 3121253210451A67D220B7249C42EFB77D8DF51B40F5084B6FD4687192EBE1AEC2C395
                                                              APIs
                                                                • Part of subcall function 00B62111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B6214F
                                                                • Part of subcall function 00B62111: GetStockObject.GDI32(00000011), ref: 00B62163
                                                                • Part of subcall function 00B62111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6216D
                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BE7A1F
                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BE7A2C
                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BE7A37
                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BE7A46
                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BE7A52
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                              • String ID: Msctls_Progress32
                                                              • API String ID: 1025951953-3636473452
                                                              • Opcode ID: 1e574ca786e92b5e0d477baf90cb3ad61eb3c47fa7fc0945d9630968ac02d2c5
                                                              • Instruction ID: 467b7df289990aa156225b3415da37deebe7f1937c983a245a34c90367f00a3d
                                                              • Opcode Fuzzy Hash: 1e574ca786e92b5e0d477baf90cb3ad61eb3c47fa7fc0945d9630968ac02d2c5
                                                              • Instruction Fuzzy Hash: 661190B2154219BEEF119F61CC85EEB7F9DEF08758F015125BA44A2091CB729C21DBA0
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00B841B2,?), ref: 00B84103
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00B8410A
                                                              • EncodePointer.KERNEL32(00000000), ref: 00B84116
                                                              • DecodePointer.KERNEL32(00000001,00B841B2,?), ref: 00B84133
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                              • String ID: RoInitialize$combase.dll
                                                              • API String ID: 3489934621-340411864
                                                              • Opcode ID: 50536552b289fcfc2d386ead67af7c84e68e31e9b8730799f87611e018549716
                                                              • Instruction ID: 7635bf59e3092d2cd9603aabaaaffdad43d2689488cf37e242e1dc832406b4db
                                                              • Opcode Fuzzy Hash: 50536552b289fcfc2d386ead67af7c84e68e31e9b8730799f87611e018549716
                                                              • Instruction Fuzzy Hash: EFE0E5B86A0302AFDE207B70EC4DB6C3AA4AB25B02F404464B511E70B1DBB540A5CF04
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B840D8), ref: 00B841D8
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00B841DF
                                                              • EncodePointer.KERNEL32(00000000), ref: 00B841EA
                                                              • DecodePointer.KERNEL32(00B840D8), ref: 00B84205
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                              • String ID: RoUninitialize$combase.dll
                                                              • API String ID: 3489934621-2819208100
                                                              • Opcode ID: 162b206c65cb2c8215d70554931f48ee67496014a1f6a9e6fdf6ccc85d045ec9
                                                              • Instruction ID: 3c9c9a701d4ab8f4eec4f1d1388bb5586379e16032401e44e4790f2730ba394b
                                                              • Opcode Fuzzy Hash: 162b206c65cb2c8215d70554931f48ee67496014a1f6a9e6fdf6ccc85d045ec9
                                                              • Instruction Fuzzy Hash: CAE0B678671302ABDB24AF60AD0DF6C3AE4BB28B42F100165F501E34B1CFB54695CF14
                                                              APIs
                                                              • GetClientRect.USER32(?,?), ref: 00B621B8
                                                              • GetWindowRect.USER32(?,?), ref: 00B621F9
                                                              • ScreenToClient.USER32(?,?), ref: 00B62221
                                                              • GetClientRect.USER32(?,?), ref: 00B62350
                                                              • GetWindowRect.USER32(?,?), ref: 00B62369
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Rect$Client$Window$Screen
                                                              • String ID:
                                                              • API String ID: 1296646539-0
                                                              • Opcode ID: 69925a90f02a088075817a2eec31c5c5ad8a35396cb9815952ff00472c006091
                                                              • Instruction ID: e92e059e05087fb4c55cafbe16bfc8b4f1fd848dbfb029d1d54bbc338441d367
                                                              • Opcode Fuzzy Hash: 69925a90f02a088075817a2eec31c5c5ad8a35396cb9815952ff00472c006091
                                                              • Instruction Fuzzy Hash: 32B14939900649DBEF14CFA8C5807EEB7F1FF08710F1485A9ED59AB254EB34AA50CB64
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memmove$__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 3253778849-0
                                                              • Opcode ID: 5d80546f7871975432d2fb18c1a2f36e84cfffe82bbe1ccc17cb789bf6a3501b
                                                              • Instruction ID: 2621fe9ab807c03f86a5e4c2dd925f835e530bec907221c72582e0853ef0e7bd
                                                              • Opcode Fuzzy Hash: 5d80546f7871975432d2fb18c1a2f36e84cfffe82bbe1ccc17cb789bf6a3501b
                                                              • Instruction Fuzzy Hash: 63618D3150065AABCB12FF64C882FFE37E4AF05308F448599F9596B2A2DB34AD05DB60
                                                              APIs
                                                                • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
                                                                • Part of subcall function 00BE1242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BE01D5,?,?), ref: 00BE1259
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BE06E5
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BE0725
                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00BE0748
                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BE0771
                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BE07B4
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00BE07C1
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                              • String ID:
                                                              • API String ID: 4046560759-0
                                                              • Opcode ID: 8c3a3d2a5882a09f5a6391b0ae37164bbb8c9299d316937b6b5dca3cfe85c8b6
                                                              • Instruction ID: 19bb27f1ed66200864e1870bdee536c86b33683257c0818730d5043bc319a4db
                                                              • Opcode Fuzzy Hash: 8c3a3d2a5882a09f5a6391b0ae37164bbb8c9299d316937b6b5dca3cfe85c8b6
                                                              • Instruction Fuzzy Hash: 4E517D31118244AFC711FF68C885E6AB7E8FF84314F04899DF555872A1DB71ED44CB92
                                                              APIs
                                                              • GetMenu.USER32(?), ref: 00BE5C00
                                                              • GetMenuItemCount.USER32(00000000), ref: 00BE5C37
                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BE5C5F
                                                              • GetMenuItemID.USER32(?,?), ref: 00BE5CCE
                                                              • GetSubMenu.USER32(?,?), ref: 00BE5CDC
                                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00BE5D2D
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$CountMessagePostString
                                                              • String ID:
                                                              • API String ID: 650687236-0
                                                              • Opcode ID: 7757d577fb6f2bdb93ee4ab4cd585df8658b1c874314eae73c07078495f711e2
                                                              • Instruction ID: 8037fc4783dcc6067c370fa51565ca6847c8edce34a89b664edf1b8d73a1981d
                                                              • Opcode Fuzzy Hash: 7757d577fb6f2bdb93ee4ab4cd585df8658b1c874314eae73c07078495f711e2
                                                              • Instruction Fuzzy Hash: F1516F75A00A19AFCF21EF65C945AAEB7F5EF48314F1080A9E911BB351CB74AE41CB90
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 00BBF485
                                                              • VariantClear.OLEAUT32(00000013), ref: 00BBF4F7
                                                              • VariantClear.OLEAUT32(00000000), ref: 00BBF552
                                                              • _memmove.LIBCMT ref: 00BBF57C
                                                              • VariantClear.OLEAUT32(?), ref: 00BBF5C9
                                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BBF5F7
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Variant$Clear$ChangeInitType_memmove
                                                              • String ID:
                                                              • API String ID: 1101466143-0
                                                              • Opcode ID: 557a652548d5af90ddf0951418a2fcea625d51a0aa3252430232f8e4cc27b63e
                                                              • Instruction ID: 13f7f1689b5a5427f5f8691332ab6006cb87c32017e2885e457471d7e55d2a5f
                                                              • Opcode Fuzzy Hash: 557a652548d5af90ddf0951418a2fcea625d51a0aa3252430232f8e4cc27b63e
                                                              • Instruction Fuzzy Hash: B3514BB5A0020A9FDB24CF58C884ABAB7F8FF4C314B15856AE959DB311D770E911CFA0
                                                              APIs
                                                              • _memset.LIBCMT ref: 00BC286B
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BC28B6
                                                              • IsMenu.USER32(00000000), ref: 00BC28D6
                                                              • CreatePopupMenu.USER32 ref: 00BC290A
                                                              • GetMenuItemCount.USER32(000000FF), ref: 00BC2968
                                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00BC2999
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                              • String ID:
                                                              • API String ID: 3311875123-0
                                                              • Opcode ID: 5da4a26c11be740549c1fb34ee74a4eaf952444e3b28b3797dfa3d0d24c3e685
                                                              • Instruction ID: 37c9144b919d4ea0887b4cd9630dd7c9005ee9ebd52cfe0286f01a5bb14a370d
                                                              • Opcode Fuzzy Hash: 5da4a26c11be740549c1fb34ee74a4eaf952444e3b28b3797dfa3d0d24c3e685
                                                              • Instruction Fuzzy Hash: 9D51BC7460020AEBDF24DF68C888FAEBBF4EF54314F1446ADE8559B2A1D7B09944CB61
                                                              APIs
                                                                • Part of subcall function 00B629E2: GetWindowLongW.USER32(?,000000EB), ref: 00B629F3
                                                              • BeginPaint.USER32(?,?,?,?,?,?), ref: 00B61B76
                                                              • GetWindowRect.USER32(?,?), ref: 00B61BDA
                                                              • ScreenToClient.USER32(?,?), ref: 00B61BF7
                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B61C08
                                                              • EndPaint.USER32(?,?), ref: 00B61C52
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                              • String ID:
                                                              • API String ID: 1827037458-0
                                                              • Opcode ID: 064e6607ff8643e5efd7ebb6a39bf20cb145715e74317d6ca9b2743f4a2135a0
                                                              • Instruction ID: becf5145754be16390688e9805411144c6d5406fabbad97b4c9987b44883c5c7
                                                              • Opcode Fuzzy Hash: 064e6607ff8643e5efd7ebb6a39bf20cb145715e74317d6ca9b2743f4a2135a0
                                                              • Instruction Fuzzy Hash: C6419171104200AFDB21DF28DC84FBA7BF8FB55720F180AA9F9559B2B2CB359845DB61
                                                              APIs
                                                              • ShowWindow.USER32(00C267B0,00000000,017053E8,?,?,00C267B0,?,00BEB995,?,?), ref: 00BEBAFF
                                                              • EnableWindow.USER32(?,00000000), ref: 00BEBB23
                                                              • ShowWindow.USER32(00C267B0,00000000,017053E8,?,?,00C267B0,?,00BEB995,?,?), ref: 00BEBB83
                                                              • ShowWindow.USER32(?,00000004,?,00BEB995,?,?), ref: 00BEBB95
                                                              • EnableWindow.USER32(?,00000001), ref: 00BEBBB9
                                                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00BEBBDC
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$Show$Enable$MessageSend
                                                              • String ID:
                                                              • API String ID: 642888154-0
                                                              • Opcode ID: 5fd77e0957c7ad3f1d4416ec920c6591d11c831ef0c7563bf754f3d5f18cbbd9
                                                              • Instruction ID: 46f5d25dd89db7c35b84c0017051d7e70c0f3719236e5c37dee83a90be6514e3
                                                              • Opcode Fuzzy Hash: 5fd77e0957c7ad3f1d4416ec920c6591d11c831ef0c7563bf754f3d5f18cbbd9
                                                              • Instruction Fuzzy Hash: 31413034600184AFDB25DF25C989FA57BE1FF05314F1881F9F9988F2A6C771A846CB51
                                                              APIs
                                                              • GetForegroundWindow.USER32(?,?,?,?,?,?,00BD52F1,?,?,00000000,00000001), ref: 00BD755B
                                                                • Part of subcall function 00BD3E50: GetWindowRect.USER32(?,?), ref: 00BD3E63
                                                              • GetDesktopWindow.USER32 ref: 00BD7585
                                                              • GetWindowRect.USER32(00000000), ref: 00BD758C
                                                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00BD75BE
                                                                • Part of subcall function 00BC566C: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BC56E4
                                                              • GetCursorPos.USER32(?), ref: 00BD75EA
                                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BD7648
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                              • String ID:
                                                              • API String ID: 4137160315-0
                                                              • Opcode ID: dd58dc600adf5ff5eba7a3b36ba02f037274f100d3f3c54efcb3daace58d151f
                                                              • Instruction ID: 9bc326d0648a1a72d712548998107a74411f62535a32f806fb068bf680b719cb
                                                              • Opcode Fuzzy Hash: dd58dc600adf5ff5eba7a3b36ba02f037274f100d3f3c54efcb3daace58d151f
                                                              • Instruction Fuzzy Hash: 1231D472104305ABD720DF14D849FABB7E9FF98314F00091AF48997191EF70EA14CB92
                                                              APIs
                                                                • Part of subcall function 00BB8AAA: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BB8AC1
                                                                • Part of subcall function 00BB8AAA: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BB8ACB
                                                                • Part of subcall function 00BB8AAA: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BB8ADA
                                                                • Part of subcall function 00BB8AAA: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BB8AE1
                                                                • Part of subcall function 00BB8AAA: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BB8AF7
                                                              • GetLengthSid.ADVAPI32(?,00000000,00BB8E30), ref: 00BB9265
                                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BB9271
                                                              • HeapAlloc.KERNEL32(00000000), ref: 00BB9278
                                                              • CopySid.ADVAPI32(00000000,00000000,?), ref: 00BB9291
                                                              • GetProcessHeap.KERNEL32(00000000,00000000,00BB8E30), ref: 00BB92A5
                                                              • HeapFree.KERNEL32(00000000), ref: 00BB92AC
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                              • String ID:
                                                              • API String ID: 3008561057-0
                                                              • Opcode ID: 47de41f8c3e43095c33c39c50f3a064f85ae55382ce01a84d9cceb6b4a96bf27
                                                              • Instruction ID: 5f409431235a6c739c4746b478ce5866d3e7e15e0f096f86b4ed58cefae43e45
                                                              • Opcode Fuzzy Hash: 47de41f8c3e43095c33c39c50f3a064f85ae55382ce01a84d9cceb6b4a96bf27
                                                              • Instruction Fuzzy Hash: C9118131911208FFDB109F64CC09FFE7BA9EB45315F104099FA45A7221CB72AA40DB60
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BB8FE3
                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00BB8FEA
                                                              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00BB8FF9
                                                              • CloseHandle.KERNEL32(00000004), ref: 00BB9004
                                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BB9033
                                                              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00BB9047
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                              • String ID:
                                                              • API String ID: 1413079979-0
                                                              • Opcode ID: 2abfcb3a05a1f3ed3d557b0164e6ccba6f4ab21932e88b677cfcf77dc5e181e9
                                                              • Instruction ID: 9a92934c2a71fc64f245b3c5021e68f0998a3b8702b05567f13c007d8397ff88
                                                              • Opcode Fuzzy Hash: 2abfcb3a05a1f3ed3d557b0164e6ccba6f4ab21932e88b677cfcf77dc5e181e9
                                                              • Instruction Fuzzy Hash: 6E111A72501249ABDB119FA4DD49FFA7BA9EB08704F044095FA04A2161D6B69D60EB60
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 00BBC131
                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00BBC142
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BBC149
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00BBC151
                                                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00BBC168
                                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 00BBC17A
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CapsDevice$Release
                                                              • String ID:
                                                              • API String ID: 1035833867-0
                                                              • Opcode ID: 08e1dccde1cc566322084bdb7e0254ab2b2907a40fd788eabb9b074e05da7427
                                                              • Instruction ID: fae122ebb9f9cd0f73483c13bee9ddb1c5e4dc64b7b66da249bcfb505261eb49
                                                              • Opcode Fuzzy Hash: 08e1dccde1cc566322084bdb7e0254ab2b2907a40fd788eabb9b074e05da7427
                                                              • Instruction Fuzzy Hash: 0E014475E40618BBEF10ABA59D49A6EBFF8EB58751F0040A5FA04F7291DA709D10CFA0
                                                              APIs
                                                                • Part of subcall function 00B616CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B61729
                                                                • Part of subcall function 00B616CF: SelectObject.GDI32(?,00000000), ref: 00B61738
                                                                • Part of subcall function 00B616CF: BeginPath.GDI32(?), ref: 00B6174F
                                                                • Part of subcall function 00B616CF: SelectObject.GDI32(?,00000000), ref: 00B61778
                                                              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00BEC2F7
                                                              • LineTo.GDI32(00000000,00000003,?), ref: 00BEC30B
                                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00BEC319
                                                              • LineTo.GDI32(00000000,00000000,?), ref: 00BEC329
                                                              • EndPath.GDI32(00000000), ref: 00BEC339
                                                              • StrokePath.GDI32(00000000), ref: 00BEC349
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                              • String ID:
                                                              • API String ID: 43455801-0
                                                              • Opcode ID: 26140d5853558056d33ee381c4c78823dcfa21528e869dd30d4730632b8ae9ca
                                                              • Instruction ID: f136d1a814824cb89f6a1e883d586829768dd48c48f73856cbea1f6b4e47077d
                                                              • Opcode Fuzzy Hash: 26140d5853558056d33ee381c4c78823dcfa21528e869dd30d4730632b8ae9ca
                                                              • Instruction Fuzzy Hash: E711C97600014DBFDB12AF95DC88FAA7FADEB08354F048051BA185A1B1DB719E55DBA0
                                                              APIs
                                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B80717
                                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00B8071F
                                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B8072A
                                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B80735
                                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00B8073D
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B80745
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Virtual
                                                              • String ID:
                                                              • API String ID: 4278518827-0
                                                              • Opcode ID: 71193de7d7be2b173c290a19c4f6a77c131e30751deb989b512ba54977c1e3c0
                                                              • Instruction ID: bf5368a8ee2153b7852ae6cba8fe0cebb2ec467a59a95135fd733045b15f9314
                                                              • Opcode Fuzzy Hash: 71193de7d7be2b173c290a19c4f6a77c131e30751deb989b512ba54977c1e3c0
                                                              • Instruction Fuzzy Hash: A2016CB09017597DE3009F5A8C85B52FFE8FF59354F00411BA15C47942C7F5A864CBE5
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BC5821
                                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BC5837
                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 00BC5846
                                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BC5855
                                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BC585F
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BC5866
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                              • String ID:
                                                              • API String ID: 839392675-0
                                                              • Opcode ID: 49135888e5db8c8613640d804bbfc42d4923875832dde84b1e2dcd85948eab98
                                                              • Instruction ID: 57322f4630e7c9166dea03b8c983fe10900ea9a40f74b59bf3cf7ed13276c472
                                                              • Opcode Fuzzy Hash: 49135888e5db8c8613640d804bbfc42d4923875832dde84b1e2dcd85948eab98
                                                              • Instruction Fuzzy Hash: 89F01D32251159BBE7216B929C0DEFF7A7CEBCAB11F000159FA04E3061DFA01A11C6B5
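The function listed above (PostMessageW/SendMessageTimeoutW with WM_CLOSE, then OpenProcess with PROCESS_ALL_ACCESS and TerminateProcess) and the CreateProcessWithLogonW routine listed earlier are the kind of API chains an analyst scans this section for. The following Python is an added example, not Joe Sandbox code: it parses the "APIs" blocks in the exact line format this report uses and tags each function with a small heuristic rule set. The sample text is constructed from two entries in this section, and the rule table and tag names are this example's own assumptions, not anything the report asserts.

```python
"""Triage the per-function "APIs" blocks of a Joe Sandbox IDA-plugin listing.

Added example for this report section; it is not Joe Sandbox code. The rule
table below is an assumption of this example, not something the report states.
"""
import re

# Constructed sample: two "APIs" blocks copied in the format this report uses
# (the WM_CLOSE/TerminateProcess routine and the CreateProcessWithLogonW routine).
SAMPLE = """\
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BC5821
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BC5837
• GetWindowThreadProcessId.USER32(?,?), ref: 00BC5846
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?), ref: 00BC5855
• TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 00BC585F
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 00BC5866
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BB8FE3
• OpenProcessToken.ADVAPI32(00000000), ref: 00BB8FEA
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00BB8FF9
• CloseHandle.KERNEL32(00000004), ref: 00BB9004
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BB9033
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00BB9047
Memory Dump Source
"""

# One API line: optional "Part of subcall function XXXX: " prefix, then Api.MODULE(args), ref: ADDR
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)\s*$"
)

PROCESS_ALL_ACCESS = 0x1F0FFF  # Win32 access mask seen as OpenProcess's first argument
WM_CLOSE = 0x0010              # window message seen as the second argument of PostMessageW


def arg_int(arg):
    """Decode one listed argument; '?' (unknown to the plugin) becomes None."""
    return int(arg, 16) if re.fullmatch(r"-?[0-9A-F]+", arg) else None


def parse_blocks(text):
    """Return one list of call dicts per "APIs" block, in listing order."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
            continue
        if current is None or not stripped.startswith("•"):
            current = None  # any non-bullet line (Memory Dump Source, ...) ends the block
            continue
        m = API_LINE.match(line)
        if not m:
            continue  # bullet lines that are not API calls are ignored
        raw = m.group("args")
        current.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": m.group("ref"),
            "subcall": m.group("sub") is not None,
        })
    return blocks


def flag_function(calls):
    """Apply this example's heuristic rules to one function; return sorted tags."""
    tags = set()
    names = [c["api"] for c in calls]
    for c in calls:
        a = c["args"]
        if c["api"] in ("PostMessageW", "SendMessageW", "SendMessageTimeoutW") \
                and len(a) > 1 and arg_int(a[1]) == WM_CLOSE:
            tags.add("sends_wm_close")
        if c["api"] == "OpenProcess" and a and arg_int(a[0]) == PROCESS_ALL_ACCESS:
            tags.add("openprocess_all_access")
    # Order-sensitive rule: a handle opened with full access and then terminated.
    if "openprocess_all_access" in tags and "TerminateProcess" in names \
            and names.index("OpenProcess") < names.index("TerminateProcess"):
        tags.add("kills_foreign_process")
    if "CreateProcessWithLogonW" in names:
        tags.add("runs_as_other_user")
    if "mouse_event" in names:
        tags.add("synthetic_mouse_input")
    if "TerminateThread" in names:
        tags.add("terminates_thread")
    return sorted(tags)


def triage(text):
    """Map each function (keyed by the ref of its first call) to its tags."""
    return [(calls[0]["ref"] if calls else None, flag_function(calls))
            for calls in parse_blocks(text)]


if __name__ == "__main__":
    for ref, tags in triage(SAMPLE):
        print(ref, tags)
```

Extend `flag_function` with the other chains visible in this section (mouse_event plus Sleep, TerminateThread under a critical section) by adding rules over `names` and decoded arguments; the parser keeps the "Part of subcall function" calls in the list, flagged by `subcall`, so a rule can choose whether inlined callee APIs count toward the caller.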
                                                              APIs
                                                              • InterlockedExchange.KERNEL32(?,?), ref: 00BC766B
                                                              • EnterCriticalSection.KERNEL32(?,?,00B6C2B6,?,?), ref: 00BC767C
                                                              • TerminateThread.KERNEL32(00000000,000001F6,?,00B6C2B6,?,?), ref: 00BC7689
                                                              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00B6C2B6,?,?), ref: 00BC7696
                                                                • Part of subcall function 00BC705D: CloseHandle.KERNEL32(00000000,?,00BC76A3,?,00B6C2B6,?,?), ref: 00BC7067
                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00BC76A9
                                                              • LeaveCriticalSection.KERNEL32(?,?,00B6C2B6,?,?), ref: 00BC76B0
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                              • String ID:
                                                              • API String ID: 3495660284-0
                                                              • Opcode ID: 4045f7f88888cea76afdbf5347c8da1d67b7b6e5d622bf666c157e6e1c684dda
                                                              • Instruction ID: 99ac2ec1e60057bfc6e9e8d995d98e94e58db182a1bf5888538fff9e3c335cfd
                                                              • Opcode Fuzzy Hash: 4045f7f88888cea76afdbf5347c8da1d67b7b6e5d622bf666c157e6e1c684dda
                                                              • Instruction Fuzzy Hash: EBF034321A5612ABD7113BA8EC8CEBA7769FB4A302F540466F602A30B28F755801DB60
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BB9338
                                                              • UnloadUserProfile.USERENV(?,?), ref: 00BB9344
                                                              • CloseHandle.KERNEL32(?), ref: 00BB934D
                                                              • CloseHandle.KERNEL32(?), ref: 00BB9355
                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00BB935E
                                                              • HeapFree.KERNEL32(00000000), ref: 00BB9365
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                               • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                               • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                              • String ID:
                                                              • API String ID: 146765662-0
                                                              • Opcode ID: b985d25e5cb1f9bff6b3df30a8c53f14437a4148de4c529bbc87ebfd7b670faa
                                                              • Instruction ID: f9496a3e818508d44d987193dd75fb7f9175704e74c72762182bf5e4554df994
                                                              • Opcode Fuzzy Hash: b985d25e5cb1f9bff6b3df30a8c53f14437a4148de4c529bbc87ebfd7b670faa
                                                              • Instruction Fuzzy Hash: 60E0C236014102BBDA012BE2EC0C96ABF29FB49722B504220F22593071CF32A460DB50
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 00BD8AC5
                                                              • CharUpperBuffW.USER32(?,?), ref: 00BD8BD4
                                                              • VariantClear.OLEAUT32(?), ref: 00BD8D4C
                                                                • Part of subcall function 00BC798A: VariantInit.OLEAUT32(00000000), ref: 00BC79CA
                                                                • Part of subcall function 00BC798A: VariantCopy.OLEAUT32(00000000,?), ref: 00BC79D3
                                                                • Part of subcall function 00BC798A: VariantClear.OLEAUT32(00000000), ref: 00BC79DF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                              • API String ID: 4237274167-1221869570
                                                              • Opcode ID: 164faca03238236890e4af53a098124078a84b1af45e763fc946f9542bb90034
                                                              • Instruction ID: 30e20bbbdacf096710e5505baef85680ca8bdedb145ea7de7d8bca05ede80a28
                                                              • Instruction Fuzzy Hash: FA916C71604701DFC710EF28C48096ABBF5EF89754F1489AEF89A8B361EB31E945CB52
                                                              APIs
                                                                • Part of subcall function 00B7436A: _wcscpy.LIBCMT ref: 00B7438D
                                                              • _memset.LIBCMT ref: 00BC319B
                                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BC31CA
                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BC327D
                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BC32AB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                              • String ID: 0
                                                              • API String ID: 4152858687-4108050209
                                                              • Opcode ID: f30912cdac5637dcbce7eac4c2b7abcb39160db08c176113d0d2264fa6ab9ced
                                                              • Instruction ID: e30c72cacb3f532aa03b79b6ae289a0a8ff418227502d6c60141a2c1115b3183
                                                              • Instruction Fuzzy Hash: 8D51D1716083009FDB15EB28D881B6BB7E4EF45B50F4485ADF895DB1A1DB70CE08CB92
                                                              APIs
                                                              • _memset.LIBCMT ref: 00BC2DD3
                                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BC2DEF
                                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00BC2E35
                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C26890,00000000), ref: 00BC2E7E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Menu$Delete$InfoItem_memset
                                                              • String ID: 0
                                                              • API String ID: 1173514356-4108050209
                                                              • Opcode ID: b3e7e8534892331e5ca16d409d645f33859b77a3856466243902606e2465f8f1
                                                              • Instruction ID: d5319ed3d67ba905c1f0fa03307561c22528b58ec1e5029a4bdbad9bf1533c50
                                                              • Instruction Fuzzy Hash: 4C416071204302DFDB24DF28C884F6ABBE4EF89714F1446ADF9A5A7391D770A905CB62
                                                              APIs
                                                                • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
                                                                • Part of subcall function 00BBB57D: GetClassNameW.USER32(?,?,000000FF), ref: 00BBB5A0
                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00BB98AF
                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00BB98C2
                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00BB98F2
                                                                • Part of subcall function 00B71821: _memmove.LIBCMT ref: 00B7185B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$_memmove$ClassName
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 365058703-1403004172
                                                              • Opcode ID: 19a1be8a2f522536094cb2e571a1c8b6bc0bc1304f54348a7118105118391344
                                                              • Instruction ID: 2ab053ccbf38986b83986d09faf65e9be438d1844ad8cfd44bec91555c787901
                                                              • Instruction Fuzzy Hash: 0F213571A04108BFDB24ABA8CC86CFFB7F8DF41360B108299F565972E1DB744D09D620
                                                              APIs
                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BD1CFC
                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BD1D22
                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BD1D52
                                                              • InternetCloseHandle.WININET(00000000), ref: 00BD1D99
                                                                • Part of subcall function 00BD2933: GetLastError.KERNEL32(?,?,00BD1CC7,00000000,00000000,00000001), ref: 00BD2948
                                                                • Part of subcall function 00BD2933: SetEvent.KERNEL32(?,?,00BD1CC7,00000000,00000000,00000001), ref: 00BD295D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                              • String ID:
                                                              • API String ID: 3113390036-3916222277
                                                              • Opcode ID: 6dea67242c3f47b740696ca7ba60b0da7f46f9e400c5d7da3266f184c053cd14
                                                              • Instruction ID: 0ae8ea779532d5fa664a0cd1151c00c7ea5c92679e6981cb397eda0534b5cb7a
                                                              • Instruction Fuzzy Hash: EC21BE71500208BFE711AF288C85EBFB6FDEB88B44F1045ABF405A3350EB249D059BA0
                                                              APIs
                                                                • Part of subcall function 00B62111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B6214F
                                                                • Part of subcall function 00B62111: GetStockObject.GDI32(00000011), ref: 00B62163
                                                                • Part of subcall function 00B62111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6216D
                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BE684E
                                                              • LoadLibraryW.KERNEL32(?), ref: 00BE6855
                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BE686A
                                                              • DestroyWindow.USER32(?), ref: 00BE6872
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                              • String ID: SysAnimate32
                                                              • API String ID: 4146253029-1011021900
                                                              • Opcode ID: 0ca1262c772a34ce4a3cfe65a9543e1a7aa87fee7d59ea88c284b86d125e6f5c
                                                              • Instruction ID: e6ad3f62534f9e21b9f1af56fae05e64532126d55da5bec0c527b2ff03d3a633
                                                              • Instruction Fuzzy Hash: 7121BB71610285ABEF104F65DC84EBB37E9EF693A8F10466AFA50D3090CB31DC519760
                                                              APIs
                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00BC71E4
                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BC7217
                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00BC7229
                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00BC7263
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CreateHandle$FilePipe
                                                              • String ID: nul
                                                              • API String ID: 4209266947-2873401336
                                                              • Opcode ID: 55363f89ef906cb11894ff6d33b3d18f75b915fbae7893b1fb61665079dcb503
                                                              • Instruction ID: 3a0b19eeedc63a4074b0ebf3a82874fb2ae5c06988052f11008da67f463750e3
                                                              • Instruction Fuzzy Hash: AA213D71544206ABDB209F699C45F9A77E8EF45720F24469DF8A0EB2D0DF709950CFA0
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00BC72B1
                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BC72E3
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00BC72F4
                                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00BC732E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CreateHandle$FilePipe
                                                              • String ID: nul
                                                              • API String ID: 4209266947-2873401336
                                                              • Opcode ID: 959108bb6cf5a2a2300653774137b9a6e35aa0d5397b66ce8b100a5536c50011
                                                              • Instruction ID: 14c4da27fedbf8f0c772ccdf8b72db05245991dc7ac8f91653da978b1c345944
                                                              • Instruction Fuzzy Hash: CC214F716482059BDB209F699849FA977E8EF56720F200A9DFCA1E72D0DF709841CB61
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 00BCB104
                                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00BCB158
                                                              • __swprintf.LIBCMT ref: 00BCB171
                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,00BF0980), ref: 00BCB1AF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                              • String ID: %lu
                                                              • API String ID: 3164766367-685833217
                                                              • Opcode ID: d039dee9b0d9bd8f49ca9318b458c0e756866504f0c47fcad6fbf4c24c699754
                                                              • Instruction ID: 717d037c07303106e76c71407e57984c1f166f832f6b2cb0049602be19be9e15
                                                              • Instruction Fuzzy Hash: 80218634A00109AFCB10EF68CD85DAEB7F8EF49714B1080A9F509E7252DB71EE41CB61
                                                              APIs
                                                                • Part of subcall function 00B71821: _memmove.LIBCMT ref: 00B7185B
                                                                • Part of subcall function 00BBA835: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00BBA852
                                                                • Part of subcall function 00BBA835: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BBA865
                                                                • Part of subcall function 00BBA835: GetCurrentThreadId.KERNEL32 ref: 00BBA86C
                                                                • Part of subcall function 00BBA835: AttachThreadInput.USER32(00000000), ref: 00BBA873
                                                              • GetFocus.USER32 ref: 00BBAA0D
                                                                • Part of subcall function 00BBA87E: GetParent.USER32(?), ref: 00BBA88C
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 00BBAA56
                                                              • EnumChildWindows.USER32(?,00BBAACE), ref: 00BBAA7E
                                                              • __swprintf.LIBCMT ref: 00BBAA98
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                              • String ID: %s%d
                                                              • API String ID: 1941087503-1110647743
                                                              • Opcode ID: 4129cc5aad399e86391d35191065a0630c42c5ba949e06e8a63e7f3b5c8b873e
                                                              • Instruction ID: 3a75936eb263948b406b41401cfaca037ae90308a2f72ee151745504619dd2b7
                                                              • Instruction Fuzzy Hash: C7116371900205ABDB11BFA48D85FFA77ECAB44700F0040E5BD18AA193DAB05955CB72
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?), ref: 00BC2184
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                              • API String ID: 3964851224-769500911
                                                              APIs
                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BDF0B8
                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BDF0E8
                                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00BDF21B
                                                              • CloseHandle.KERNEL32(?), ref: 00BDF29C
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                              • String ID:
                                                              • API String ID: 2364364464-0
                                                              APIs
                                                                • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
                                                                • Part of subcall function 00BE1242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BE01D5,?,?), ref: 00BE1259
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BE0525
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BE0564
                                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BE05AB
                                                              • RegCloseKey.ADVAPI32(?,?), ref: 00BE05D7
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00BE05E4
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                              • String ID:
                                                              • API String ID: 3440857362-0
                                                              APIs
                                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00BCEACF
                                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00BCEAF8
                                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00BCEB37
                                                                • Part of subcall function 00B64D37: __itow.LIBCMT ref: 00B64D62
                                                                • Part of subcall function 00B64D37: __swprintf.LIBCMT ref: 00B64DAC
                                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00BCEB5C
                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00BCEB64
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 1389676194-0
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              APIs
                                                              • GetCursorPos.USER32(?), ref: 00B62727
                                                              • ScreenToClient.USER32(00C267B0,?), ref: 00B62744
                                                              • GetAsyncKeyState.USER32(00000001), ref: 00B62769
                                                              • GetAsyncKeyState.USER32(00000002), ref: 00B62777
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: AsyncState$ClientCursorScreen
                                                              • String ID:
                                                              • API String ID: 4210589936-0
                                                              APIs
                                                              • GetWindowRect.USER32(?,?), ref: 00BB93CB
                                                              • PostMessageW.USER32(?,00000201,00000001), ref: 00BB9475
                                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00BB947D
                                                              • PostMessageW.USER32(?,00000202,00000000), ref: 00BB948B
                                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00BB9493
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessagePostSleep$RectWindow
                                                              • String ID:
                                                              • API String ID: 3382505437-0
                                                              APIs
                                                              • IsWindowVisible.USER32(?), ref: 00BBBB80
                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BBBB9D
                                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BBBBD5
                                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BBBBFB
                                                              • _wcsstr.LIBCMT ref: 00BBBC05
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                              • String ID:
                                                              • API String ID: 3902887630-0
                                                              APIs
                                                                • Part of subcall function 00B629E2: GetWindowLongW.USER32(?,000000EB), ref: 00B629F3
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BEB57F
                                                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00BEB5A4
                                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BEB5BC
                                                              • GetSystemMetrics.USER32(00000004), ref: 00BEB5E5
                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00BD1340,00000000), ref: 00BEB603
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$Long$MetricsSystem
                                                              • String ID:
                                                              • API String ID: 2294984445-0
                                                              APIs
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BB9CBB
                                                                • Part of subcall function 00B71821: _memmove.LIBCMT ref: 00B7185B
                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BB9CED
                                                              • __itow.LIBCMT ref: 00BB9D05
                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BB9D2D
                                                              • __itow.LIBCMT ref: 00BB9D3E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$__itow$_memmove
                                                              • String ID:
                                                              • API String ID: 2983881199-0
                                                              APIs
                                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B61729
                                                              • SelectObject.GDI32(?,00000000), ref: 00B61738
                                                              • BeginPath.GDI32(?), ref: 00B6174F
                                                              • SelectObject.GDI32(?,00000000), ref: 00B61778
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ObjectSelect$BeginCreatePath
                                                              • String ID:
                                                              • API String ID: 3225163088-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memcmp
                                                              • String ID:
                                                              • API String ID: 2931989736-0
                                                              • Opcode ID: fbcbdc6dc8765964cd296e98414d27ac49744472e7a493bab4ee9e424fced220
                                                              • Instruction ID: ae3813ff404f5b4bb0850704ffc8a55d82f49e4ca9d7a48246339c8bfbea162a
                                                              • Opcode Fuzzy Hash: fbcbdc6dc8765964cd296e98414d27ac49744472e7a493bab4ee9e424fced220
                                                              • Instruction Fuzzy Hash: F301B9616012097BD200E6199D82FF77BDCEAA0784B0054D7FE0697252E690DE15C2A4
                                                              APIs
                                                              • GetCurrentThreadId.KERNEL32 ref: 00BC4EE2
                                                              • __beginthreadex.LIBCMT ref: 00BC4F00
                                                              • MessageBoxW.USER32(?,?,?,?), ref: 00BC4F15
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BC4F2B
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BC4F32
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                              • String ID:
                                                              • API String ID: 3824534824-0
                                                              • Opcode ID: 3398d6a384e2011f3f5cc9949577846215db3768aa825ada0e3e7975900a710e
                                                              • Instruction ID: 02cf2581e5b5c44fd8cfa10edcf315423154f53c80891916bf3c1c5029914591
                                                              • Opcode Fuzzy Hash: 3398d6a384e2011f3f5cc9949577846215db3768aa825ada0e3e7975900a710e
                                                              • Instruction Fuzzy Hash: 6711C8B6914249BBC7119BA89C44FAE7BECEB45320F14429DF818D32A1DB758A44C7B0
                                                              APIs
                                                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BB8C1F
                                                              • GetLastError.KERNEL32(?,00BB86E3,?,?,?), ref: 00BB8C29
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00BB86E3,?,?,?), ref: 00BB8C38
                                                              • HeapAlloc.KERNEL32(00000000,?,00BB86E3,?,?,?), ref: 00BB8C3F
                                                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BB8C56
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 842720411-0
                                                              • Opcode ID: 8d703f09fcfe3307fc9edc69ce1eb991f0a1db94f8c0728ca123d6bc22961043
                                                              • Instruction ID: 8fa20731b6b3177a14e84f84bc81db45fa7aa4089007117a727537a7ca16272f
                                                              • Opcode Fuzzy Hash: 8d703f09fcfe3307fc9edc69ce1eb991f0a1db94f8c0728ca123d6bc22961043
                                                              • Instruction Fuzzy Hash: 550124B0611208BFDB205FA6EC889BB7FACEF8A754B100469F948D3220DA71CD10CA70
                                                              APIs
                                                              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB7A45,80070057,?,?,?,00BB7E56), ref: 00BB7B28
                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB7A45,80070057,?,?), ref: 00BB7B43
                                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB7A45,80070057,?,?), ref: 00BB7B51
                                                              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB7A45,80070057,?), ref: 00BB7B61
                                                              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB7A45,80070057,?,?), ref: 00BB7B6D
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                                              • String ID:
                                                              • API String ID: 3897988419-0
                                                              • Opcode ID: 2ef5e3602f24958f1b669cd03928f0b7e22ea3d94189a5411a354fb5e960d26d
                                                              • Instruction ID: 370d0821114479fa7b17d6a51ee64eb577d3edfa14877aaabf5c50d211bbb8f6
                                                              • Opcode Fuzzy Hash: 2ef5e3602f24958f1b669cd03928f0b7e22ea3d94189a5411a354fb5e960d26d
                                                              • Instruction Fuzzy Hash: 33015A72611205BBDB215F64EC48ABA7BEDEF84792F104068F909D3221EBB1DD10CAA0
                                                              APIs
                                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BB8AC1
                                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BB8ACB
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BB8ADA
                                                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BB8AE1
                                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BB8AF7
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 44706859-0
                                                              • Opcode ID: 83b3efa1eaafdb66f9e38507a29904e6a89644f7e135158bb42068cb91fb07c6
                                                              • Instruction ID: 2860ea34a2fa43fdff8da7ab97ecdb16534e2c146f6b7d76f109c155231502d7
                                                              • Opcode Fuzzy Hash: 83b3efa1eaafdb66f9e38507a29904e6a89644f7e135158bb42068cb91fb07c6
                                                              • Instruction Fuzzy Hash: B5F04F71210204AFEB211FB59CCDEB73BADEF49758B500155F945D7161CEA29C41DB60
                                                              APIs
                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BB8B22
                                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8B2C
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8B3B
                                                              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8B42
                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8B58
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 44706859-0
                                                              • Opcode ID: a271422327d78c1ebbdaa63b15654f17469cda7cd8313d8a1279d7e092e925e0
                                                              • Instruction ID: fe5a9fb1472986c493b562227749891c3dff803a1e1f2476f4c2817389686bd9
                                                              • Opcode Fuzzy Hash: a271422327d78c1ebbdaa63b15654f17469cda7cd8313d8a1279d7e092e925e0
                                                              • Instruction Fuzzy Hash: EEF0AF71210204AFEB211FB4EC88EB77BACEF49754B000029F904D7160DEB1D910DB60
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00BBCB73
                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00BBCB8A
                                                              • MessageBeep.USER32(00000000), ref: 00BBCBA2
                                                              • KillTimer.USER32(?,0000040A), ref: 00BBCBBE
                                                              • EndDialog.USER32(?,00000001), ref: 00BBCBD8
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                              • String ID:
                                                              • API String ID: 3741023627-0
                                                              • Opcode ID: a953b19f6c7a898fe71d03c87dd43c19f156b501920a091eccfa125484f3e634
                                                              • Instruction ID: eb95c91c357866ea52d02824887145e73d0ba123b2b3f45a156db9d2b104eddc
                                                              • Opcode Fuzzy Hash: a953b19f6c7a898fe71d03c87dd43c19f156b501920a091eccfa125484f3e634
                                                              • Instruction Fuzzy Hash: 6D014F30550708ABEB31AB54DD8EFBA7BA8FF00B05F000699B586A24E1DBE06954CA90
                                                              APIs
                                                              • EndPath.GDI32(?), ref: 00B6179B
                                                              • StrokeAndFillPath.GDI32(?,?,00B9BAF9,00000000,?), ref: 00B617B7
                                                              • SelectObject.GDI32(?,00000000), ref: 00B617CA
                                                              • DeleteObject.GDI32 ref: 00B617DD
                                                              • StrokePath.GDI32(?), ref: 00B617F8
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                                              • String ID:
                                                              • API String ID: 2625713937-0
                                                              • Opcode ID: a11117112462279f170a42e51a945b36f37d39aaaa84cb2f69156c376ed8d8fb
                                                              • Instruction ID: 91a4c15ac1e947984ba2cae391890b94647884dbe26273532e463e05786fc291
                                                              • Opcode Fuzzy Hash: a11117112462279f170a42e51a945b36f37d39aaaa84cb2f69156c376ed8d8fb
                                                              • Instruction Fuzzy Hash: 8AF0C470024208EFDB226F2AEC4CB693BA4EB01326F18C255F829564F1CB358996DF20
                                                              APIs
                                                              • CoInitialize.OLE32(00000000), ref: 00BCC8E2
                                                              • CoCreateInstance.OLE32(00BF3D3C,00000000,00000001,00BF3BAC,?), ref: 00BCC8FA
                                                                • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
                                                              • CoUninitialize.OLE32 ref: 00BCCB67
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CreateInitializeInstanceUninitialize_memmove
                                                              • String ID: .lnk
                                                              • API String ID: 2683427295-24824748
                                                              • Opcode ID: b8f15b9a8be6babd70d8b6e442fbb0912fd78413584aa96adf34151573bcbcd2
                                                              • Instruction ID: 39453d07b6e1b3f8da5857dbb13f17c32828c3b7865244b3a5058ad9a3fee1a5
                                                              • Opcode Fuzzy Hash: b8f15b9a8be6babd70d8b6e442fbb0912fd78413584aa96adf34151573bcbcd2
                                                              • Instruction Fuzzy Hash: 4CA13071504205AFD300EF64C891EABB7ECEF95754F0049ACF159972A2EB70EE49CB62
                                                              APIs
                                                                • Part of subcall function 00B80F16: std::exception::exception.LIBCMT ref: 00B80F4C
                                                                • Part of subcall function 00B80F16: __CxxThrowException@8.LIBCMT ref: 00B80F61
                                                                • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
                                                                • Part of subcall function 00B71680: _memmove.LIBCMT ref: 00B716DB
                                                              • __swprintf.LIBCMT ref: 00B6E598
                                                              Strings
                                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00B6E431
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                              • API String ID: 1943609520-557222456
                                                              • Opcode ID: 33fb1d9070648f97b473d49807d8136b3047f1ee1371d3eb36c4918855986593
                                                              • Instruction ID: 3778ad565483f999e1516be804be3853cbb1087968289a21c7e5e90cd110b495
                                                              • Opcode Fuzzy Hash: 33fb1d9070648f97b473d49807d8136b3047f1ee1371d3eb36c4918855986593
                                                              • Instruction Fuzzy Hash: 9A9172715182019FC724FF28C895C6E77E4EF95700F40899DF5A69B2A1EB34EE44CBA2
                                                              APIs
                                                              • __startOneArgErrorHandling.LIBCMT ref: 00B851FD
                                                                • Part of subcall function 00B90250: __87except.LIBCMT ref: 00B9028B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ErrorHandling__87except__start
                                                              • String ID: pow
                                                              • API String ID: 2905807303-2276729525
                                                              • Opcode ID: 87f7f157acfeeb3401fbe27ea21adc28c318e918520ebd511e45f329bbf0e20a
                                                              • Instruction ID: 4f249bd667e80ffec0a7a799f3236bad290002e7f4889c3e3dd8fe839017251b
                                                              • Opcode Fuzzy Hash: 87f7f157acfeeb3401fbe27ea21adc28c318e918520ebd511e45f329bbf0e20a
                                                              • Instruction Fuzzy Hash: 27515761A2C602DBDF21BB14C98537E7BD4EB40750F2089F8E096862B5EE348CD4DB5A
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$+
                                                              • API String ID: 0-2552117581
                                                              • Opcode ID: 5e26dccc42448309dfc867582a88dcea9f126e657a7581fdb6110c9bad9f3afb
                                                              • Instruction ID: b6beceff6b10ceb762d3df0be029d1d4c1ac692d8d21c115ccd6ce306165c9c0
                                                              • Instruction Fuzzy Hash: 9651117150421ADFDF25AF28C480AFA7BE4EF65310F144096EC919B2A0DB78DD66CB60
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: _memset$_memmove
                                                              • String ID: ERCP
                                                              • API String ID: 2532777613-1384759551
                                                              • Opcode ID: f6cb2a7a1795b180cbb6657abc6cf902af885323f3197e3076a34e43f287836e
                                                              • Instruction ID: ebdd1feb4ba3763ee0fabfdf695a42fd29aa932e60575234788d02ef4fd6241c
                                                              • Instruction Fuzzy Hash: FB51C1B0900705DFCB24DF65C8917AABBF4EF04350F2485AEE45ADB241E770EA45CB41
                                                              APIs
                                                                • Part of subcall function 00BC1B27: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BB9C31,?,?,00000034,00000800,?,00000034), ref: 00BC1B51
                                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00BBA1DA
                                                                • Part of subcall function 00BC1AF2: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BB9C60,?,?,00000800,?,00001073,00000000,?,?), ref: 00BC1B1C
                                                                • Part of subcall function 00BC1A49: GetWindowThreadProcessId.USER32(?,?), ref: 00BC1A74
                                                                • Part of subcall function 00BC1A49: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BB9BF5,00000034,?,?,00001004,00000000,00000000), ref: 00BC1A84
                                                                • Part of subcall function 00BC1A49: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BB9BF5,00000034,?,?,00001004,00000000,00000000), ref: 00BC1A9A
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BBA247
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BBA294
                                                              Strings
                                                              Similarity
                                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                              • String ID: @
                                                              • API String ID: 4150878124-2766056989
                                                              • Opcode ID: fd979d21df78ebb8eaa9a3cd73ebf0cebe3608d22c6d40567943d45a63fa00ed
                                                              • Instruction ID: cd229d5037f6b84241e8b0f1bec48e764a83f67b75863222d7b66bf9f20d4f29
                                                              • Instruction Fuzzy Hash: B6413C72901218BFDB10DB98CC81EEEBBB8EB49300F004099F955B7191DA716E49CB61
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BE784E
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BE7862
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00BE7886
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend$Window
                                                              • String ID: SysMonthCal32
                                                              • API String ID: 2326795674-1439706946
                                                              • Opcode ID: 3526f17737bc6c71abe91a82e4201968d98e2f6a436f55eadd69ad928c58d67b
                                                              • Instruction ID: fb9bfbf7101493f689b204eab3085c6bd7406269bc6c6188383e091534e46ba3
                                                              • Instruction Fuzzy Hash: 4721DD32644218BBDF218E91CC46FEA3BA9EF88714F110254FE586B190DBB1AC50DBA0
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BE7128
                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BE7138
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BE715D
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend$MoveWindow
                                                              • String ID: Listbox
                                                              • API String ID: 3315199576-2633736733
                                                              • Opcode ID: 13de312bda694ebf9d888edd087eb8600405cdcd90035c405d3cad46770f5306
                                                              • Instruction ID: 15a3a84f45c13d2d39c2fa2447d1bb532c1415e826c7cd120bfded9e4913f742
                                                              • Instruction Fuzzy Hash: 34210432254208BFDF119F55CC45FBB37EAEF89760F018164FA04AB191CB71AC519BA0
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BE7B5F
                                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BE7B74
                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BE7B81
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: msctls_trackbar32
                                                              • API String ID: 3850602802-1010561917
                                                              • Opcode ID: a451d865ac9478a9e626b3e45a91369b97edcff625b5d94bcd41c3098ab67ea3
                                                              • Instruction ID: 993d8a0233afa5b3cf5ef4eee6a252f89020888873721de8a436598a639d4ed5
                                                              • Instruction Fuzzy Hash: C111C132244248BBEB209F71CC46FEB37A9EF89B68F114118FA55A7090D771A851DB20
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00BA01AA,?), ref: 00BDC4AF
                                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00BDC4C1
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                              • API String ID: 2574300362-1816364905
                                                              • Opcode ID: cec3ab161327cd62d1cda1415c69c280c165d87bdf1e3da82bae5fbe7c11b9c3
                                                              • Instruction ID: 4b7b1353c7a55f3fa8bcf4e25d7ab293560c689922ac08ae72a1d4ccf0d5b644
                                                              • Instruction Fuzzy Hash: 49E086395117038BE7205B25C914B61BAE4FF14755B5084AAE48AD3331E770D440CA10
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00B74AF7,?), ref: 00B74BB8
                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B74BCA
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                              • API String ID: 2574300362-1355242751
                                                              • Opcode ID: 7d7821203d07ad9ef7628c6073b045a78bb0d0caaf18ed082b5a8e9ddd551160
                                                              • Instruction ID: a2f3182a08c9ab1c67d7643ab2c868696325cd3483c14e37cdd47b1dfc006815
                                                              • Instruction Fuzzy Hash: 24D0C7305203128FD320AF30DC08B16B2E5AF01342B00CCAAE49AE3662EBB0C980DA00
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00B74B44,?,00B749D4,?,?,00B727AF,?,00000001), ref: 00B74B85
                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B74B97
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                              • API String ID: 2574300362-3689287502
                                                              • Opcode ID: 688b9f7a4c1e8bb0287a0ec64eb0837e218c6c729a8ea2f8505fca9f1a4e7f27
                                                              • Instruction ID: 8cbefbc78206d203c7d1144c4ea5498383c3fc54dde7218aaeff10c28eed849b
                                                              • Instruction Fuzzy Hash: ABD01270520713CFD720AF35DC1875676E4AF05751F51C8B9E495E3261EB70D884C610
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00BE145E), ref: 00BE121D
                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BE122F
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                              • API String ID: 2574300362-4033151799
                                                              • Opcode ID: 3c23c042b765fdcb73f6c9b0faf375147c6f031c624d4aeea2ac057c3b9265f3
                                                              • Instruction ID: 7aa3aeadf8c3a5914c8c18065b8e5296d2534d54142c24f56bc8a1c36e7d85b6
                                                              • Instruction Fuzzy Hash: 43D0C2304517138FC3209F76CC08256B7E4EF21342B108D39A481E7160DB70C4C0C600
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00BD91A6,?,00BF0980), ref: 00BD95A0
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BD95B2
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetModuleHandleExW$kernel32.dll
                                                              • API String ID: 2574300362-199464113
                                                              • Opcode ID: 30a3d9a96a3aa81f2dce9123a0dac3f0caae6103374f4caaaefa724ab9ebc791
                                                              • Instruction ID: 5f9aad99a75a5550a6823ef518df525de78d3b937bb272c8db7fb6a0a87063cd
                                                              • Instruction Fuzzy Hash: 00D01770520712DFDB21AF75DC18B56B6E4EF1535AF11CC7AE886E32A1EBB0C980CA10
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00B75E3D), ref: 00B755FE
                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B75610
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                              • API String ID: 2574300362-192647395
                                                              • Opcode ID: f4148a62241388c168353df80c73faf3f367c0a2ee1f07bfb7ad35a58983ea05
                                                              • Instruction ID: bc9273f981d9c1a496de43e994b8a846ed05530d6dff7cba7befb15b8075b548
                                                              • Opcode Fuzzy Hash: f4148a62241388c168353df80c73faf3f367c0a2ee1f07bfb7ad35a58983ea05
                                                              • Instruction Fuzzy Hash: 9ED012745307138FD7306F35CC0862676E5AF04355F51C869E495D3172FAB0C480C650
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
• Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd1cab7b57ee803467b3a58263e718a6c40209ca093a334f952f9c66b63fbcf2
• Instruction ID: e3257ffb9bb91e309d5dd8fb994c610f20e9828f3433ecf5b874882c226b8466
• Opcode Fuzzy Hash: dd1cab7b57ee803467b3a58263e718a6c40209ca093a334f952f9c66b63fbcf2
• Instruction Fuzzy Hash: 4BC12A75A44216EFCB14CFA4C884ABABBF9FF88714B1185D8E805EB251DB70ED41DB90
APIs
• CharLowerBuffW.USER32(?,?), ref: 00BDE56F
• CharLowerBuffW.USER32(?,?), ref: 00BDE5B2
  • Part of subcall function 00BDDC56: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00BDDC76
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00BDE7B2
• _memmove.LIBCMT ref: 00BDE7C5
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
• Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
• Opcode ID: 6a3dc23fc4eb5977a7b857965dcdf34d97d878992b8928bdb49e46f0792cbd53
• Instruction ID: 01f105eda006fafa7c207af0b650c7dcfd6430032a127e24c1ad2f6f995dab63
• Opcode Fuzzy Hash: 6a3dc23fc4eb5977a7b857965dcdf34d97d878992b8928bdb49e46f0792cbd53
• Instruction Fuzzy Hash: 5BC15971A043019FC754EF28C48096AFBE4FF89718F0489AEF8A99B351E731E945CB91
APIs
• CoInitialize.OLE32(00000000), ref: 00BD8575
• CoUninitialize.OLE32 ref: 00BD8580
  • Part of subcall function 00BEDC66: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00BD87D6,?,00000000), ref: 00BEDCCE
• VariantInit.OLEAUT32(?), ref: 00BD858B
• VariantClear.OLEAUT32(?), ref: 00BD885C
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
• Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
• Opcode ID: b770b31fda90bbc6a4f226da7fac57401e6bb40a70762758370aef3535d3bbf5
• Instruction ID: 507ca7345a4c7dac0cc60c9d325c96d2b720f10c76212e01137e5ceb6e07fcc5
• Opcode Fuzzy Hash: b770b31fda90bbc6a4f226da7fac57401e6bb40a70762758370aef3535d3bbf5
• Instruction Fuzzy Hash: 3EA13575604B01AFD711EF14C481B2AB7E4FF89364F148899F9999B3A2DB34ED04CB92
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
• Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: d7697b1b00c02af46b262afbdd20e7445a72564fbf0393bf12e9fc708371cc14
• Instruction ID: 6bc03e62e6f58ce77b0fd1ce6519675e95d6655a56072ba4d822b8eccd3d6d59
• Opcode Fuzzy Hash: d7697b1b00c02af46b262afbdd20e7445a72564fbf0393bf12e9fc708371cc14
• Instruction Fuzzy Hash: 9251C4306887029FDB20AF65D8D1ABDB7E9EF94311F20889FE546DB3A1DEB09840C711
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00BDF2EE
• Process32FirstW.KERNEL32(00000000,?), ref: 00BDF2FC
  • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
• Process32NextW.KERNEL32(00000000,?), ref: 00BDF3BC
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 00BDF3CB
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
• Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
• Opcode ID: 6a04112fe5a431cfd9f7360b24921af157f3ff56349cd91b2721d53564a08ca0
• Instruction ID: bd3650a521f9f36b9ae286e090d777ee0279f51898c61da19ccd19ba1609ec83
• Opcode Fuzzy Hash: 6a04112fe5a431cfd9f7360b24921af157f3ff56349cd91b2721d53564a08ca0
• Instruction Fuzzy Hash: 3D518FB1508711AFD310EF24DC81A6BB7E8EF95750F00496EF596972A2EB70E904CB92
APIs
• GetWindowRect.USER32(?,?), ref: 00BE9C50
• ScreenToClient.USER32(00000002,00000002), ref: 00BE9C83
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00BE9CF0
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
• Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: b60cb1c81ee97e0df3b083e6dab8d4e0d60fb9c200be4f8de3a5bc24942b6a71
• Instruction ID: 27362c40f254d06911a6952e2036bbc13e6d3162e807fce821bc7d212f096cdf
• Opcode Fuzzy Hash: b60cb1c81ee97e0df3b083e6dab8d4e0d60fb9c200be4f8de3a5bc24942b6a71
• Instruction Fuzzy Hash: 01512F34A00149EFDF24DF65C880AAE7BF6FF45320F2081A9F855972A1DB30AD95CB90
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
• Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
• Instruction ID: fd5ffae57674a4feac1eebf9df1ba466ecefea037a8405859504a96ab7a1dff9
• Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
• Instruction Fuzzy Hash: 7141D371A007479FDB28EEA9C88096F7BE6EF84364B2485BDE855C7660EB70DD40CB40
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00BBA46D
• __itow.LIBCMT ref: 00BBA49E
  • Part of subcall function 00BBA6EE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00BBA759
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 00BBA507
• __itow.LIBCMT ref: 00BBA55E
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
• Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: 18801ac2d791aff29d4a5252fd9e6f8851e4776e41a3d90d35fcc14c726323d3
• Instruction ID: 1b9d1459477526dae82013f9cfb28f89fc813c3ead8cac3c6cad9be252f0d881
• Opcode Fuzzy Hash: 18801ac2d791aff29d4a5252fd9e6f8851e4776e41a3d90d35fcc14c726323d3
• Instruction Fuzzy Hash: C4419170E00209ABDF21EF58C855BFE7BF9EF54750F0040A9F919A3291DBB09A45CB62
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00BD6E81
• WSAGetLastError.WSOCK32(00000000), ref: 00BD6E91
  • Part of subcall function 00B64D37: __itow.LIBCMT ref: 00B64D62
  • Part of subcall function 00B64D37: __swprintf.LIBCMT ref: 00B64DAC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00BD6EF5
• WSAGetLastError.WSOCK32(00000000), ref: 00BD6F01
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
• Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
• Opcode ID: 861b27665789114b663888a9b88b230010a0f1cee7cd3ad5c937382a5917416c
• Instruction ID: 9839700248a1cad0e1746771591609ea60a3a435228e04d22fe093b7709e2ded
• Opcode Fuzzy Hash: 861b27665789114b663888a9b88b230010a0f1cee7cd3ad5c937382a5917416c
• Instruction Fuzzy Hash: 8141A075750600AFEB21BF24DC86F7A77E8DB05B54F148498FA199B3D2DB789C008B91
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00BF0980), ref: 00BD6957
• _strlen.LIBCMT ref: 00BD6989
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
• Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
• Opcode ID: 296a47a52df5c95a7f231f63b5b048ae795cdb52cb3643a11a5e67c2f1d2bc5b
• Instruction ID: 3aad808bfc4dad632eed44a8f0bd704483fef1355544f03ea0de425c3f418871
• Opcode Fuzzy Hash: 296a47a52df5c95a7f231f63b5b048ae795cdb52cb3643a11a5e67c2f1d2bc5b
• Instruction Fuzzy Hash: 2B419731A00114ABC715FB64DC91EBEF7E9EF44310F148196F51A97392EB34AD04C750
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00BCBD4E
• GetLastError.KERNEL32(?,00000000), ref: 00BCBD74
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00BCBD99
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00BCBDC5
Memory Dump Source
• Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
• Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: f6cca5e283bbbf0d7cbfb7a5a868570b5da0411c23f14932fc004509f4f1779e
• Instruction ID: 7dbcdcf9f63ea30baea42c841b873e3a6ee9945e1e500135aa62151d9477ad85
• Opcode Fuzzy Hash: f6cca5e283bbbf0d7cbfb7a5a868570b5da0411c23f14932fc004509f4f1779e
• Instruction Fuzzy Hash: 8541E435600A15DFCB11EF55C485E5EBBE5EF49320B1984D8E84A9B362CB34ED41CB91
                                                              APIs
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BE8CCB
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: InvalidateRect
                                                              • String ID:
                                                              • API String ID: 634782764-0
                                                              • Opcode ID: 42c2696e19ba1dcfb6ba3734fbedf301fa45ff1c0154287d5e1d7c4e704227a0
                                                              • Instruction ID: 561d90e36d84ce38c903f49f3c57695072b2a71f145873facefc04c45cf39cce
                                                              • Opcode Fuzzy Hash: 42c2696e19ba1dcfb6ba3734fbedf301fa45ff1c0154287d5e1d7c4e704227a0
                                                              • Instruction Fuzzy Hash: 34310834201988BFEF249B16CC85FA937E5FB16310F2085A6F919E72E1CF319940EB61
                                                              APIs
                                                              • ClientToScreen.USER32(?,?), ref: 00BEAF4D
                                                              • GetWindowRect.USER32(?,?), ref: 00BEAFC3
                                                              • PtInRect.USER32(?,?,00BEC437), ref: 00BEAFD3
                                                              • MessageBeep.USER32(00000000), ref: 00BEB044
                                                              Similarity
                                                              • API ID: Rect$BeepClientMessageScreenWindow
                                                              • String ID:
                                                              • API String ID: 1352109105-0
                                                              • Opcode ID: 63c5875d44244d8b597d0bbe2b71f218cf93dbad187ea180a1e11ca7c683c49a
                                                              • Instruction ID: 8024f31fab058619bf6155dcbbc361f11e509fa2694869421037ed7a0ecf8db1
                                                              • Opcode Fuzzy Hash: 63c5875d44244d8b597d0bbe2b71f218cf93dbad187ea180a1e11ca7c683c49a
                                                              • Instruction Fuzzy Hash: 6B415870600295DFCB21DF5AC894FAE7BF5FB49310F1481E9E425DB262C731A841DB91
                                                              APIs
                                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00BC1192
                                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00BC11AE
                                                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00BC1214
                                                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00BC1266
                                                              Similarity
                                                              • API ID: KeyboardState$InputMessagePostSend
                                                              • String ID:
                                                              • API String ID: 432972143-0
                                                              • Opcode ID: c14d53692dc88fb96b73880c78c7f3d931dc612624eb3ab4b0936397dea56b47
                                                              • Instruction ID: dd87670821a987e6fca451fe1b915c68e4de35662107c1dcf3dd3591dcc087a7
                                                              • Opcode Fuzzy Hash: c14d53692dc88fb96b73880c78c7f3d931dc612624eb3ab4b0936397dea56b47
                                                              • Instruction Fuzzy Hash: A6314874990208AEFF209A298C04FF9BBE9EB47310F18468EE980F61D2C3788D519761
                                                              APIs
                                                              • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00BC12D1
                                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00BC12ED
                                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00BC134C
                                                              • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00BC139E
                                                              Similarity
                                                              • API ID: KeyboardState$InputMessagePostSend
                                                              • String ID:
                                                              • API String ID: 432972143-0
                                                              • Opcode ID: 9e4672f5b9781866dec6fffa59ad6e5fb5342ebaae8f576667d8a9956ef595c2
                                                              • Instruction ID: 66e10214562b0401deadaaf1bdc927752c63e8e7f856853f13eb6d1c47e1f466
                                                              • Opcode Fuzzy Hash: 9e4672f5b9781866dec6fffa59ad6e5fb5342ebaae8f576667d8a9956ef595c2
                                                              • Instruction Fuzzy Hash: C3316B30E40288BEFF248A6C8C04FFA7BE9EBC6314F48468EE480665D3C37489559759
                                                              APIs
                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B9635B
                                                              • __isleadbyte_l.LIBCMT ref: 00B96389
                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B963B7
                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B963ED
                                                              Similarity
                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                              • String ID:
                                                              • API String ID: 3058430110-0
                                                              • Opcode ID: 0860db5ded6e3f672ce085411bcfdbe35d7c988e0d547349d7788e42ec0c0847
                                                              • Instruction ID: cdd50b843ec1db1d2b245d349c0d81a7a781414f98505bd66a0907cf7d570442
                                                              • Opcode Fuzzy Hash: 0860db5ded6e3f672ce085411bcfdbe35d7c988e0d547349d7788e42ec0c0847
                                                              • Instruction Fuzzy Hash: B631AF31608256AFDF219F79C884AAA7BF5FF41310F1540B8F824871A1E731D950DB94
                                                              APIs
                                                              • GetForegroundWindow.USER32 ref: 00BE5307
                                                                • Part of subcall function 00BC39A1: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BC39BB
                                                                • Part of subcall function 00BC39A1: GetCurrentThreadId.KERNEL32 ref: 00BC39C2
                                                                • Part of subcall function 00BC39A1: AttachThreadInput.USER32(00000000,?,00BC542D), ref: 00BC39C9
                                                              • GetCaretPos.USER32(?), ref: 00BE5318
                                                              • ClientToScreen.USER32(00000000,?), ref: 00BE5353
                                                              • GetForegroundWindow.USER32 ref: 00BE5359
                                                              Similarity
                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                              • String ID:
                                                              • API String ID: 2759813231-0
                                                              • Opcode ID: 6246fd37769038dce6ce2a784445f5ea4ae6a49f0788b02effe0786deb5895a9
                                                              • Instruction ID: f369f1d6535dc11612d835b56cc4453324352c13ce0af19e7c4186c02e0df66a
                                                              • Opcode Fuzzy Hash: 6246fd37769038dce6ce2a784445f5ea4ae6a49f0788b02effe0786deb5895a9
                                                              • Instruction Fuzzy Hash: 0A314E71D00108AFDB10EFA5C8819EFB7FDEF55304F1040AAE415E7241DBB5AE008BA1
                                                              APIs
                                                                • Part of subcall function 00B629E2: GetWindowLongW.USER32(?,000000EB), ref: 00B629F3
                                                              • GetCursorPos.USER32(?), ref: 00BEC8F5
                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B9BC1C,?,?,?,?,?), ref: 00BEC90A
                                                              • GetCursorPos.USER32(?), ref: 00BEC957
                                                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B9BC1C,?,?,?), ref: 00BEC991
                                                              Similarity
                                                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                              • String ID:
                                                              • API String ID: 2864067406-0
                                                              • Opcode ID: 8397415140b539a0ab17eaf0b517c064ca2cc358d13eaa2733d460cc1dd75250
                                                              • Instruction ID: 2f2eb4bc8e088003aeb8fb5a0b9ff506c20c249fe9aaea4f721254f7aad26764
                                                              • Opcode Fuzzy Hash: 8397415140b539a0ab17eaf0b517c064ca2cc358d13eaa2733d460cc1dd75250
                                                              • Instruction Fuzzy Hash: 9131F239600158AFCB228F55C894EFA7FF5EB4A310F5041A9F9058B2A2C7315D52DFA0
                                                              APIs
                                                              • __setmode.LIBCMT ref: 00B80B0D
                                                                • Part of subcall function 00B7402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BC7CBE,?,?,00000000), ref: 00B74041
                                                                • Part of subcall function 00B7402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BC7CBE,?,?,00000000,?,?), ref: 00B74065
                                                              • _fprintf.LIBCMT ref: 00B80B44
                                                              • OutputDebugStringW.KERNEL32(?), ref: 00BB672F
                                                                • Part of subcall function 00B84BFA: _flsall.LIBCMT ref: 00B84C13
                                                              • __setmode.LIBCMT ref: 00B80B79
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                              • String ID:
                                                              • API String ID: 521402451-0
                                                              • Opcode ID: ef601646fd0d991846c2f8fabde28fd7f14990ea5c8af951e851e5518a44e3d4
                                                              • Instruction ID: ee555ee72cf4e2d4cd73db96499ea95578e190d59e3f70fb3682614dbe68ae57
                                                              • Opcode Fuzzy Hash: ef601646fd0d991846c2f8fabde28fd7f14990ea5c8af951e851e5518a44e3d4
                                                              • Instruction Fuzzy Hash: A4110232904205BFCA14B7A89C42EBEBBE8DF46320F1441EAF204971A2EF615C46C7A4
                                                              APIs
                                                                • Part of subcall function 00BB8B0B: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BB8B22
                                                                • Part of subcall function 00BB8B0B: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8B2C
                                                                • Part of subcall function 00BB8B0B: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8B3B
                                                                • Part of subcall function 00BB8B0B: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8B42
                                                                • Part of subcall function 00BB8B0B: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8B58
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BB90A4
                                                              • _memcmp.LIBCMT ref: 00BB90C7
                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BB90FD
                                                              • HeapFree.KERNEL32(00000000), ref: 00BB9104
                                                              Similarity
                                                              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                              • String ID:
                                                              • API String ID: 1592001646-0
                                                              • Opcode ID: 4400a2a588d3c7ebc85a6b868484c308b62f1582876add780a1696ea782d3bf8
                                                              • Instruction ID: 872c85dac67c13019d18c66b6d9e2230ff164c67c0c4b4a922283381b47d51d4
                                                              • Opcode Fuzzy Hash: 4400a2a588d3c7ebc85a6b868484c308b62f1582876add780a1696ea782d3bf8
                                                              • Instruction Fuzzy Hash: 6521BD32E00109AFDB10EFA9C985BFEB7F8EF44300F444099E904A7251EBB1AA05CB50
                                                              APIs
                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BD1C53
                                                                • Part of subcall function 00BD1CDD: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BD1CFC
                                                                • Part of subcall function 00BD1CDD: InternetCloseHandle.WININET(00000000), ref: 00BD1D99
                                                              Similarity
                                                              • API ID: Internet$CloseConnectHandleOpen
                                                              • String ID:
                                                              • API String ID: 1463438336-0
                                                              • Opcode ID: fa107686b4780f961492ea0804563bb82aa99f5ee5aaafad0449667b254b1e04
                                                              • Instruction ID: 6194fdd5dfbcfdcaad6f005cf71d280165687e399a5acc9ce0467362a4d208f8
                                                              • Opcode Fuzzy Hash: fa107686b4780f961492ea0804563bb82aa99f5ee5aaafad0449667b254b1e04
                                                              • Instruction Fuzzy Hash: 1E21B075250601BBDB11AF648D01BBAF7E9FF84700F18045BFA459B761EB71A811ABA0
                                                              APIs
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 00BE6185
                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BE619F
                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BE61AD
                                                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00BE61BB
                                                              Similarity
                                                              • API ID: Window$Long$AttributesLayered
                                                              • String ID:
                                                              • API String ID: 2169480361-0
                                                              • Opcode ID: 91e0c350ae6a9a067bc33717656863b3d0c95011d9f50fd0c987d725e54fa05d
                                                              • Instruction ID: 99799885ae99d519dfe2d046001f75eba8e1487c4ec8ca910a7ceb6209ce545b
                                                              • Opcode Fuzzy Hash: 91e0c350ae6a9a067bc33717656863b3d0c95011d9f50fd0c987d725e54fa05d
                                                              • Instruction Fuzzy Hash: 7C110035300504AFDB06AB15CC45FBE7BE8EF95360F044198F826DB2E2CBA8AD00CB91
                                                              APIs
                                                                • Part of subcall function 00BBF63B: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00BBE252,?,?,?,00BBF045,00000000,000000EF,00000119,?,?), ref: 00BBF64A
                                                                • Part of subcall function 00BBF63B: lstrcpyW.KERNEL32(00000000,?), ref: 00BBF670
                                                                • Part of subcall function 00BBF63B: lstrcmpiW.KERNEL32(00000000,?,00BBE252,?,?,?,00BBF045,00000000,000000EF,00000119,?,?), ref: 00BBF6A1
                                                              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00BBF045,00000000,000000EF,00000119,?,?,00000000), ref: 00BBE26B
                                                              • lstrcpyW.KERNEL32(00000000,?), ref: 00BBE291
                                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,00BBF045,00000000,000000EF,00000119,?,?,00000000), ref: 00BBE2C5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: lstrcmpilstrcpylstrlen
                                                              • String ID: cdecl
                                                              • API String ID: 4031866154-3896280584
                                                              • Opcode ID: 78cb942412840c8a6916e829c274170a0aa94c025a48cae35e828d90f257986f
                                                              • Instruction ID: 845ad1f70c17c5e5a5e24b5a5406f4f090e232087c7615ac129762ee71aca9c1
                                                              • Opcode Fuzzy Hash: 78cb942412840c8a6916e829c274170a0aa94c025a48cae35e828d90f257986f
                                                              • Instruction Fuzzy Hash: 5A11AC36200305ABDB25AF24D8459FA77E8EF45350B40816AF806CB2B0EBB1D851D7A0
                                                              APIs
                                                              • _free.LIBCMT ref: 00B95261
                                                                • Part of subcall function 00B8586C: __FF_MSGBANNER.LIBCMT ref: 00B85883
                                                                • Part of subcall function 00B8586C: __NMSG_WRITE.LIBCMT ref: 00B8588A
                                                                • Part of subcall function 00B8586C: RtlAllocateHeap.NTDLL(016F0000,00000000,00000001,?,00000004,?,?,00B80F33,?), ref: 00B858AF
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap_free
                                                              • String ID:
                                                              • API String ID: 614378929-0
                                                              • Opcode ID: 9b605825cf5c0046bca3f2f3c7ee32c1f59810ff9d97fd037f2fc626713f9cde
                                                              • Instruction ID: 3e4719b6b86aed079a170b370e1cbd915fa00bc5a721b042174bb2ac3d477dbe
                                                              • Opcode Fuzzy Hash: 9b605825cf5c0046bca3f2f3c7ee32c1f59810ff9d97fd037f2fc626713f9cde
                                                              • Instruction Fuzzy Hash: 4411E032886A15ABCF323F70AC4466E3BD8EF16360B2044BAF9459B171DE308940CBA4
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00BC41F2
                                                              • _memset.LIBCMT ref: 00BC4213
                                                              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00BC4265
                                                              • CloseHandle.KERNEL32(00000000), ref: 00BC426E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CloseControlCreateDeviceFileHandle_memset
                                                              • String ID:
                                                              • API String ID: 1157408455-0
                                                              • Opcode ID: 5960a0f9c3004f2929c3c4a458e7e925766ba8aef8d4c67e6e183b9d7a5af20c
                                                              • Instruction ID: 187f90622d5a11ea9fdeace999830552992d4c2ec14b24ae9fde4ea477fb1f34
                                                              • Opcode Fuzzy Hash: 5960a0f9c3004f2929c3c4a458e7e925766ba8aef8d4c67e6e183b9d7a5af20c
                                                              • Instruction Fuzzy Hash: 2C1186759112287AD720ABA59C4DFABBBBCEB45760F10419AF908A7190D6744F80CAA4
                                                              APIs
                                                                • Part of subcall function 00B7402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BC7CBE,?,?,00000000), ref: 00B74041
                                                                • Part of subcall function 00B7402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BC7CBE,?,?,00000000,?,?), ref: 00B74065
                                                              • gethostbyname.WSOCK32(?,?,?), ref: 00BD6849
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BD6854
                                                              • _memmove.LIBCMT ref: 00BD6881
                                                              • inet_ntoa.WSOCK32(?), ref: 00BD688C
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                              • String ID:
                                                              • API String ID: 1504782959-0
                                                              • Opcode ID: aa554b9886184c20ac5e19ace2f1b80d4189ce97074b80eea573c440d7174f6a
                                                              • Instruction ID: 4b401471fe72068b9d43dbfbd0891534883291fd110a8104acc70ab792224b01
                                                              • Opcode Fuzzy Hash: aa554b9886184c20ac5e19ace2f1b80d4189ce97074b80eea573c440d7174f6a
                                                              • Instruction Fuzzy Hash: 2D1154715001099FCB05FBA4DD46CEEB7F8EF04311B1480A5F505A72A2DF319E04DB61
                                                              APIs
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00BB94FC
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BB950E
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BB9524
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BB953F
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 0dcf2e3c9af2291b0ad72544d3b5740bbfe1777595792db4f220342486005ab7
                                                              • Instruction ID: 04bc97126e462766e2302da253b1e30415adaea6ff454ea5f4fd426629744090
                                                              • Opcode Fuzzy Hash: 0dcf2e3c9af2291b0ad72544d3b5740bbfe1777595792db4f220342486005ab7
                                                              • Instruction Fuzzy Hash: 8F114C39940218FFDB11DF95C885FEDBBB4FB48310F204095EA00B7250D671AE10DB90
                                                              APIs
                                                                • Part of subcall function 00B629E2: GetWindowLongW.USER32(?,000000EB), ref: 00B629F3
                                                              • DefDlgProcW.USER32(?,00000020,?), ref: 00B616B4
                                                              • GetClientRect.USER32(?,?), ref: 00B9B86C
                                                              • GetCursorPos.USER32(?), ref: 00B9B876
                                                              • ScreenToClient.USER32(?,?), ref: 00B9B881
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Client$CursorLongProcRectScreenWindow
                                                              • String ID:
                                                              • API String ID: 4127811313-0
                                                              • Opcode ID: 7c1f07781fde755c17a8cde1c1806ec62084dee16f2fc1778e7ed31866f709f1
                                                              • Instruction ID: c08d10c25b87d1b64755cab8681d450c8854e58eb6ac9f92a1412a22d77a9184
                                                              • Opcode Fuzzy Hash: 7c1f07781fde755c17a8cde1c1806ec62084dee16f2fc1778e7ed31866f709f1
                                                              • Instruction Fuzzy Hash: 73112579A1015AABCB10EFA8D885DBE77F8FB04300F580895F942E7161CB34BA51CBA1
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B6214F
                                                              • GetStockObject.GDI32(00000011), ref: 00B62163
                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6216D
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CreateMessageObjectSendStockWindow
                                                              • String ID:
                                                              • API String ID: 3970641297-0
                                                              • Opcode ID: ad1c9391c6587ae1f4bea451509b88d6b79908b8df12d0d1179e4225182eeeab
                                                              • Instruction ID: ddc7ca1258b63a0b939eb6f7cc87d95b8df72a7f7b57a6d623b5c2e6a0c8e6df
                                                              • Opcode Fuzzy Hash: ad1c9391c6587ae1f4bea451509b88d6b79908b8df12d0d1179e4225182eeeab
                                                              • Instruction Fuzzy Hash: CD11AD72505909BFEF125F90DC80EEA7BA9FF59394F040152FB1462020CB35DC61DBA0
                                                              APIs
                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00BC0358,?,00BC13AB,?,00008000), ref: 00BC17CA
                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00BC0358,?,00BC13AB,?,00008000), ref: 00BC17EF
                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00BC0358,?,00BC13AB,?,00008000), ref: 00BC17F9
                                                              • Sleep.KERNEL32(?,?,?,?,?,?,?,00BC0358,?,00BC13AB,?,00008000), ref: 00BC182C
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CounterPerformanceQuerySleep
                                                              • String ID:
                                                              • API String ID: 2875609808-0
                                                              • Opcode ID: 40cf685957124ada80d2f1aec561940ca310654664947e4eb4f90512a31cf2de
                                                              • Instruction ID: 5184ee90f3c52522802a76cc748b3c14ac10acdfd31f579deb99ee379f1f9faa
                                                              • Opcode Fuzzy Hash: 40cf685957124ada80d2f1aec561940ca310654664947e4eb4f90512a31cf2de
                                                              • Instruction Fuzzy Hash: 2A112E71D05519DBCF00EFA8D984BEEBBB8FF0A711F41449AE941B3151CB305A60CB91
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                              • String ID:
                                                              • API String ID: 3016257755-0
                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                              • Instruction ID: 9dc6e8f2c1f4d9b81f636131b734c5c815bf112b5656e4fe291bcb0941514a1b
                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                              • Instruction Fuzzy Hash: C601803209415ABBCF125F84DC45CEE3FA6FF18344B5884A5FA1868131CB36C9B1EB81
                                                              APIs
                                                              • GetWindowRect.USER32(?,?), ref: 00BEB6D1
                                                              • ScreenToClient.USER32(?,?), ref: 00BEB6E9
                                                              • ScreenToClient.USER32(?,?), ref: 00BEB70D
                                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BEB728
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ClientRectScreen$InvalidateWindow
                                                              • String ID:
                                                              • API String ID: 357397906-0
                                                              • Opcode ID: a7fd490f39b246c5c884dff0a190f164487cf62c26a6b681f4587a57543ef420
                                                              • Instruction ID: a858aa48e7f6dec5d20e9b8d66af162f67271e63f9e9ec0cb70234da5ba4138c
                                                              • Opcode Fuzzy Hash: a7fd490f39b246c5c884dff0a190f164487cf62c26a6b681f4587a57543ef420
                                                              • Instruction Fuzzy Hash: E21143B9D00249EFDB41DF99D8849EEBBF9FB48310F104156E914E3620DB35AA65CF50
                                                              APIs
                                                              • _memset.LIBCMT ref: 00BEBA31
                                                              • _memset.LIBCMT ref: 00BEBA40
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00C27F20,00C27F64), ref: 00BEBA6F
                                                              • CloseHandle.KERNEL32 ref: 00BEBA81
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: _memset$CloseCreateHandleProcess
                                                              • String ID:
                                                              • API String ID: 3277943733-0
                                                              • Opcode ID: 4964695fee38826a107712f693ff4b0f9d86dc55d12b4824a3816bbd9aff4cbe
                                                              • Instruction ID: 7966c01c664881679d5af38230b9728e3fbd572e7decc0ed42563b51b8d2c682
                                                              • Instruction Fuzzy Hash: 90F05EF25583147BE62077A1AD86FBB3A9CEB08750F000160BB08D69B6DBB15C11C7A8
                                                              APIs
                                                              • EnterCriticalSection.KERNEL32(?), ref: 00BC700E
                                                                • Part of subcall function 00BC7AEC: _memset.LIBCMT ref: 00BC7B21
                                                              • _memmove.LIBCMT ref: 00BC7031
                                                              • _memset.LIBCMT ref: 00BC703E
                                                              • LeaveCriticalSection.KERNEL32(?), ref: 00BC704E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                                              • String ID:
                                                              • API String ID: 48991266-0
                                                              • Opcode ID: 8d9a76a26c1d6f33fee35033e0afef853aac5b5276f32b9e742d99f44179ce21
                                                              • Instruction ID: 19a6cdaf87890d227b310e8141b95b20f6cc6296c2560f805633ecbf35df6a3b
                                                              • Instruction Fuzzy Hash: F0F0547A100104ABCF417F55DC85E5ABB69EF45360F08C095FE085F227CB31A911DBB4
                                                              APIs
                                                                • Part of subcall function 00B616CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B61729
                                                                • Part of subcall function 00B616CF: SelectObject.GDI32(?,00000000), ref: 00B61738
                                                                • Part of subcall function 00B616CF: BeginPath.GDI32(?), ref: 00B6174F
                                                                • Part of subcall function 00B616CF: SelectObject.GDI32(?,00000000), ref: 00B61778
                                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00BEC163
                                                              • LineTo.GDI32(00000000,?,?), ref: 00BEC170
                                                              • EndPath.GDI32(00000000), ref: 00BEC180
                                                              • StrokePath.GDI32(00000000), ref: 00BEC18E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                              • String ID:
                                                              • API String ID: 1539411459-0
                                                              • Opcode ID: dbf74b57cf45f7dea4f33eb8b9413c38161743b60264d30f3802275e09e42292
                                                              • Instruction ID: cdd5610a86e0d453a9ccf7b90a593cf5f4d671cbedbc40daa43aaf63e717b109
                                                              • Instruction Fuzzy Hash: F8F05E32015259BADB126F65AC0AFDE3F99AF05311F084140FA10760F28B755552DBA9
                                                              APIs
                                                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00BBA852
                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00BBA865
                                                              • GetCurrentThreadId.KERNEL32 ref: 00BBA86C
                                                              • AttachThreadInput.USER32(00000000), ref: 00BBA873
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                              • String ID:
                                                              • API String ID: 2710830443-0
                                                              • Opcode ID: 4c2025e26907a2acc05a6076dacf7476d0a730cec81ac0ac2ea8e1d74686fda2
                                                              • Instruction ID: 731c07778c756d99bf4f35b4cb2a12a1b6a9c6df529aa2138b6a9baf2b0a0888
                                                              • Instruction Fuzzy Hash: ADE0303150522877EB212B629C0CEF73F5CEF127A1F008061F509D6461CAB1C551C7E0
                                                              APIs
                                                              • GetSysColor.USER32(00000008), ref: 00B6260D
                                                              • SetTextColor.GDI32(?,000000FF), ref: 00B62617
                                                              • SetBkMode.GDI32(?,00000001), ref: 00B6262C
                                                              • GetStockObject.GDI32(00000005), ref: 00B62634
                                                              • GetWindowDC.USER32(?,00000000), ref: 00B9C0F4
                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B9C101
                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 00B9C11A
                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 00B9C133
                                                              • GetPixel.GDI32(00000000,?,?), ref: 00B9C153
                                                              • ReleaseDC.USER32(?,00000000), ref: 00B9C15E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                              • String ID:
                                                              • API String ID: 1946975507-0
                                                              • Opcode ID: 5de2a0e8128dee047dc728258696173c64586ac3c42c31faebfa3f80030e52d3
                                                              • Instruction ID: ce4093a8355e2caa9c463f9d6686e5b8ef584b358d48c901c66c778bebc0883d
                                                              • Instruction Fuzzy Hash: 4AE06531510244AADF216F74BC097E83F50EB15331F1483A6FA69590F28B714690DB12
                                                              APIs
                                                              • GetCurrentThread.KERNEL32 ref: 00BB911C
                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,00BB8CE7), ref: 00BB9123
                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00BB8CE7), ref: 00BB9130
                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,00BB8CE7), ref: 00BB9137
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CurrentOpenProcessThreadToken
                                                              • String ID:
                                                              • API String ID: 3974789173-0
                                                              • Opcode ID: 02e847707d7d58414f0bb3e1981c351fe8a69d65e37e023b93d9346783e02729
                                                              • Instruction ID: 45eba8766c59c7e4ac9f3e4b53d94b4af1919dc65aea7a9a920dbc89b3ff3f77
                                                              • Instruction Fuzzy Hash: 60E08632611212ABD7602FB4AE0CBB63BACDF54791F114858B245DB061EE748545CB64
                                                              APIs
                                                              • GetDesktopWindow.USER32 ref: 00BA05A9
                                                              • GetDC.USER32(00000000), ref: 00BA05B3
                                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BA05D3
                                                              • ReleaseDC.USER32(?), ref: 00BA05F4
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                              • String ID:
                                                              • API String ID: 2889604237-0
                                                              • Opcode ID: e9aec14130230efa3992c0fb3ba73b5bcb07850bdb1a58cf45f2914d2e013282
                                                              • Instruction ID: 8059ae6a58f3dc80e6722d7ea13609a0a20654d4a38196cef8d431d70db9db9c
                                                              • Instruction Fuzzy Hash: F5E012B5810204EFCF02AFA0D848AAE7BF5EB9C350F108059F85AE7221DF388551DF50
                                                              APIs
                                                              • GetDesktopWindow.USER32 ref: 00BA05BD
                                                              • GetDC.USER32(00000000), ref: 00BA05C7
                                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BA05D3
                                                              • ReleaseDC.USER32(?), ref: 00BA05F4
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                              • String ID:
                                                              • API String ID: 2889604237-0
                                                              • Opcode ID: f61d19305e699c4a1fd63518450b4c7c9d0c602f53b895f07196a027dc309e78
                                                              • Instruction ID: af6b95ba6b74245cc1fbb99fbefe45db127a47839f44a6086cb379ee1c3551ad
                                                              • Instruction Fuzzy Hash: 2AE012B5810204AFCF01AFB0D808AAE7BF5AB8C350F108018F95AE7221DF389551CF50
                                                              APIs
                                                                • Part of subcall function 00B7436A: _wcscpy.LIBCMT ref: 00B7438D
                                                                • Part of subcall function 00B64D37: __itow.LIBCMT ref: 00B64D62
                                                                • Part of subcall function 00B64D37: __swprintf.LIBCMT ref: 00B64DAC
                                                              • __wcsnicmp.LIBCMT ref: 00BCB4DD
                                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00BCB5A6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                              • String ID: LPT
                                                              • API String ID: 3222508074-1350329615
                                                              • Opcode ID: 3a4ba325fd5d8af460375f10df3a0d19958e252d9e07166a4e7650d06f80b1c7
                                                              • Instruction ID: d6ea3ecf8d138140b5b9e59d719a1c81fc32fa80edde9a217b92a03f7ffb7665
                                                              • Instruction Fuzzy Hash: 82615F75A00219AFDB14EF94C892EAEB7F4EB19310F1480EDF516AB291DB74AE40CB54
                                                              APIs
                                                              • Sleep.KERNEL32(00000000), ref: 00B6E01E
                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00B6E037
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemorySleepStatus
                                                              • String ID: @
                                                              • API String ID: 2783356886-2766056989
                                                              • Opcode ID: 09893d8b834be26d9e98b4e12cc68e73a9f58534ff7ca649331a0fad67de68f7
                                                              • Instruction ID: 542fdf72eb986ee3421d0fb1a163ab7fd6f38f5c34eb3a445c1f855931623465
                                                              • Instruction Fuzzy Hash: 81515A71408B449BE320AF50E886BAFB7FCFF85314F41899DF1D8411A1DB759928CB16
                                                              APIs
                                                              • _memset.LIBCMT ref: 00BD2A4E
                                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00BD2A84
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CrackInternet_memset
                                                              • String ID: |
                                                              • API String ID: 1413715105-2343686810
                                                              • Opcode ID: d37277d3899a20fb56f3cc87b5ac659bf531e860bb4e3e2051280fd68fc6e5b7
                                                              • Instruction ID: 80f2e28161cbdffde2b6bf9ba3ebaa447b48c00b2cb5432c52990be0f5f307c4
                                                              • Instruction Fuzzy Hash: 5D313D71C00119ABDF11EFA4CC85AEEBFF9FF18304F10409AF819A6262EB715956DB60
                                                              APIs
                                                              • DestroyWindow.USER32(?,?,?,?), ref: 00BE6F04
                                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BE6F40
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$DestroyMove
                                                              • String ID: static
                                                              • API String ID: 2139405536-2160076837
                                                              APIs
                                                              • _memset.LIBCMT ref: 00BC2F24
                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BC2F5F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: InfoItemMenu_memset
                                                              • String ID: 0
                                                              • API String ID: 2223754486-4108050209
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BE6B4E
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BE6B59
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: Combobox
                                                              • API String ID: 3850602802-2096851135
                                                              APIs
                                                                • Part of subcall function 00B62111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B6214F
                                                                • Part of subcall function 00B62111: GetStockObject.GDI32(00000011), ref: 00B62163
                                                                • Part of subcall function 00B62111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6216D
                                                              • GetWindowRect.USER32(00000000,?), ref: 00BE705E
                                                              • GetSysColor.USER32(00000012), ref: 00BE7078
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                              • String ID: static
                                                              • API String ID: 1983116058-2160076837
                                                              APIs
                                                              • GetWindowTextLengthW.USER32(00000000), ref: 00BE6D8F
                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00BE6D9E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: LengthMessageSendTextWindow
                                                              • String ID: edit
                                                              • API String ID: 2978978980-2167791130
                                                              APIs
                                                              • _memset.LIBCMT ref: 00BC3036
                                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00BC3055
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: InfoItemMenu_memset
                                                              • String ID: 0
                                                              • API String ID: 2223754486-4108050209
                                                              APIs
                                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BD26DC
                                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00BD2705
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Internet$OpenOption
                                                              • String ID: <local>
                                                              • API String ID: 942729171-4266983199
                                                              APIs
                                                                • Part of subcall function 00BD84A8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00BD8265,?,00000000,?,?), ref: 00BD84BF
                                                              • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00BD8268
                                                              • htons.WSOCK32(00000000,?,00000000), ref: 00BD82A5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWidehtonsinet_addr
                                                              • String ID: 255.255.255.255
                                                              • API String ID: 2496851823-2422070025
                                                              APIs
                                                                • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
                                                                • Part of subcall function 00BBB57D: GetClassNameW.USER32(?,?,000000FF), ref: 00BBB5A0
                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BB980E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_memmove
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 372448540-1403004172
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: __fread_nolock_memmove
                                                              • String ID: EA06
                                                              • API String ID: 1988441806-3962188686
                                                              APIs
                                                                • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
                                                                • Part of subcall function 00BBB57D: GetClassNameW.USER32(?,?,000000FF), ref: 00BBB5A0
                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00BB9706
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_memmove
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 372448540-1403004172
                                                              APIs
                                                                • Part of subcall function 00B71A36: _memmove.LIBCMT ref: 00B71A77
                                                                • Part of subcall function 00BBB57D: GetClassNameW.USER32(?,?,000000FF), ref: 00BBB5A0
                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00BB9789
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_memmove
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 372448540-1403004172
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: ClassName_wcscmp
                                                              • String ID: #32770
                                                              • API String ID: 2292705959-463685578
                                                              • Opcode ID: 3fae1a04ece021227dae5045c0a45b433beb90f32244e71edcfe0c3e6cd3cb44
                                                              • Instruction ID: cac096be5ae555af2b23024b28e3234d95925651ba05c532d6e7e97f69e747aa
                                                              • Opcode Fuzzy Hash: 3fae1a04ece021227dae5045c0a45b433beb90f32244e71edcfe0c3e6cd3cb44
                                                              • Instruction Fuzzy Hash: 97E02B3290422826D720A6599C05FABF7ECDB45B60F0001A6B804D3051E5606A4187D0
                                                              APIs
                                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00BB8683
                                                                • Part of subcall function 00B834BA: _doexit.LIBCMT ref: 00B834C4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Message_doexit
                                                              • String ID: AutoIt$Error allocating memory.
                                                              • API String ID: 1993061046-4017498283
                                                              • Opcode ID: 01726b447614b9c481ef3c6e26feb7bf2ec70c3162782ca19478c78ad6131850
                                                              • Instruction ID: c9bf3b4a104125d6b80be11786982ef4c53e2ff9c86bdb0136846c7ae43738c0
                                                              • Opcode Fuzzy Hash: 01726b447614b9c481ef3c6e26feb7bf2ec70c3162782ca19478c78ad6131850
                                                              • Instruction Fuzzy Hash: 83D05B3238931836D25536D4AC0BFDA7AC88B05F51F1444F5FB08971E34EE98594C2D5
                                                              APIs
                                                                • Part of subcall function 00B9B474: _memset.LIBCMT ref: 00B9B481
                                                                • Part of subcall function 00B80A9F: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B9B450,?,?,?,00B6100A), ref: 00B80AA4
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,00B6100A), ref: 00B9B454
                                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B6100A), ref: 00B9B463
                                                              Strings
                                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B9B45E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                              • API String ID: 3158253471-631824599
                                                              • Opcode ID: 97019882066a096c95da63b42125969abbb906de49b3f75555de25ede97648c6
                                                              • Instruction ID: 8282b36baf24cb37895d566c2a314cb4d8416a5238a2a032ba3d833faab0fbc5
                                                              • Opcode Fuzzy Hash: 97019882066a096c95da63b42125969abbb906de49b3f75555de25ede97648c6
                                                              • Instruction Fuzzy Hash: 37E06D70220351CFDB30BF25E908B167AE4AF04744F0089ADE496C37A2DBB4D504CBA1
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?), ref: 00B9FFC1
                                                                • Part of subcall function 00BDC4A1: LoadLibraryA.KERNEL32(kernel32.dll,?,00BA01AA,?), ref: 00BDC4AF
                                                                • Part of subcall function 00BDC4A1: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00BDC4C1
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00BA01B9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2656382005.0000000000B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B60000, based on PE: true
                                                              • Associated: 0000000B.00000002.2656364982.0000000000B60000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000BF0000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656426043.0000000000C15000.00000002.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656471331.0000000000C1F000.00000004.00000001.01000000.00000005.sdmp
                                                              • Associated: 0000000B.00000002.2656494485.0000000000C28000.00000002.00000001.01000000.00000005.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_b60000_Eco.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                              • String ID: WIN_XPe
                                                              • API String ID: 582185067-3257408948
                                                              • Opcode ID: b3ab998bd932d50aeeb9dd9b0ad74fb80bf85d3416b04e6e3972c7c64b544522
                                                              • Instruction ID: 8deae3a75ca6c1c4f26fb746024a33088e0957d05cca244d4486fa38ade369ae
                                                              • Opcode Fuzzy Hash: b3ab998bd932d50aeeb9dd9b0ad74fb80bf85d3416b04e6e3972c7c64b544522
                                                              • Instruction Fuzzy Hash: 3FF0A57181611ADBCB15EB95C999BFCBBF8AB09314F2400E6E102E21A1CB755F44DF20